Mitiga Italia App – Complaint Upheld (Italy, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Italian data protection authority questioned the legal basis of the Mitiga Italia App, which was used to check health conditions for stadium entry during a football event. The app's data processing was limited until further investigation, as it lacked a valid legal basis.
What happened
The Mitiga Italia App's processing of health data for stadium entry was limited due to lack of a valid legal basis.
Who was affected
Football event attendees who used the app to certify their health status for stadium entry.
What the authority found
The Italian authority found that the app lacked a valid legal basis for processing health data, as it was not backed by state law.
Why this matters
This case emphasizes the need for apps handling sensitive health data to have a clear legal basis, especially when mirroring official certifications. It serves as a warning for app developers to ensure compliance with data protection laws.
GDPR Articles Cited
National Law Articles
The Mitiga Italia App was used to allow access to the Mapei Stadium in Reggio Emilia to attend the football event "Final Coppa Italia TIM Vision 2020/2021," which took place on May 19, 2021. The app allowed attendees of the football event to certify certain health conditions which were necessary for access to a sporting event under current Italian decrees allowing for the gradual resumption of economic and social activities (edcree 22 April 2021, n. 52). Entrance to the stadium was reserved for people with certification of a negative diagnostic test in the 48 hours prior to the event, certification of vaccination, or certification of recovery from infection with covid-19 in a period not earlier than six months from the date of the event. The Italian DPA imposed a provisional limitation on the processing performed by the Mitiga Italia App to certify health conditions for the purpose of participation in sporting events. The limitation is to be imposed for as long as necessary for the DPA to investigate the basis of processing and to protect the rights and freedoms of the interested parties. The app collects the same categories of health data as the “green certification" for COVID-19 provided for by Legislative Decree 22 April 2021. The problem is that the law decree does not constitute a valid legal basis for the introduction and use of green certifications at the national level. Only a state law can make the exercise of certain rights or freedoms subject to the display of the COVID-19 green certification, and any health data collected for such certification must be subject to adequate limitations as to insure GDPR compliance. Because the app mirrors the green certification—but is not the product of any state law—there is currently no valid legal basis for the processing of data carried out through the use of the Mitiga Italia app. It is furthermore unclear whether the processing of data by the Mitiga Italia app is adequately limited. It is these matters which
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Mitiga Italia App in IT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Mitiga Italia App - Italy (2021). Retrieved from cookiefines.eu
Last updated: