All posts by Paola Sangiovanni

About Paola Sangiovanni

Partner of GITTI and Partners. Seasoned transactional and regulatory legal counsel with a thorough understanding of the life sciences industry.

GDPR Turns 5, and Trans-Atlantic Data Flow Remains a Headache

Happy birthday to the GDPR, which turned 5 years old on May 25, 2023! Is the European Union (and, given the Brussels effect, perhaps the entire world) a better place than it was pre-GDPR? This is a difficult question. Surely companies have focused a lot more on data protection. And one of the reasons why companies have attempted to comply (100% compliance appears to be an unachievable goal!) is the possibility of being sanctioned with “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”.

Clearly, while the very same GDPR language applies throughout the EU, data protection legislation is not yet harmonised, not even 5 years after its entry into force. About 30 articles of the GDPR allow Member States to depart from it. Interpretations of the Regulation also vary, so in many areas uniformity has given way to diversity (which, in this case, is not ideal). Additionally, enforcement of the GDPR is entirely decentralized, and data protection authorities have different views, differing resources and different strategies.

A list of GDPR sanctions is regularly updated and, since the Meta decision of May 22, 2023, the Irish Data Protection Commission has emerged as the champion. While it was previously criticized for “being too cozy to Big Tech”, it has issued the highest ever sanction, along with strong measures ordering Meta to stop further transfers of personal data from the EU to the US and to bring its processing operations of data already transferred to the US into compliance with the GDPR. The problem, once again, stems from the trans-Atlantic data flow from the EU to the US, and from the concerns that such EU personal data is subject to surveillance in the US, without any redress system for EU citizens. (Incidentally, thousands of companies, like Meta, may have the same problem.)
The US and EU have yet to reach an agreement that would allow a safe flow of data (although there are hopes that progress will be achieved by July). Further, there is no guarantee that the European Court of Justice will not strike down any such new arrangement, as it did in the past (twice). Meanwhile, the post-GDPR world appears to strongly push towards data localization (or “sovereign cloud”), making data flows out of the EU to non-“adequate” countries very scary.

Focus on Med-Tech Prices

A new body dedicated to reviewing prices of medical devices in Italy has been established by the January 23, 2023 decree of the Ministry of Health, which has recently been published (and which you may find here). This new “Osservatorio nazionale dei prezzi dei dispositivi medici” will be aided by the Health Technology Assessment group and other entities within the national healthcare service.

The outcome of the Osservatorio’s analysis will be published in a dedicated section of the Ministry of Health website.

The med-tech industry association has welcomed a better focus on prices, but has warned against confusion among the 1.5 million+ med-tech goods and related services offered in Italy. It has also pointed out that Italy does not suffer from a problem of overspending in medical devices (the prices of which are substantially lower than the EU average), but of underfunding of the national health service.

AI Liability Directive: Key Takeaways

We have already illustrated the new proposed rules for a product liability directive on this blog. We now analyze the proposal for an AI Liability Directive, which offers interesting insights on how liability rules will be tweaked when Artificial Intelligence is concerned. In fact, as noted by the Commission’s explanatory memorandum to the AI Liability Directive, “the ‘black box’ effect can make it difficult for the victim to prove fault and causality and there may be uncertainty as to how the courts will interpret and apply existing national liability rules in cases involving AI”.

These slides may help you understand the AI Liability Directive. If you have questions or doubts, do not hesitate to reach out to us.

Product Liability Directive

The Proposal for a new Product Liability Directive of September 2022 is likely to be a game changer for manufacturers of products. Rules on the burden of proof are going to favor consumers more than before.

If you want to familiarize yourself with the new rules, you will appreciate the following slides. Any questions? You know where to find us. Happy holidays!

The Impregilo Case Clarifies the Basis for Exemption from 231 Liability

The Italian Supreme Court has recently published a judgment (no. 23401 of 2022, hereinafter the “Impregilo Case”) that sheds new light on certain elements of liability of Italian companies arising from legislative decree no. 231 of 2001.

