All posts by Paola Sangiovanni

Italian Data Protection Legislation Is Enacted

Finally (!), the Italian government has enacted a legislative decree that amends the existing Data Protection Code in order to ensure its compliance with the GDPR. Additionally, the Italian legislator has filled the gaps that the GDPR had left to Member States.

Here are the main takeaways in the health area:

  • Processing of health data, genetic data or biometric data requires compliance with specific protection measures (“misure di garanzia”) that will be issued by the Italian Data Protection Authority bi-annually in light of guidelines of the European Committee, of technological developments and in the interest of data circulation within the European Union.
  • Under section 9.2.g) of the GDPR, personal data relating to health can be processed when processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law. The Italian legislator has listed the circumstances under which such substantial public interest exists, i.e., inter alia:
    • administrative activities connected to those of diagnosis, assistance or health or social therapy;
    • obligations of the national health service and of subjects operating in the health area;
    • hygiene and safety tasks to be carried out in the workplace and for the safety and health of the population, for the protection of the population and to safeguard life and physical integrity;
    • management and assessment of health assistance;
    • social protection of maternity and abortion, addictions, assistance, social integrations and rights of disabled individuals.
  • Data protection rights of deceased individuals may be exercised by those who act on the basis of their own interest, in protection of the deceased person, or for family reasons that are worthy of protection, unless – with respect to information society services – the deceased person has expressly prohibited, through a written statement, the exercise of such rights by third parties. Such statement must be unequivocal, specific, informed and free, and may also relate only to some of the rights. The prohibition must not prejudice the exercise by third parties of patrimonial rights arising from the death of the deceased person, nor the right to judicial defense.
  • The prescription of drugs that do not require the indication of the name of the interested person will be subject to specific measures (misure di garanzia) also in order to control the correctness of the prescription, for administrative purposes and for the purpose of scientific research in public health.
  • Reuse of personal data for purposes of scientific research or for statistical purposes must be authorized in advance by the Data Protection Authority, which can set forth conditions for the processing. Reuse of genetic data cannot be authorized. However, processing of personal data collected in clinical activity for the purpose of research by research hospitals (IRCCS, both private and public) is not deemed to be reuse.
  • Processing of health personal data for the purpose of scientific research in the medical, biomedical or epidemiological field without the patient consent is in any case subject to a favorable opinion by the competent ethics committee and a consultation with the Data Protection Authority.
  • Criminal sanctions continue to apply in case of illegal data processing and can be up to 6 years of imprisonment.
  • The Data Protection Authority has 90 days to indicate which of the measures contained in the general authorizations it already adopted are compatible with the GDPR. The ones which are not will cease to apply.

GDPR from Down Under: an Australian Perspective

We have interviewed Dr. Peytee Grusche, special counsel at the Australian law firm Russell Kennedy, to ask about her view on GDPR. Peytee assists clients in the areas of research and development, commercialisation of intellectual property, patent, trade mark and design registration and enforcement.

Do Australian companies care about GDPR, and why?

Yes, Australian companies do care about the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU. Also, if Australian businesses are recipients of personal data, then they will be caught by the provisions of the GDPR.

Have you seen significant compliance efforts?

We have had clients request advice on their privacy policies in order to update them to include compliance with the GDPR. In particular, where AU businesses are recipients of personal data, advice on standard data protection clauses and binding corporate rules. Also, we have received instructions for advice on compliance with GDPR in respect of direct marketing practices (mailouts, newsletters etc.).

How would you compare the GDPR to Australian data protection legislation?

The GDPR and the Australian Privacy Act 1988 have much in common including the requirement to show that businesses comply with the privacy principles. However, there are some differences under the GDPR which do not appear in the Australian Privacy Act 1988 including a number of rights for individuals.

Under the GDPR, individuals have the right to erasure, the right to data portability and the right to restriction of processing. The Australian Privacy Act does not include the equivalent of these new rights. However, it specifies that business must take reasonable steps to destroy or de-identify personal information that is no longer needed for a permitted purpose. Additionally, where access is given to an individual’s personal information, it must generally be given in the manner requested by the individual.

