Coronavirus: Information from the Italian Supervisory Authority

In accordance with the measures recently taken by the Italian Government, the Office of the Italian supervisory authority is fully operational mainly through smart working arrangements.

Our telephone operators will take up calls from 9 to 17. Please dial 06.696771.

Official communications and documents should be sent only electronically to the Authority by using the following accounts:

- Email account: protocollo@gpdp.it

- Certified email account: protocollo@pec.gpdp.it (this account can only receive mail from PEC-certified email accounts)*

* Please send the cyberbullying complaint form to: cyberbullismo@gpdp.it

Front desk

The front desk is operational and can be contacted as follows:

-  Via phone: +39-06 69677 2917 (Monday to Friday, 10 to 12:30)

-  Via mail: urp@gpdp.it

In the light of the measures taken, no visitors will be admitted to the premises until October 15th 2021, inclusive.

Contact information

Instructions on how to contact the Italian SA can be found here: https://www.garanteprivacy.it/web/guest/home/footer/contatti

Updated information is being posted by the Authority continuously both via its official website and through its social media and messaging profiles:

- WEBSITE: www.garanteprivacy.it

- LINKEDIN: http://www.linkedin.com/company/autorit-garante-per-la-protezione-dei-dati-personali

- TELEGRAM: https://t.me/garanteprivacy (profile: "garanteprivacy")

- INSTAGRAM: https://www.instagram.com/garanteprivacy

- YOUTUBE: https://www.youtube.com/user/videogaranteprivacy

FAQs - Data processing in health care in the context of the health emergency

All health professionals may collect the information they consider necessary as part of the care of their patients, including information linked to the presence of symptoms due to COVID-19. Like any other healthcare provider, dentists are also required to comply with the constantly evolving emergency provisions concerning measures to prevent and limit contagion from COVID-19.

This is without prejudice to the detection and collection of information on Coronavirus symptoms and of the information on the recent movements of each individual, which rest with healthcare professionals and the civil protection system, respectively, being the bodies responsible for ensuring compliance with the public health rules that were recently adopted.

A healthcare body may indicate the rules to be followed by quarantined persons in the manner it considers most effective, while respecting the confidentiality of the data subjects. If emails are used to inform all parties simultaneously about the provisions they are required to comply with, the recipients’ addresses will have to be entered in the ‘Bcc’ (‘Ccn’) field so that no recipient becomes aware of the e-mail addresses of the other quarantined persons.

Yes, as the public healthcare professional is required to trace back the close contacts of an individual tested positive to COVID-19 in order to determine the most appropriate containment measures.

Healthcare facilities may identify the arrangements they consider most appropriate and effective in accordance with the principle of accountability to provide health status information to family members of COVID-19 patients who are unable to communicate independently. In that context, the hospitalization facility may certainly provide a toll-free number in order to convey that information by also implementing appropriate measures to identify the persons who are in fact entitled to know the health status of a hospitalized family member.

The provisions adopted in the course of the COVID-19 epidemiological emergency envisage that in cases of suspicion or evidence of death from COVID-19, funeral service operators must take special precautions - similar to those already in place for the death of persons with infectious and contagious diseases - in order to prevent further infection. Accordingly, the healthcare facility may well inform a funeral services provider about the COVID-19 positivity of an individual who died at that facility.

So that citizens do not have to collect prescriptions at their doctors’ clinics, the Civil Protection Order of 19 March 2020 provided that doctors would email or text prescriptions to their patients, or else communicate them by telephone.

If sent by e-mail, the prescription must be attached to the message and not included as a text in the body of the message itself.

In the case of communications by telephone or SMS-texting, it will be sufficient to provide the patient with the Electronic Prescription number.

Yes. A decree by the Ministry of Economic Affairs and Finance, issued after consulting with the Garante, provides that the patient who has received a prescription from his or her doctor by email, by SMS or by telephone may communicate it to the pharmacy in the same way.

The provisions adopted in the emergency period also enable the patient to delegate to his/her doctor the sending of the prescription directly to the pharmacy, either by e-mail or through the system used to create the prescription.

The current rules prohibit the dissemination of data concerning health. This prohibition was not lifted by the emergency legislation related to the COVID-19 epidemiological emergency.

Therefore, healthcare bodies and any other public or private entity may not disseminate, via websites or other channels, the names of individuals found to be affected by COVID-19 or placed under home confinement for the purpose of containing the spread of the epidemic.

Yes. The provisions adopted for the COVID-19 health emergency envisage the possibility of carrying out body temperature checks on all passengers of European and international flights arriving at Italian airports in order to identify the measures possibly required for the containment of the Coronavirus epidemic.

