Monthly Archives: March 2023

PAYBACK ON MEDICAL DEVICES IN ITALY: LATEST UPDATES

Legal news, ,

The medical devices sector in Italy has been struggling for several months now as the Government is retroactively demanding that sellers of medical devices refund a quota of the excessive expenses sustained by the regional health systems during the years 2015-2018.

In fact, following a law decree enacted in August 2022, businesses and companies that won public tenders and provided Italian hospitals with medical devices from 2015 and onwards have been requested to turn back to the Regions part of the relating income, for a total amount of more than 2 billion euros.

In December 2022, Regions issued decrees ordering that the medical devices operators pay their respective quotas of the so-called “payback” contribution by the end of January 2023.

However, hundreds of claims were filed before the Administrative Court of Rome and the Government decided to postpone the payment deadline to 30 April 2023.

As the payment deadline draws closer, it appears that on yesterday’s Council of Ministers the Government issued a new law decree providing for a (still unspecified) discount in favour of businesses and companies that waive all claims and pay the discounted contribution by 30 June 2023.

While this new law decree is yet to be published on the Official Journal, it seems likely that the compromise reached at political level will not satisfy the expectations of several companies operating in the medical devices sector, meaning that the challenge is far from over.

Focus on Med-Tech Prices

Legal news

A new body dedicated to reviewing prices of medical devices in Italy has been established by the January 23, 2023 decree of the Ministry of Health, which has been recently published (and you may find here). This new “Osservatorio nazionale dei prezzi dei dispositivi medici” will be aided by the Health Technology Assessment group and other entities within the national healthcare service.

The outcome of the Osservatorio’s analysis will be published in a dedicated section of the Ministry of Health website.

The med-tech industry association has welcomed a better focus on prices, but warned against confusion among the 1.5 million+ med-tech goods and related services offered in Italy, as well as pointed out that Italy does not suffer from a problem of overspending in medical devices (the prices of which are substantially lower than the EU average), but of underfunding of the national health service.

New Whistleblowing Legislation Adopted in Italy

Legal news, , , ,

Italy has implemented today the EU whistleblowing directive (UE) 2019/1937. The new legislative decree no. 24/2003 has in fact been published on the official journal and is scheduled to enter into force on March 30, 2023.

The final published version of the decree, which had been previously leaked in an unofficial draft, can be found here: https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg.

The new legislation is certain to affect private companies and public entities alike when it comes to managing whistleblowing reports and new measures may need to be adopted to comply with the new requirements.

For additional information on this subject, materials from our February webinar can be freely accessed here: https://lawhealthtech.com/2023/02/09/our-whistleblowing-webinar/.

Italian Transparency Act: the Opinion of the Italian Data Protection Authority

Legal news, , , , , , , , , ,

The Italian Data Protection Authority has issued its opinion on the data protection implications relating to the new information duties set forth on employers by legislative decree 104/2022.

On August 13, 2022, legislative decree 104/2022 (“Transparency Act”) has entered into force. It provides for a new set of mandatory information that the employer must communicate to its employees at the time of their onboarding. On January 24, 2023, the Italian Data Protection Authority (“Garante”) issued its opinion about compliance of such new information duties with the provisions of the relevant data protection legislation.

In particular, the focus of the Garante was centered on the mandatory communication that, according to section 4, paragraph 8 of the Transparency Act, the employer must give to the employees if any “decision or monitoring automated system is used for the sake of providing information which is relevant for the hiring, management or termination of the employment relationship, for the assignment of tasks and duties, or for the surveillance, evaluation and fulfillment of contractual duties by the employee”. The Garante has stated that:

  • GDPR Sanctions Apply in case of Breach.  The implementation of any decision or monitoring automated system must be made in compliance and within the limits set forth by the applicable labor law provisions, and in particular law 300/1970. Such labor law provisions, which allow the implementation of automated systems only if certain conditions occur, must be deemed as providing “more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context” (as per section 88, paragraph 2, of the GDPR), and thus non-compliance with them may lead to administrative fines pursuant to section 83 of the GDPR.
  • Data Processing Impact Analysis (“DPIA”).  The employer, who is subject to the duty of accountability, must assess beforehand if the relevant processing is likely to result “in a high risk to the rights and freedoms of natural persons responsibility”, and thus requires a preliminary data processing impact analysis under section 35 of the GDPR. In such regard, the Garante has clarified that data subjects (i.e., employees) should be deemed as “vulnerable”, and that the processing of their data with automated systems is very likely to meet the conditions that make the DPIA mandatory according to the guidelines on the DPIA issued by the WP 29 on April 4, 2017.
  • Compliance with the “privacy by default” and “privacy by design” principles.  Employers must implement appropriate technical and organizational measures and integrate the necessary safeguards into the processing so that to protect the rights of data subjects (privacy by design). Moreover, the controller shall ensure that, by default, only personal data which are necessary for the specific purpose of the processing are processed (privacy by default), and should then refrain from collecting personal data that are not strictly related to the specific purpose of the relevant processing.
  • Update of the register of processing activities (“ROPA”).  The employer must indicate the processing of data through automated systems within his/her ROPA.

Need any further assistance on the matter? Don’ hesitate to reach us out!