Finally (!), the Italian government has enacted a legislative decree that amends the existing Data Protection Code in order to ensure its compliance with the GDPR. Additionally, the Italian legislator has filled the gaps that the GDPR had left to Member States.
Here are the main takeaways in the health area:
- Processing of health data, genetic data or biometric data must comply with specific protection measures (“misure di garanzia”) to be issued by the Italian Data Protection Authority at least every two years, taking into account the guidelines of the European Data Protection Board, technological developments and the interest in the free circulation of personal data within the European Union.
- Under Article 9(2)(g) of the GDPR, personal data relating to health may be processed where processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law. The Italian legislator has listed the circumstances in which such a substantial public interest exists, including:
  - administrative activities related to diagnosis, care, or health or social treatment;
  - obligations of the national health service and of entities operating in the health sector;
  - hygiene and safety duties in the workplace, public health and safety, protection of the population (civil protection), and safeguarding life and physical integrity;
  - management and evaluation of healthcare services;
  - social protection of maternity and voluntary termination of pregnancy, addiction, assistance, social integration and the rights of persons with disabilities.
- The data protection rights of a deceased person may be exercised by anyone who has an interest of their own, acts to protect the data subject, or has family reasons worthy of protection, unless, with respect to information society services, the data subject expressly prohibited the exercise of those rights by third parties in a written statement. Such a statement must be unequivocal, specific, informed and free, and may cover only some of the rights. The prohibition cannot prejudice third parties' exercise of the economic rights arising from the death of the data subject, nor the right to defend oneself in court.
- Prescriptions of drugs that do not require the patient's name to be indicated will be subject to specific protection measures (misure di garanzia), also to allow checks on the correctness of the prescription, for administrative purposes and for scientific research in public health.
- Reuse of personal data for scientific research or statistical purposes requires prior authorization from the Data Protection Authority, which may attach conditions to the processing. Reuse of genetic data cannot be authorized. However, the processing for research purposes of personal data collected in the course of clinical activity by research hospitals (IRCCS, whether public or private) is not deemed reuse.
- Processing of personal health data for scientific research in the medical, biomedical or epidemiological field without the patient's consent is in any case subject to a favourable opinion from the competent ethics committee and to prior consultation with the Data Protection Authority.
- Criminal sanctions continue to apply to unlawful data processing, with imprisonment of up to six years.
- The Data Protection Authority has 90 days to identify which of the measures contained in the general authorizations it previously adopted are compatible with the GDPR; those that are not will cease to apply.