Member News

GOP | Mandatory green pass at private sector workplaces – operational tips

As is known, from October 15 until December 31, 2021 (the deadline set for the end of the state of emergency), the obligation to possess – and to show on request – the “green pass” has been extended to all workers, including those of the private sector, as a condition of access to workplaces.

With regard to this matter, Law Decree no. 127/2021 – published in the Official Gazette – states that this obligation indistinctly applies “to all people who perform, for any reason in the workplace, their working activity as trainee or volunteers, even on the basis of contracts with third parties”, which means that this obligation applies to all kinds of working relationships (e.g., self-employed workers, temporary workers, workers on assignment, professionals, stagiaires, staff of contractors/suppliers, etc.).

All employers are responsible for verifying that workers actually hold the “green pass”, under penalty of a fine from 400 to 1000 euros (doubled in case of a repeated violation).

By October 15, employers are required to:

  1. “Establish the operational procedures for organizing the monitoring”.
  2. “Formally appoint the persons in charge of ascertaining and challenging violations of the obligations”.

Workers not in possession of a “green pass” will not be allowed into workplaces and will be considered “unjustified absent” until the submission of the certification (by December 31, 2021), without disciplinary consequences (and, accordingly, without the need for the employer to commence disciplinary proceedings) and with the right to maintain the employment relationship.

For companies with up to fifteen employees, the employer “after the fifth day of unjustified absence” will have the option to enter into a fixed-term employment contract for replacement, renewable only once, “for a period not exceeding ten days, and not beyond the deadline of December 31, 2021”.

The controls will be carried out “primarily at the entrances”, and also “with random spot-check”. In this case, we recommend considering the peculiarities of the tasks performed by the workers (e.g., sellers, transfer operators, sales personnel, etc.) and of the company organization.

Lastly, it should be pointed out that Law Decree no. 127/2021 does not modify the preventive and safety measures provided by the “Shared Protocols Against Contagion in the Workplace” (the “Protocols”), in the latest version of April 12, 2021, which as of today (with the exception of any supplemental integrations) remain fully valid and effective, in order to prevent objections in terms of non-compliance with the health and safety obligations pursuant to art. 2087 of the Italian Civil Code.

In view of these considerations, we would like to provide you with a few operational recommendations regarding the new provisions set out in Law Decree 127/2021:

1. Sending a notice about the “green pass” obligation, specifying the need to possess/exhibit this certificate in order to access the workplaces, to your own staff and, if more than one company is active in a single workplace (e.g., construction sites/ATI), to the other employers.

2. Drafting a privacy policy in accordance with Article 13 of the GDPR that informs those who have access to the workplaces of the processing carried

3. Identifying and appointing the persons entrusted with “ascertaining and contesting the violations of the obligations”. In this regard, we recommend that the “formal” appointment:

  • Comes from the employer for the purposes of health and safety at work and identifies an “internal” worker of the organisation (preferably a “Preposto” pursuant to the H&S Act).
  • If compatible with the performance of the duties, grants the person concerned the power to suspend others from work, in case of violation, as well as the power to forward and notify to the Prefect the acts related to the ascertained

Moreover, especially in complex structures and since this is a situation that is part of an emergency context, it is preferable that the act of appointment – such as the implementation of the verification and control procedures (see below) – be resolved/ratified by the Board of Directors.

In addition, with specific regard to the legislation on the protection of personal data, it should be specified that those who will be entrusted with this task must be appointed as acting under the authority of the data controller, pursuant to art. 29 of the GDPR. Otherwise, if the control is carried out by the staff of third parties, the third party will be appointed as a data processor pursuant to art. 28 of the GDPR. Therefore, such acts of appointment will need to be drafted.

4. Organizing – with the support of the RSPP and the involvement of the Audit Committee, set up pursuant to the Protocols – the related verification and control procedures regarding the “green pass” (primarily through a control method on a daily basis that does not allow the acquisition of the duration of validity as well as of the methods used for the certification purposes) adopting, in this regard, the “VerificaC19” App – developed by the Ministry of Health and compliant with the requirements of the Decree of the President of the Council of Ministers 17 June 2021, as well as the principles applicable to the processing of personal data, such as the minimization principle, which prescribes that these data need to be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (Article 5, paragraph 1, letter c), of the GDPR) – providing, also, for any adjustments when accessing workplaces (e.g., modification of time stamping systems).

On this point, as already noted, the promulgation of Guidelines and/or further Decrees of the President of the Council of Ministers is expected.

In addition, with specific regard to the issue of personal data processing, it should be noted that art. 13 of the Decree of the President of the Council of Ministers 17 June 2021 clearly states that “the activity of verification of certifications does not involve, in any case, the collection of data of the data subject in any form”. Therefore, it is not possible to record information regarding the expiry date of the certificate, nor to keep it.

5. Implementing, with the support of the Competent Doctor (Medico Competente as per H&S Act and emergency legislation), an update on the monitoring of “vulnerable” subjects in the organisation, implementing any organizational adjustments to facilitate the subjects exempted, ex lege, from the compulsory vaccination against the SARS-CoV-2 virus (and, as a result, from the “green pass”).

6. Updating the organisation’s protocol and/or the DVR (Documento di Valutazione dei Rischi as per H&S Act), with the involvement of the RSPP, of the Verification Committee, set up in accordance with the Protocols and the Competent Doctor, in order to incorporate the new methods of access to the workplace and control of the “green pass”.

This is also in view of the (increasingly frequent) re-entry into the office after the “smartworking” regulations adopted during the emergencies.

7. Updating the records of processing activities pursuant to art. 30 of the GDPR, considering the new processing carried


  • Fabio Ilacqua
    Partner – Head of New York Office
    GOP USA, LLC – One Rockefeller Plaza, Suite 1610, New York, NY 10020
    Tel.: +1 212 957 9600

Compliments of Gianni & Origoni –  a member of the EACCNY.