What is the preferred strategy of Australian companies who face different standards in data protection legislations around the world?

In our experience, Australian companies will try to comply by adopting an appropriate privacy policy and/or by contractual provisions to include provisions relating to relevant countries.

Thank you, Peytee!

May 25, 2018: Did You Survive the GDPR D-Day?

Last May 25 the GDPR came into force. It was hard not to notice given the inundation of emails that everyone received, as well as the clear signs of burnout in the eyes of GDPR experts.

Here are my personal top 3 takeaways from that experience:

  • The flood of data protection emails received on May 25 showed me how my data had been disseminated all over the place and archived for a really long time. I had some recollection of only a few of those who wrote me to share their most recent privacy policy (and remind me how they deeply, deeply care about privacy!), since many may have bought, inherited or just collected my data a long time ago. It reminded me that those data subjects’ rights are an empowering tool, which I intend to use more frequently in the future.
  • The Law (capital “L”) showed its full might and power on May 25, something which surprised even those, like me, who work with legal requirements all day every day. Look at what companies do when you threaten a 4% fine on their worldwide turnover! (Incidentally, this reminded me why politics is important and why people who are indifferent to politics are wrong: this stuff does make a difference in our lives).
  • The Italian authorities (mostly the government and parliament) lost yet another opportunity to be helpful to citizens. We had been waiting for a national data protection law for months, but no such law was enacted before May 25. Until that happens, Italians are supposed to assess, for each and every provision of the Data Protection Code, whether or not it conflicts with the GDPR. How practical.

GDPR: do’s and don’ts

Paola Sangiovanni will be speaking at a seminar on GDPR on May 3, 2018 at Gitti and Partners’ office in Brescia.

The seminar, followed by a reception, will focus on DOs and DON’Ts for small and medium enterprises in the field of data protection.

While Italians are still awaiting the enactment of a national data protection law that will clarify the relationship between GDPR and the previous privacy legislation, GDPR compliance efforts must nonetheless continue.

Join us in this interesting seminar to find out what should be done and what should be avoided!

Weekend Reading Recommendations

Ready for the weekend? I have these articles on my reading list: perhaps you, too, may enjoy some food for thought on some of the hottest topics in the fields of law and innovation:

  • “A Layered Model for AI Governance”: https://cyber.harvard.edu/node/100108, on governance for artificial intelligence aimed at ensuring transparency and accountability and addressing massive information asymmetries between the developers of artificial intelligence systems and consumers and policymakers;
Whatever you will be reading, have a great weekend!

Presentation on GDPR and scientific research at the Paperless Lab Academy

Paola Sangiovanni will be speaking at the Paperless Lab Academy event (http://www.paperlesslabacademy.com/) on March 20, 2018 in Baveno (NO), Italy, on the topic of the impact of the new GDPR for science.

Sofie van der Meulen, Senior Supervision Officer at Dutch Data Protection Authority, will offer a special introduction titled “Why Privacy Matters”.

This promises to be an interesting event. See you there!
New Rules on Continuing Medical Education

The rules on continuing medical education (“CME”) have changed since a new agreement between the Italian government, the Italian Regions and the autonomous provinces of Trento and Bolzano came into force on February 2, 2018. You may find the new agreement here or here (only in Italian, sorry).

The agreement is an “upgraded version” of the previous principles, which remain largely unchanged, but are now better defined, stricter and hopefully more effective.

