EDPB on Privacy & Covid-19 Today

You may have heard that Israel has started processing cellphone data to track the contacts and movements of individuals who are positive for Covid-19, in order to trace other people with whom they have come into contact.

The European Data Protection Board has just issued an opinion on data protection and Covid-19 stating that:

  • Insofar as possible, processing of data should be anonymous;
  • When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security. This emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.

If you have some time to reflect on the privacy aspects of the coronavirus, you may be interested in checking the varied approaches of different EU Data Protection Authorities.

Stay safe!

No CE Marking Required for Surgical Masks and Personal Protective Equipment

In the wake of the COVID-19 pandemic, the Italian Government lifted regulatory requirements for the manufacturing, importing and placement on the market of surgical masks and other personal protective equipment.

The measures were prompted by a failure of existing manufacturers and importers to meet the demands of hospitals, healthcare professionals and individual citizens alike, and are seen as generally in line with the Commission Recommendation (EU) 2020/403 of 13 March 2020 on conformity assessment and market surveillance procedures within the context of the COVID-19 threat (https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:32020H0403).

The new emergency regulations (law decree 18/2020 – http://www.governo.it/it/articolo/decreto-legge-17-marzo-2020/14333) provide that manufacturers, importers and other businesses who intend to commercialize surgical masks and personal protective equipment are required to submit a self-certification to the National Health Institute (“Istituto Superiore di Sanità” – https://www.iss.it/) or to the National Workers Insurance Agency (“INAIL”) respectively, whereby they describe the technical specifications of the devices/equipment and declare that the devices/equipment meet the safety requirements set forth in applicable legislation. The competent authorities are then required to issue a compliance decision within 3 days from the submission.

The technical procedures for the submission to the authorities have now also been implemented and, with reference to surgical masks, they require an additional certification from the applicants concerning the compliance of the devices with quality standards UNI EN 14683:2019 and UNI EN ISO 10993-1:2010. A quality system should also be implemented, but such system does not need to be certified: the implementation of adequate procedures and traceability measures would be sufficient to meet the applicable requirements.

While certain regulatory requirements are meant to remain in place in order to ensure the reliability of products placed on the market, the authorities are hopeful that the new emergency measures will provide relief to hospitals and healthcare operators operating under the current extraordinary circumstances.

COVID-19 Infects Smart Working and Data Protection Rules

The unfortunate spread of COVID-19 throughout Italy led to some interesting legislative measures.

Smart Working

Thanks to a Decree of the Prime Minister adopted on March 1, 2020, employers can have their employees work remotely, even without the individual written agreements mandated by Law no. 81/2017.

  • Remote or “smart” working is not mandatory. It is up to the employer, given its responsibility for the organization of the working activity, to decide whether or not to adopt remote working both for employees who work in areas at risk and for employees who live in such areas but work outside.
  • Secondly, for the next six months the principle of consent, on which remote working is based, will be waived: the employer will be able to arrange such method of working “even in the absence of individual agreements”. In case of refusal by the employee, disciplinary sanctions may be applied. Conversely, the employee may not use smart working without a specific indication by the employer.
  • With regard to formal requirements, no precise written provision is needed. An e-mail or a verbal arrangement may be sufficient.

During this time, smart working will be considered a health and safety measure at work, and employers should provide the relevant IT tools to enable employees to work remotely.

Moreover, last February, before the outbreak of the COVID-19 crisis, Regione Lombardia had already launched a campaign to make public funds available to employers that have never implemented smart working plans. Employers can submit applications from April 2, 2020, until December 15, 2021, subject to availability of the subsidies. We can assist employers in defining the relevant plan.

Data Protection

Ordinance no. 630, adopted on February 3, 2020, as an emergency measure to counter the coronavirus, has been approved by the Italian Data Protection Authority. Surprisingly, it in fact lowers the protection of individuals in light of the public interest.

