According to Italian Data Protection Authority Garante Per La Protezione Dei Dati Personale, The COVID-19 emergency does not automatically, and in itself, represent a sufficient legal basis for particularly invasive data processing, such as data processing aimed at allowing contact tracing by any public or private owner.

At present, the only processing of personal data that has an adequate legal basis are those that have their basis in a provision of national law. Any other processing aimed at contact tracing is therefore devoid of an adequate legitimating legal source and, therefore, carried out in violation of European and national legislation on the protection of personal data.

Read the detailed guidance on contact tracing privacy from Garante.