Put simply, legislative decree 231 has established quasi-criminal liability of companies when one of their employees commits a certain crime to the company’s benefit or in its interest. The same law has established that the company is exempt from liability if (i) it has adopted an organizational and management model (“Model”) aimed at preventing such crimes, and (ii) it has appointed an independent compliance committee (“Committee”), which has diligently overseen the actual application of such Model. If a company has not adopted an adequate Model duly enforced by the Committee, then it is regarded as failing to diligently organize itself in order to prevent 231 crimes: having failed at its duty to prevent the crime, it is therefore at fault (so-called “colpa in organizzazione”, or organizational fault) and liable. Additional information on 231 legislation can be found here.

In the Impregilo Case, which followed a tortuous path through courts of various instances, the Supreme Court has established very interesting principles:

  • The mere fact that a certain 231 crime has occurred is not sufficient to prove that the Model was inadequate: 231 liability of a company is not strict liability; rather, it is based on fault, i.e., it depends on lack of diligence in preventing the crime.
  • Adequacy of the Model must be assessed with a focus on the specific crime that occurred, and not with regard to the Model as a whole.
  • If the Model conforms to codes of conduct drafted by industry associations, a court has the duty to indicate which best practices would have effectively prevented the crime.

This judgment ultimately grants exemption from 231 liability and recognizes that, since the Model was based on best practices, it was adequately preventing the crime, even if the crime was in fact committed due to the choice of the company’s managers to circumvent the Model.

If this trend in case law continues, companies will have a stronger incentive to adopt, enforce and update Models diligently reflecting best practices in crime prevention.

Recording of MDR + IVDR Implementation Webinar

Last week Paola Sangiovanni and Flavio Monfrini participated as speakers in a webinar on the implementation of the MDR and IVDR.

The webinar was hosted by the firm Axon Lawyers based in Amsterdam and was especially interesting as members of the Alliance of European Life Sciences Law Firms in France, UK, Germany, Belgium, Greece, Spain and The Netherlands contributed their expertise.

If you have missed it, worry not: you can find its recording here.

It’s “Pay Back Time” for Medical Devices’ Companies

Medical device companies that sell to the Public Administration face the prospect of imminent, stellar payments owed to Italian Regions.

Learn about the legislative journey that led to this, and what can be done about it, in our latest Client Alert published here.

Contact us if you need assistance in reacting against pay-back obligations or if you simply want to understand more about this issue and its impact on your business.

Upcoming Webinar on EU MDR and IVDR Implementation

Save the date for Friday 18 November from 15:30 to 17:00 CET for a unique webinar about implementation of the EU MDR and IVDR in various European member states and recognition of CE marked devices on the UK market. The webinar is hosted by the Alliance of European Law Firms, and medical devices legal specialists from Spain, Italy, the UK, Germany, Greece, Belgium and the Netherlands will address:

  • A compare and contrast of how competent authorities in the respective countries deal with the concepts of placing on the market and making available under the MDR and IVDR, both crucial concepts for upcoming regulatory deadlines (and maybe some news on where we expect things to go with the MDR and IVDR);
  • A compare and contrast of national implementing measures for the MDR and IVDR, such as regarding sanctions for non-compliance, enforcement policy and specific subjects where the MDR and IVDR allow significant local discretion (e.g. reprocessing of single use devices and as regards in-house produced devices);
  • A compare and contrast of national exemption possibilities under articles 59 and 97 in view of expiring MDD/AIMDD/IVDD certificates and failure to obtain an MDR/IVDR certificate in time.

Do not miss out on this unique opportunity to have all your questions about medical devices and IVD regulation implementation in the UK and important EU member states addressed by our expert panel:

  • Francisco Aranega from AMyS Law (Barcelona, Spain)
  • Laure le Calve from LCH Avocats (Paris, France)
  • An Vijverman from Dewallens & Partners (Leuven/Brussels, Belgium)
  • Ioanna Michalopoulou from Michalopoulou & Associates (Athens, Greece)
  • Mathias Klümper and Claudia Lützeler from Lützeler Klümper (Hamburg/Düsseldorf, Germany)
  • Paola Sangiovanni and Flavio Monfrini from Gitti and Partners (Milan, Italy)
  • Alex Denoon and Xisca Borras from Bristows (London, UK)
  • Erik Vollebregt from Axon Lawyers (Amsterdam, The Netherlands)

If you would like to attend, please send us an email and we will provide you with a link and technical information on joining the seminar well in advance.

Please feel free to share this save-the-date with colleagues or other people who may find the seminar interesting. If they send us an email, we can send them their own link and information for joining the webinar.