More specifically, the Italian Data Protection Authority pointed out that, pursuant to Section 9 of GDPR, certain personal data may be legitimately processed for reasons of public interest in public healthcare – particularly in case of serious cross-border threats against healthcare – while ensuring appropriate measures to protect the rights of the concerned individuals, with a specific focus on professional secrecy.

In light of the above and considering the ongoing COVID-19 crisis, the measures taken allow personal mobile communication data and geolocation to be analysed in order to trace connections and contacts amongst individuals. However, the decision does not set forth specific countermeasures to protect the rights of the concerned individuals.

Italian Data Protection Authority Plans to Inspect Life Sciences Companies in 2020

The Italian Data Protection Authority has recently issued its inspection plan for the first half of 2020. The Authority plans about 80 inspections through the fiscal police. 

Inter alia, the Authority plans to inspect health data processing carried out by multinational companies operating in the pharma and health sector. In case that’s what you do, make sure your GDPR documents are in order.

Other industries will also be impacted, such as whistleblowing software, marketing, online banking, food delivery and call center services.

In 2019 the Italian Data Protection Authority issued sanctions amounting to Euro 15,910,390.

Five Key Takeaways from Our Seminar on Clinical Trials

If you missed our seminar on clinical trials on January 16, here are five key takeaways to help you understand the changing regulatory environment in Europe and Italy.

  1. Be ready for a new regulatory landscape

The recent clinical trials regulatory overhaul within the EU aims at fostering research and facilitating the tasks of all actors involved in this area. However, delays in the implementation of such new legislation are posing an actual risk for the entire sector throughout the EU, while competition from emerging economies is getting stronger.

  2. Harmonized, but not enough

In several areas, such as observational studies or ethics committees’ assessments, a unified approach at European level is yet to be adopted. This leaves a lot of fragmentation among the various countries and a lot of work to be done at local level in order to ensure compliance with applicable regulations. Be prepared to deal with such inconveniences, in particular in the pharmaceutical sector.

  3. Changes in data protection laws offer new opportunities but challenges remain

GDPR brought new harmonized provisions to improve and support the use of data for the purpose of conducting research. However, guidance from national data protection and regulatory authorities in areas such as legal grounds for processing and secondary use is far from established. Moreover, different EU countries continue to adopt opposite approaches when it comes to consent and legitimate interest as valid legal grounds for data processing in the framework of clinical research. Data protection compliance will therefore continue to require local check-ups.

  4. New opportunities for independent research

Recent regulatory changes in Italy are being implemented to foster independent not-for-profit research in the clinical area. The new regulations, which are about to be adopted, envisage new opportunities for the participation of private actors in independent research and allow not-for-profit research institutions to better exploit the results of their research. The potential for conflicts remains and caution should be exercised within public-private relationships, but there is hope that new paradigms of collaboration will see the light.

  5. A new world of evidence is out there

More and more projects in the clinical research field involve real world data and real world evidence, gathered in a number of different ways outside the rigid protocols of a controlled study, whether through medical devices or other data collection instruments. Real world data are key to understanding how treatments work in reality and developing new healthcare paths. However, both clinicians and private actors are operating in uncharted territories and the line between studies and alternative research projects is thinner than you may expect. Be mindful of the regulatory and compliance ramifications of these new powerful tools.

Italy’s First Multi-Million GDPR Sanctions

Before last week, the Italian Data Protection Authority (“DPA”) had applied only one (modest) GDPR sanction, which placed Italy at the bottom of the lists of EU countries by number and value of GDPR sanctions applied.

In addition to the great differences in numbers and figures – for example, compared with the soon-to-leave UK (sanction amounts in Euro: Italy 30k vs. UK 315mln+) or Spain (number of sanctions: Italy 1 vs. Spain 43) – it is interesting to note that, until last Friday, the most active European DPAs (UK, France, Germany, Spain) tended to target big players in the private sector (e.g. British Airways, Marriott International, Google), as opposed to Italy’s attention to websites affiliated to a political party and run through the platform named Rousseau.