COVID-19 serological screening may be promoted by the Preventive Medicine departments of each Region with regard to the categories considered to be at greater risk of contagion and spread of COVID-19. These include health care professionals and law enforcement agencies. The participation of these entities in the tests can only take place on a voluntary basis.

The results may be used by the healthcare facility that has carried out the test for the purpose of diagnosis and treatment of the data subject and to provide for the epidemiological containment measures laid down in the existing emergency legislation (e.g. home confinement), as well as for public health purposes by the regional Preventive Medicine department.

Such data processing operations should be kept separate from those carried out in connection with COVID-19 serological tests for the purposes of health and safety at work.

FAQs - Data processing by public and private employers in the context of the health emergency

In the current situation linked to the epidemiological emergency, a number of regulatory measures and subsequent guidance documents were adopted at a fast pace by the competent authorities in order to set out urgent measures for the containment and management of the epidemiological emergency. Accordingly, it was determined that an employer whose activities were not suspended was required to comply with the measures for the containment and management of the epidemiological emergency laid down in the MoU to combat and control the spread of COVID-19 in working environments that was adopted jointly by the Government and workers’ representatives on 14 March 2020. (1)

In particular, the said MoU envisages the taking of the body temperature of employees for access to the premises of the organisation as part of the measures to combat the spread of the virus, which also apply to users, visitors and customers as well as to suppliers - where a separate access mode has not been envisaged for the latter.

Similar security protocols applying to non-deferrable public activities or to essential public services were concluded by the Minister for Public Administration with the most representative trade unions in the public administration (such as the MoU on Preventive Measures and for the Safety of Public Employees in connection with the COVID-19 Health Emergency of 3 and 8 April 2020), on the grounds that the safety measures laid down for the private sector were deemed to be consistent with the guidance already provided by the Minister.

Since the taking of the body temperature in real time, when associated with the data subject’s identity, is an instance of processing of personal data (Article 4(1), No (2), of Regulation (EU) 2016/679), it is not permitted to record the data relating to the body temperature found; conversely, it is permitted to record the fact that the threshold set out in the law is exceeded, and recording is also permitted whenever it is necessary to document the reasons for refusing access to the workplace - in compliance with the principle of ‘data minimisation’ (Article 5(1)(c) of the Regulation).

By contrast, where the body temperature is checked in customers (for example, in large department stores) or occasional visitors, it is not, as a rule, necessary to record the information on the reason for refusing access even if the temperature is above the threshold indicated in the emergency legislation.

Under the legislation on the protection of health and safety at work, the employee has a specific obligation to inform the employer of any situation of danger to health and safety at the workplace (Section 20 of Legislative Decree No 81 of 9 April 2008). In this connection, Directive No 1/2020 of the Minister for the Public Administration specifies that a civil servant and persons who work in whatever capacity in the public administration are bound to report that they come from or have been in contact with persons coming from a risk area. Within this framework, the employer may invite employees to do so, where necessary, through dedicated channels.

The measures to prevent and contain contagion that employers are required to take under the existing regulatory framework include prohibiting access to the workplace for those who have been in contact with COVID-19-positive individuals over the past 14 days or come from risk areas according to WHO indications. To this end, also in the light of the provisions adopted subsequently for the containment of contagion (see the MoU referred to above as concluded on 14 March 2020 between the Government and workers’ representatives), a declaration regarding the above circumstances may also be requested from third parties such as visitors and users.

In any case, only the necessary, adequate and relevant data will have to be collected in relation to the prevention of the contagion from COVID-19 without requesting additional information about the COVID-19-positive person, the specific places visited or other details relating to that person’s private sphere.

The regulatory provisions for the containment and management of the epidemiological emergency and the operational guidelines provided by the competent bodies require that the presence of staff in the offices be limited, mainly through smart working arrangements. As regards the tasks which require attendance at the workplace, administrative bodies are to carry out activities that are strictly functional to the management of the emergency and those that are ‘non-deferrable’, also with regard to ‘external users’. Therefore, the reception of visitors or the direct provision of services to the public should take place by electronic means or in any case in such a way as to exclude or limit physical presence in the offices (e.g. via telephone or virtual assistance), or else by arranging timed accesses including by way of the booking of visits.

In compliance with data protection principles (Article 5 of Regulation (EU) 2016/679), the purpose of providing users with contact details for assistance or for reception at the offices can be pursued by publishing only the contact details of the relevant organisational units (telephone number and certified email address), and not those of the individual officials in charge. This is also in line with the publication requirements concerning the organisation of public administrations.

