The Guarantor for the protection of personal data has warned the Region of Sicily and all the subjects involved (provincial health companies, employers, competent doctors) that the processing of personal data carried out in implementation of the ordinance n. 75 of 7 July 2021 of the President of the Sicily Region, in the absence of corrective actions, may violate the provisions of the European Regulation and the Privacy Code.
The ordinance in fact provides for the processing of personal data relating to the vaccination status of public employees and regional bodies, determining limitations on individual rights and freedoms that can only be introduced by a national standard of primary rank, subject to the opinion of the Authority.
Regional provisions provide that all employees in direct contact with users are “formally invited” to receive the vaccination and, in the absence of this, assigned to another job.
These treatments relating to the vaccination status of the staff not provided for by state law, actually introduce a requirement for the performance of certain tasks on a regional basis, generating a difference in treatment with respect to the staff who perform the same tasks throughout the national territory.
The ordinance also provides for generalized processing of data relating to the vaccination status of employees, including by the competent doctor, which do not comply with the regulations on data protection and the regulations on safety in the workplace.
Considering the delicacy of the information processed and the possible discriminatory consequences in the workplace, the involvement of employers, provided for by the ordinance, in the absence of technical and organizational measures, can be in contrast with the national rules that prohibit employers from process information relating to the health, individual choices and privacy of employees.
The Guarantor, in consideration of the serious violations found, therefore deemed it necessary to intervene promptly to protect the rights and freedoms of the interested parties, before such criticalities produce their effects, and consequently warned the Sicilian Region and all other public entities and private individuals involved, who, in the absence of corrective measures, the data processing provided may violate the privacy legislation.
The provision adopted by the Guarantor was communicated to the President of the Council of Ministers and to the Conference of Regions and Autonomous Provinces for the assessments of competence, also in order to report to the Regions and Autonomous Provinces the necessary compliance with the provisions on the protection of personal data.