April 13, 2021

EU and the Digital Green Certificate: New challenges and opportunities during the COVID-19 pandemic

On March 17, 2021, the European Commission presented a proposal to create a Digital Green Certificate (the Certificate) to facilitate the free movement of citizens within Member States during the COVID-19 pandemic while ensuring public health safety.

The Certificate will allow movement between Member States to occur in a safe way, thus limiting the risk of spreading the virus within EC territory. This certificate will not discriminate against individuals who have not yet been vaccinated. In fact, the Certificate will not be used as a precondition for travel but will allow movement to take place more easily, avoiding possible restrictions imposed by individual states, such as quarantine or testing for COVID-19.

One of the most hotly debated issues regarding the Digital Green Certificate, informally referred to as a Vaccination Passport, concerns the protection of personal data, which will be further discussed below.

1. Digital Green Certificate: Main features and minimum information required

The Certificate will be issued in digital format by each Member State and may include three different types of certification: the certification of (i) vaccination, (ii) testing (non-self-diagnostic), and (iii) recovery from COVID-19.

The information on the Certificate is strictly used to verify the identity of the subject and the authenticity of the Certificate (i.e., name, Member State of issuance, and unique identifier of the certificate) as well as to ascertain technical characteristics related to the vaccine (e.g., producer), the test (e.g., type of test and date it was performed), or recovery (e.g., date determined), depending on the type of certification that is shown.

2. Implementation of the Digital Green Certificate in each Member State

Each Certificate must contain a QR code with a digital signature, which will be scanned and checked at the time of verification in order to make sure the Certificate is authentic.

For this purpose, each Certificate issuing body (e.g., hospitals, health authorities) will have its own digital signature key. These keys will be stored in a secure database within each Member State. Moreover, the European Commission will build a gateway through which it will be possible to verify the digital signature on the Certificate, regardless of the issuing Member State.

In this regard, the choice made by the European Commission to use a regulation as a normative instrument to introduce the Digital Green Certificate becomes essential. This, in fact, guarantees immediate and uniform implementation of the rules governing the Certificate, thus avoiding problems involving recognition of the authenticity of the Certificates themselves.

3. The processing of personal data contained in the Digital Green Certificate

Article 9 of the proposed regulation provides certain guarantees to ensure the protection of personal data processed to create a Digital Green Certificate.

As already mentioned, the Certificate contains only data strictly necessary to verify the identity of the subject and the data related to vaccination, the negative outcome of a test, or the recovery of a patient. The amount and type of information collected in the Certificate therefore seem to be in line with the principle of minimization.

It is clear that not only personal data will be processed, but also data concerning health—the processing of which may be supported, as in this case, for reasons of substantial public interest (i.e., to facilitate the free movement of persons within EU territory in safety) on the basis of EU law.[1]

Furthermore, these data can be consulted by the competent authorities of the country of destination but cannot be stored by the countries visited. The data will therefore be stored only by the Member State that issued the certificate, while the creation of a European database is not foreseen. In any case, the data necessary for the Certificate will be retained only for the period of use of Certificates during the pandemic in order to allow effective exercise of free movement within Member States.

Under the proposed Regulation, the authorities in charge of issuing the Certificates are considered data controllers.

In light of the above, it is clear that the European legislature deemed this solution practicable while striking a balance between the principle of free movement of persons between Member States, the protection of public health, and the right to protection of personal data recognized by Regulation (EU) 2016/679 (GDPR). However, in order for the project to be implemented effectively, Member States will have to come to unanimous agreement (on such items as, for example, the proposal’s respect for the principles on the protection of personal data) and operational and IT capacity must exist to guarantee the issuance of Certificates under the minimum requirements at the European level requested from each Member State.

Recently, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a joint opinion on the EU Proposal for the Digital Green Certificate. With this opinion, they provided recommendations and suggestions for the implementation of the Certificate in accordance with EU personal data protection legislation.[2]

4. Considerations at a national level: the Italian Data Protection Authority on a possible local vaccination pass

Before the proposed regulation for the Digital Green Certificate was published, the Italian Data Protection Authority expressed its opinion on what was called a national vaccination pass, i.e., a digital-format solution that public or private service providers might require as a necessary condition to access certain places or to use services.

First, such solutions risk discriminating against those who have not yet had access to the vaccination campaign and those who choose not to vaccinate. Therefore, such tools—if implemented improperly—could harm the fundamental freedoms granted to individuals and, for example, lead to vaccination against COVID-19 being perceived as compulsory health treatment.

Also from the perspective of the confidentiality of personal data, critical issues could arise. In fact, such measures—adopted in an uneven and uncontrolled manner in national territory—could lead to violation of the right to privacy if implemented in violation of the principles set out in the GDPR (e.g., the principle of proportionality, purpose limitation, and data minimization). In this light, in a press release dated March 1, 2021, the Italian Data Protection Authority reiterated that any appropriate measures to introduce vaccine passports in national territory must be adopted by the state legislature, in compliance with existing legislation and while striking an appropriate balance between public interest, health protection, and protection of personal data.

This declaration by the Italian Data Protection Authority is in accordance with the principles cited in the text of the EU Regulation and does not represent opposition to the adoption of similar solutions; it merely takes a stance against the schizophrenic and inconsistent adoption of tools potentially capable of damaging constitutionally guaranteed rights. Moreover, we note that if the Regulation is adopted at the European level, it will regulate only movement between Member States. It will then be up to each individual Member State to introduce instruments similar to the Digital Green Certificate within its territory, via national law, if necessary.

[1] This legal basis, provided in Article 9(2)(g), is cited in Recital 37 of the proposed Regulation.

[2] EDPB press release available at the following page.