The appointed doctor continues to be prohibited from informing the employer about the specific diseases affecting employees, including under emergency circumstances.

In the context of the emergency, the tasks related to the health surveillance of workers by the appointed doctor, including the possibility of subjecting workers to special visits on account of the increased exposure to the risk of infection, are considered to be a general preventive measure and must be discharged in compliance with data protection principles and by respecting the hygiene measures set out in the guidance by the Ministry of Health (see also the MoU of 14 March 2020) (1).

In the context of the emergency, the appointed doctor cooperates with the employer and the workers’ representatives in order to propose COVID-19 governance measures and alerts the employer to ‘situations of particular fragility and current or past medical conditions of the employees’ as part of the relevant health surveillance tasks (see paragraph 12 of the said MoU).

In compliance with the provisions in the field of health surveillance and on personal data protection, the appointed doctor notifies the employer of those specific cases where an employee’s particular condition of fragility as also related to that employee’s health makes it advisable to assign him or her to tasks in areas less exposed to the risk of infection. To that end, it is not, however, necessary to inform the employer of the specific pathology affecting that employee.

In this context, the employer may, in compliance with data protection principles (see Article 5 of Regulation (EU) 2016/679), process the employees’ personal data only if it is legally prescribed or ordered by the competent bodies or else on specific notification by the appointed doctor in the performance of his or her health surveillance tasks.

Employers may not, in the context of the adoption of protective measures and of their duties relating to the safety of workplaces, communicate the name(s) of the employee(s) infected by the virus, unless national law so permits.

Under the national legal framework, the employer has to inform the competent health authorities of the names of the personnel infected and to cooperate with them in identifying ‘close contacts’ in order to allow timely implementation of disease prevention measures.

On the other hand, such an information requirement is not provided for with regard to the workers’ representative for safety, nor do the tasks described above fall within that representative’s specific remit based on sector-specific legislation.

In the current epidemiological emergency, the workers’ representative for safety will have to continue to carry out his/her consultative, control and coordination tasks and cooperate with the appointed doctor and the employer - for example, by helping in the identification of the most appropriate prevention measures to protect workers’ health in the specific working environment; updating the risk assessment document; and verifying compliance with internal protocols.

Where the workers’ representative for safety becomes aware of information in discharging the relevant duties (which information the representative usually processes in aggregate form, e.g., the information included in the risk assessment document), he or she complies with data protection provisions if it is possible, even indirectly, to identify certain data subjects.

No. With a view to the protection of the health of other workers, it is for the competent health authorities to inform the ‘close contacts’ of the diseased employee in order to implement the required prevention measures.

Conversely, the employer is required to provide the competent institutions and health authorities with the necessary information so that they can carry out the tasks and duties set out also in the emergency legislation adopted in connection with the current outbreak (see paragraph 12 of the MoU mentioned above).

Data concerning health may only be disclosed, whether externally or within the organization an employee or collaborator pertains to, if this is provided for in the law or ordered by the competent authorities on the basis of statutory powers - for example, solely for the prevention of contagion from COVID-19 and upon a request by the health authority for tracing back the ‘close contacts’ of a worker who tested positive for COVID-19.

In all cases the employer must take specific measures if persons affected by COVID-19 are present within the premises of the organization, relating to the cleaning and sanitising of the premises in accordance with the instructions given by the Ministry of Health (see point 4 of the MoU mentioned above).

Yes, but only if ordered by the appointed doctor and in compliance with the information provided by the health authorities, including reliability and appropriateness of those tests.

Only the appointed doctor, as a health professional, taking account of the general risk posed by COVID-19 and the specific health conditions of workers subject to health surveillance, may determine the need for particular clinical and biological tests and suggest specific diagnostic methods if this is considered useful to contain the spread of the virus and protect workers’ health (see paragraph 12 of the MoU between the Government and social partners updated on 24 April 2020).

The information relating to the worker’s diagnosis or family history may not be processed by the employer (for example, by consulting reports or test results), except in the cases expressly provided for by law. By contrast, the employer may process data relating to the assessment of suitability for the specific task and any requirements or restrictions the appointed doctor may lay down in terms of working conditions.

Visits and inspections, including for the purposes of assessing the employee’s return to work, must be carried out by the appointed doctor or other health personnel; in any case, the overarching prohibition against the employer’s carrying out diagnostic tests on employees will have to be complied with.

Workers are free to participate in the screening campaigns launched by the competent regional health authorities for COVID-19 serological tests. They may be informed of such campaigns by their employer where the local preventive medicine department has involved the employer in conveying the invitation to join the campaign to its own employees (see FAQ 10 - Data processing in health care in the context of the health emergency).

Employers may offer serological tests in public and private health facilities to their employees and also cover the relevant costs in whole or in part – for instance, through ad-hoc or expanded health insurance policies or through ad-hoc agreements with those facilities; however, they are not permitted to know the outcome of such tests.

Although, as a general rule, personal data relating to the specific conditions affecting workers may only be processed by health professionals (e.g. family doctors, specialists, appointed doctors) and not by the employer, the latter may, in some cases and in the context of the current epidemiological emergency, lawfully become aware of the identity of an employee affected by or presenting symptoms compatible with COVID-19.

This may be the case, in particular, when an employer is notified directly by the employee, who is obliged to inform the employer of any situation of danger to health and safety at the workplace. By the same token, the MoU between the Government and social partners updated on 24 April 2020 – to be complied with as required by the emergency legislation - lays down specific obligations for the employee to inform the employer when there are any conditions of danger such as signs of influenza (see also similar MoUs drawn up in the public domain and those relating to specific sectors, such as construction sites, transport and logistics). This also applies if the symptoms are detected upon entering the workplace or during the course of work (see MoU, e.g. paragraphs 1, 2 and 11). To that end, the employer may call on its employees to make such communications by facilitating the way they are conveyed, including through dedicated channels, taking account of its general obligation to protect workers’ bodily integrity in accordance with Section 2087 of the Civil Code and Legislative Decree No 81/2008 (see also FAQ No 2).

Additionally, an employer might become aware of a COVID-19 positivity situation that is established by the health authorities on the basis of a buccal/nasopharyngeal swab, as part of the cooperation the employer is required to provide to those authorities - also with the involvement of the appointed doctor - in order to track down any close contacts with other individuals in the employment context (see paragraph 11 of the MoU of 24 April 2020).

The employer may also be informed of a negative buccal/nasopharyngeal swab with a view to readmission to the workplace of any employee previously found to be COVID-19 positive - in accordance with the procedures laid down and the documentation issued by the competent preventive medicine department (see paragraphs 2 and 12 of the MoU of 24 April 2020). (1)

In the above cases the employer may accordingly process data relating to an employee’s COVID-19 symptoms or positivity for the purposes of ensuring health and safety at the workplace or fulfilling the obligations of cooperation with public health workers.

Conversely, an employer may not process data on a worker’s health and communicate the data to third parties in cases other than those set out in the law (see FAQs 5 and 6).

Pursuant to the legislation on health surveillance, which is not derogated from by the emergency legislation, an employer may not be informed of the outcome of the diagnostic tests ordered by the appointed doctor including serological tests, which anyhow do not allow diagnosing the infection (see FAQ No 7).

When a swab test is ordered following the serological test in order to establish virus positivity, the employer will still be able to know the identity of the employee concerned in addition to the assessment by the appointed doctor regarding that employee’s unsuitability for work (see the MoU, paragraphs 1, 2, 11 and 12) in the aforementioned cases, of which a summary is provided below.

In the light of the current legal framework, an employer may accordingly process the personal data of an employee affected by or presenting symptoms from COVID-19 and may be informed of a COVID-19 positivity situation in the following cases:

- if the employer is informed directly by the employee;

- in so far as it is necessary in order to cooperate with health authorities; or

- with a view to readmission to the workplace of an employee who had been found to be COVID-19 positive.

(1) As updated on 24 April 2020.

FAQs - Data processing by schools in the context of the health emergency

No. Schools may process data, including special categories of data (1), relating to teachers, pupils/students (including minors), and parents as part of their institutional tasks and do not have to request the data subjects’ consent to the processing of such data, including in relation to distance learning as implemented following the suspension of face-to-face teaching in all schools. Moreover, consent as a rule is not an appropriate legal basis for the processing of data in the public domain and in the employment context.

Yes. Schools are required to ensure the transparency of processing by informing data subjects (pupils, students, parents and teachers), in a language easily understood by minors, in particular about the types of data and the way in which they are processed, the storage periods and any other processing operations. They must also specify that the objectives pursued are limited exclusively to the provision of distance learning, on the basis of the same conditions as and with guarantees similar to those in place for traditional teaching.

It is the responsibility of the competent health authorities to inform the close contacts of the infected individuals in order to implement the required preventive measures. A school is required to provide the competent institutions with the necessary information, so that they can trace back the chain of contacts for the infected individuals; in other respects, schools are expected to implement the sanitation measures that were recently provided for.

As a result of the suspension of face-to-face teaching activities and meetings of collegiate bodies, arrangements have been made for distance learning and smart working with regard to administrative services. For the same reasons linked to the emergency situation, and taking account of the guidance provided by the Minister for Public Administration and the Ministry of Education, any meeting within the scope of non-deferrable activities must take place by using electronic means.

