Data Protection Commissioner Issued Guidance to Indoor Operators:


See Guidance below issued by the Data Protection Commissioner (DPC).

This Guidance does not deal with the ‘indoor dining legislation’ (Health Amendment (No 2) Act, 2021). It addresses the public health measures extending the Covid pass to other settings as per the 22nd October publication.

The DPC states that it is the responsibility of indoor operators, as owners/operators of a premises and as data controllers, to establish whether they have identified a legal basis for verifying, and to verify, the vaccination status of attendees or patrons:

‘This should be determined with reference to the current advice of the public health authorities, and personal data should be processed only as necessary to meet the requirements of that advice’.

The DPC refers to the Government-published ‘Resilience and Recovery Plan’, last updated on 5th November, for public health measures relating to activities, events and mass gatherings.

The DPC refers to Section 52 of the Data Protection Act 2018 as the lawful basis for processing personal data revealing vaccination status on the grounds that processing is necessary for public interest reasons in the area of public health. ‘Necessity’ should be determined with reference to the up-to-date advice of the public health authorities and limited to the requirements of this advice.

The DPC lists examples of premises, other than hospitality, that come under the public health guidelines to check vaccination status as cinemas, museums, entertainment venues, bowling alleys, snooker halls and activity centres.

The DPC states that no Data Protection Impact Assessment is required as:

‘the scope of the processing is limited and based upon public health requirement’.

The DPC also states that:

‘Neither is it the case that health data, such as vaccination status, may only be processed by a medical professional’.



The General Data Protection Regulation, 2018 (GDPR) states that a DPIA is required in the following circumstances, amongst others:

Under Article 35(1), where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

It is arguable that, in light of the fact that new technology is being used to ‘scan’ a Covid pass, a DPIA is required.

Under Article 35(3), when processing on a large scale special categories of data referred to in Article 9(i) (sensitive health data).

The disclosure of a Covid Pass arguably involves processing of sensitive health data on a large scale.


Article 9 (2)(i) of GDPR states that processing of sensitive health data for the reasons of public interest in the area of health is subject to the provision for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

Public health is defined under Regulation (EC) No 1338/2008.

Section 73 (vi) of the Data Protection Act, 2018 refers to processing of sensitive health data that is necessary for medical purposes carried out by or under the responsibility of a health practitioner (as defined in the Health Identifiers Acts, 2014).

It is arguable that if indoor operators rely on Section 53 and Article 9(2)(i) as the legal basis for processing vaccination status, then they are required to satisfy the criteria of professional secrecy.


The Guidance is silent on Article 37 GDPR and the duty of the indoor operator, as data controller, to designate a data protection officer if its core activities consist of processing sensitive health data on a large scale. Under Article 37(5) the data protection officer must have expert knowledge of data protection law.
