Eurac Research, as Data Controller informs you (hereinafter Data Subject) in accordance with the EU Regulation 2016/679 (GDPR) and national legislation about how your personal data is processed.

1. Data Controller and Data Protection Officer (DPO) Data Controller: Eurac Research, Viale Druso 1, 39100 Bolzano, in the person of the President and legal representative pro tempore. The DPO can be contacted at the following e-mail address: privacy@eurac.edu

2. Purpose and Legal Basis for the Data Processing The personal data will be processed for the purposes of preventing COVID-19 infections and in particular checking the EU Digital COVID Certificate (hereinafter also Green Pass) obtained by: persons vaccinated against COVID-19; persons who have obtained a negative result in the molecular/antigenic test; persons who have recovered from COVID-19. The Data Controller will not be aware of which of the above situations applies to you.

Pursuant to Art. 9-septies of L.D. no. 127 of 21 September 2021, anyone carrying out a work activity in the private sphere is obliged, for the purposes of accessing to the places where the work activity is carried out, to possess and exhibit, upon request, the EU Digital COVID Certificate.

The legal basis for the processing of your personal data is the compliance with a legal obligation to which the Data Controller is subject pursuant to Art. 6, paragraph 1, letter c) GDPR, namely the implementation of the DPCM of 17 June 2021 as well as Art. 9, D.L. no. 52 of 22 April 2021, converted with amendments by L. no. 87 of 17 June 2021, as amended. In addition, D.L. no. 127 of 21 September 2021 provides for the use of EU Digital COVID Certificates in private employment. Further guidance on the Green Pass verification process and the national VerificationC19 platform can be found on the Ministry of Health's website at the following link: http://www.dgc.gov.it/web/app.html

3. Type of personal data processed Data are collected directly from the Data Subject (individuals with the EU Digital COVID Certificate) in accordance with the principles of data minimisation and retention limitation. The personal data processed include the following

• personal details (name, surname and date of birth) indicated on the Green Pass;
• personal details indicated on the identity card or other document valid for identification purposes;
• particular categories of personal data (art. 9 GDPR), indirectly related to the possession of the green certificate. In addition, it should be noted that: the EU Digital COVID Certificate contains a two-dimensional barcode (QR code) with a digital signature of the Ministry of Health to prevent falsification; the certificate can be shown by the interested party in both digital and paper format; the authenticity and validity of the green certificate will be verified through the national VerifyC19 app: the person's personal data is not recorded by the app to protect privacy.

4. Recipients of personal data The recipients of the data are the persons in charge of data processing activities authorized and instructed by the Data Controller to data processing activities. In case of non-presentation of a valid certification, the information related to the verification (date / time / place of the verification, name and employer of the interested person) will be shared with Health, Safety & Environment and Human Resources of Eurac Research and the public authorities responsible for the disciplinary and administrative sanctions provided for.
The data shall not be disclosed or communicated to third parties outside the specific legal provisions. The data may be communicated to the competent authorities, in proven cases of necessity and urgency with respect to public health protection requirements, or upon specific request by the competent authorities. The Data Controller will not transfer your personal data to a third country or to an international organization outside the EU. There is no automated decision-making process that produces legal effects.

5. Retention period Within the framework of the verifications, the data processed will not be saved or retained in any way by the Data Controller and no photographs, photocopies or other forms of storage will be made of what is displayed by the operator. In case of non-presentation of a valid EU Digital COVID Certificate the information from the verification (date and result of the verification and name of the person concerned) will be retained in connection with the application of the measures provided for by current legislation.

6. Mandatory or Voluntary Communication of Data and Possible Consequences of a Failure to Provide it. The Green Pass must be presented in order to gain access to the places indicated, in accordance with D.L. 52 of 22 April 2021, as amended, and is therefore compulsory. In case of non-presentation of a valid EU Digital COVID Certificate the access to the premises is not permitted.

7. The Data Subject’s Rights At any time the data subject has the right to request access to their personal data, and to correct or delete that data, or to limit its processing. In addition, the data subject has the right to data portability, as well as the right to lodge a complaint with a supervisory authority. When the data processing is based on consent, the data subject has the right to withdraw that consent at any time. The data subject may also exercise all other rights pursuant to current data protection regulations (art. 15 et seq. GDPR) by writing to the e-mail address: privacy@eurac.edu .