The Garante has already provided some guidance to schools to make informed choices about the platforms to be used, on the basis of the safeguards offered by the providers, in view of the specific risks also to teachers’ personal data.

(1) I.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, data concerning health or a person’s sex life or sexual orientation.

If two pupils have tested positive in a classroom, primary and secondary schools may process as controllers the data contained in the documents pupils have to submit to show they meet the requirements to attend classes in person – i.e., having completed a first vaccination cycle and recovered from COVID since less than 120 days, having got a booster shot. The checks in question will have to be carried out on a daily basis:

- For as long as provided for by the law (10 days) but only concerning pupils that attend classes in person;

- Only to enable in-person attendance of classes in the said cases and for no other purposes;

- In accordance with arrangements capable of ensuring data integrity and security;

- Without acquiring the documents (vaccination/recovery certificate, green pass) in advance, as those documents may only be produced by pupils at the time they are checked;

- By only using the C-19 verification app if the green pass is produced;

- By duly authorised and trained staff.

Controllers shall not collect and keep the documents in question (vaccination/recovery certificate, green pass) and shall not take any steps that can result in disseminating the list of pupils attending classes whether in person or remotely.

Based on the legislation in place, free rapid antigen tests are envisaged for primary and secondary school pupils placed under self-monitoring regime if such tests are ordered by a general practitioner and/or paediatric specialist; the same applies to individuals unable to receive or complete COVID-19 vaccination following medical certification. Depending on the age range, controlled pricing tests may be administered as well.

In the above cases, the testing units/organisations are authorised to process such personal data as are necessary to prove eligibility – e.g., medical certification, age, being a pupil under self-monitoring regime; the data must be included in the documents produced by the data subjects and no additional information is to be requested – e.g., no information on the individual’s vaccination status is required.

FAQs - Data processing in clinical trials and medical research in the context of the COVID-19 health emergency

Sponsors and testing centres may process personal data, also concerning the health of COVID-19 patients, to carry out clinical trials of medicinal products (such as investigational clinical studies on medicinal products, phase I, II, III and IV, observational studies on medicinal products and compassionate therapeutic use programmes), insofar as they are strictly necessary to combat and study the ongoing pandemic, on the basis of the data subjects’ consent or by relying on another legal basis pursuant to Article 9 (2) of the Regulation, in accordance with Union or national law, for reasons of significant public interest, for reasons of public interest in the area of public health and for the purposes of scientific research (Article 9 (2), letters (a), (g), (i) and (j) of the Regulation).

When, on account of particular and substantiated reasons, informing the data subjects proves impossible or involves a disproportionate effort or is likely to seriously impair the achievement of the objectives of the research, and it is therefore not possible to acquire the data subjects’ consent for the processing of their personal data, the controllers are required, where possible, to obtain such consent, after providing the appropriate information, from the persons who have legal authority over those data subjects, or from a close relative, a member of their family, a cohabitee or, in the absence thereof, the manager of the facility where the data subject is staying. This is based on an analogy with the provisions of point 4.11.2 of the requirements relating to the processing of genetic data as contained in Annex 4 to the Garante’s order laying down the requirements for the processing of special categories of data, Web Doc No 9124510.

Where, for specific and substantiated reasons, it is not possible to obtain informed consent for the processing of personal data, also from third parties, or where doing so risks seriously undermining the successful outcome of the research – e.g. when processing data relating to deceased patients or patients in intensive care units -, the data controllers intending to process personal data exclusively in connection with clinical trials and the compassionate use of medicinal products for human use with a view to the treatment and prevention of COVID-19 are not required, under the legislation relating to the current emergency situation, to submit their research project and the associated impact assessment for the prior consultation of the Garante as referred to in Section 110 of the Italian data protection Code.

On the basis of the legislation enacted in the emergency situation, the Ministry of Health issued a call for tenders, on 1 April 2020, addressed to IRCCS regarding medical research projects aimed at better understanding the COVID-19 epidemic, contributing to more efficient clinical management of infected patients, and improving the capabilities and effectiveness of the treatments available to the National Health Service.

Personal data also concerning health may be processed by the IRCCS that are awarded the funds of the above call, in the context of research aimed at combating the pandemic, without the data subjects’ consent as they are inherent in the significant public interest functions committed, inter alia, to the entities belonging to the National Health Service. Accordingly, those IRCCS that process personal data in the context of medical research funded by the Ministry do not have to comply with the requirements laid down in Section 110 of the Italian data protection Code.