Last Friday, however, this scenario changed significantly. The Italian DPA issued a press release announcing two GDPR sanctions applied to Eni Gas e Luce, a wholly owned subsidiary of Italy’s State-controlled multinational oil and gas company, Eni S.p.A., for Euro 8.5 and 3 million.

The first sanction of Euro 8.5 million has been imposed for unlawful processing in connection with telemarketing and tele-selling activities. The inspections and inquiries had been carried out by the authorities as a response to several alerts and complaints that followed GDPR D-Day.

Violations included: advertising calls made without consent or despite data subjects’ refusal, absence of technical and organisational measures to take into account the instructions provided by data subjects, excessive data retention periods, and acquisition of personal data of possible future customers from third parties which had not obtained consent.

The second sanction of Euro 3 million relates to unsolicited contracts for the supply of electricity and gas. Many individuals complained that they had learned about their new contracts only upon receipt of the termination letter from the previous supplier or of the first electricity bill from Eni Gas e Luce. Complaints included alleged incorrect data and false signatures.

About 7200 consumers were affected. The Italian DPA also underlined the role of third-party contractors, acting on behalf of Eni Gas e Luce, in perpetrating the violations.

Both decisions are quite significant as, for the very first time, the Italian DPA provides its indications and illustrates its approach in dealing with data processing and violations by large-sized companies operating in the private sector, within the GDPR regulatory framework.

Clinical Trials Seminar at Gitti and Partners

On January 16 our firm Gitti and Partners will be hosting a seminar on clinical trials legislation and its related opportunities and risks. The seminar will look at drug trials and medical devices investigations from various angles, including regulatory, data processing and criminal law perspectives.

Ms. Alice Cabrio and Ms. Giulia Corti, Corporate & Compliance Managers at Roche S.p.A., will focus on the challenges of reconciling GDPR and trials.

Dr. Eleonora Ferretti will bring the perspective of the trial unit of a large public hospital that is also a research center.

Ms. Elisa Tacconi and Ms. Elisa Corleto of Medtronic Italia S.p.A. will dive into real world evidence and will explore the limits of trials’ regulations.

Our Fabrizio Sardella and Ms. Castagno and Mr. Stigliano of Orrick will highlight criminal risks linked to clinical trials.

The seminar promises to be very interesting and you are welcome to join us.

The full program can be found here: http://grplex.com/en/conferences/download/765/clinical-trials–risks-and-opportunities-in-a-new-regulatory-environment

Don’t Forget to Close E-mail Accounts of Employees who Leave. And Happy Holidays!

The Italian Data Protection Authority has recently reiterated what to do when an employee leaves the company, i.e.:

  • Close down email accounts attributable to the former employee;
  • Adopt automatic response systems indicating alternative addresses to those who contact the mailbox; and
  • Introduce technical measures to prevent the display of incoming messages to unauthorized subjects.

The automatic forwarding of emails to colleagues of the former employee amounts to a breach of data protection principles, which require the employer to protect the confidentiality of former workers as well.

In the case decided by the Authority, the e-mail account had remained active for over a year and a half after the end of the employment relationship and was eliminated only after the worker filed a formal complaint.

Our life sciences team at Gitti and Partners wishes you a relaxing Christmas break and a 2020 full of happy innovation, useful technology and interesting legal developments!

Update: Italian Senate Steps Back on Light Cannabis

Optimism after last week’s news did not last very long. The Italian Senate just approved its version of the Italian Budget Law for 2020 (still subject to the Italian House of Representatives’ vote), striking out the amendment clarifying that products with THC content under 0.5% should not be considered as having a doping or psychotropic effect.

This quick turnaround was likely due to the highly political nature of the debate surrounding the whole industry, which may have influenced the Senate’s final decision on the light cannabis business and, in a very different field, may also still affect the slow progress of the increase in Italian production of therapeutic cannabis.