  • THE RIGHT TO CME. Health care professionals (“HCPs”) have the right to obtain CME, and regulators will need to remove impediments in order to allow the exercise of such right.
  • ACCREDITATION OF PROVIDERS. As before, providers of CME need to be accredited, but accreditation will be subject to stricter rules, which particularly focus on avoiding any conflicts of interest. Providers will also need to adopt an internal regulation setting forth how to prevent and exclude (even potential) conflicts of interest.
  • SPONSORSHIP OF EVENTS. Private companies may sponsor CME events, provided that the principles of transparency, objectivity, impartiality and independence are complied with. No advertisement of medicinal products or medical devices can be carried out during the CME event, but only before, after and outside the event. No direct payments or reimbursements are allowed to speakers or moderators of the CME events.
  • NO ACCESS TO PERSONAL DATA OF HCPs. On the data protection front, note that sponsors of CME cannot have access to lists and addresses of participants, speakers or moderators.
  • SPONSORSHIP OF HCPs. Lastly, HCPs may be sponsored by commercial firms operating in the health industry, but cannot fulfil more than one third of their CME requirement through such sponsorship. This is bound to change how CME has been handled before, forcing HCPs to bear the cost of at least two thirds of their CME requirements.

Have a great weekend!

Take our Quiz on the New MoH Guidelines on Medical Device Advertisement!

On December 20, 2017, the Italian Ministry of Health issued interesting guidelines on medical device advertisement to the general public, which you can download here (scroll to the bottom of the page).

The new rules describe DOs and DON’Ts for advertisement on Instagram, YouTube and Facebook and offer interesting indications on the use of a celebrity in the ads.

The basic principle remains the same: advertisement of medical devices that are subject to medical prescription (or may be used only with the assistance of medical personnel) is prohibited by Italian law. When allowed, advertisement of medical devices to the public is subject to authorization by the Ministry of Health.

Take our medical device advertisement quiz to check if you know (or can guess!) what’s new in the guidelines!

  • Can a doctor recommend a medical device in an advertisement to the general public?

No, the Ministry of Health will not authorize such advertisement.

  • What about a celebrity appearing in an advertisement message?

While the mere presence of such individual may be tolerated, no express or implied endorsement of the medical device will be authorized.

  • Can authorized medical advertisement be shared through Instagram?

Yes, but only in the “Stories” section and if users’ comments are de-activated.

  • What about Facebook?

As comments cannot be de-activated, a special disclaimer must be used in order to clarify that the Ministry of Health authorization of advertisement solely covers advertisement, while any further comments are the responsibility of users.

  • Is a medical device company allowed to email advertisement to patients?

Yes, but only if the Ministry of Health has authorized the advertisement and if the patient has expressed his/her consent (always revocable).

Holiday Reading Selection

Dear Readers and Friends,

With Christmas and Boxing Day behind you, you should have had your share of party time with your family and friends (if not, New Year’s is a good time to catch up).

If you are ready for some quiet time to read some interesting articles in the areas of innovation, health and the law, here is a selection of holiday reading that our life sciences group has prepared for you.

We wish you a 2018 filled with good health, great technology and interesting law!

Warm wishes from

Paola Sangiovanni, Flavio Monfrini, Marco Bertucci and Miriam Postiglione

a.k.a. the GITTI and Partners life sciences team.

**********************************************************************************

New crimes triggering criminal corporate liability introduced.

Starting from November 19, 2017, following an amendment of the Anti-Mafia Code, additional criminal offences will trigger corporate criminal liability pursuant to Legislative Decree no. 231 of 2001. (If you are not yet familiar with “231”, i.e., the Italian law setting forth criminal corporate liability, you may refer to our previous blog post for an overview of such legislation.)

Section 25-duodecies of Legislative Decree no. 231 of 2001 has been amended by the introduction of three new paragraphs (1-bis, 1-ter and 1-quater) relating to the following crimes in the area of illegal immigration:

• Procuring illegal entry into the State; and
• Favoring illegal permanence (stay) in the State.

The full list of crimes and sanctions can be found here.

The idea is to punish companies that take advantage of illegal immigration, as well as to provide an incentive for companies to organize their activities so as to prevent such corporate crimes (in fact, companies are exempt from liability if they set up and actively pursue organizational models aimed at preventing corporate crimes). It is, however, unclear whether continuously increasing the list of crimes that companies must prevent is an efficient way to achieve that.