Covid-19 coronavirus: the Italian Data Protection Authority’s statement

Employers cannot ask for self-certifications and process employees’ health data

The Italian Data Protection Authority (the Authority) considered situations where such information is requested when registering external visitors or where employers are seeking from their employees an ad hoc self-certification.

In both cases, the Authority held that such data processing activities are unlawful as they are unnecessary. In fact, emergency legislation has already provided for some mechanisms for the prevention of contagion. Consequently, the processing of such data for the aforementioned purposes is justified only if it is carried out by the competent authorities or within the limits set out by the emergency legislation. On the contrary, any other controller that collects such data, including health data, a priori and in a systematic way, is infringing on the data subject’s rights. 

Employee’s duty to inform employer and health authority

Employers’ compliance with their health and safety obligations is also ensured by the employee’s duty to inform the employer of any health and safety risk of which they are aware.

Therefore, the Authority urged any data controllers to comply with the indications of the competent authorities concerning methods to combat the spread of the disease, without acting on their own initiative by collecting such kinds of data, including data subjects’ health data, when not expressly permitted to so by the law or by the competent authorities.

DPA’s press release

The press release is available at the following link (only in Italian).