All posts by Paola Sangiovanni

About Paola Sangiovanni

Partner of GITTI and Partners. Seasoned transactional and regulatory legal counsel with a thorough understanding of the life sciences industry.

Italian Laws on HCPs & Vaccination

With a law decree decided yesterday, the Italian Government enacted two interesting new rules aimed at health care professionals (“HCPs“):

  1. Criminal liability of HCPs administering vaccines for the crimes of manslaughter and personal injuries is excluded, provided that the vaccinations follow the indications of the authorization of the specific vaccine and the decisions of the Ministry of Health;
  2. The obligation of HCPs to be vaccinated is introduced: HCPs refusing to undergo vaccination may be assigned to different duties or her/his remuneration may be suspended. The constitutionality of this obligation has been often discussed, but most scholars believe that – on the basis of the Constitutional Court jurisprudence (especially decision no. 5 of 2018, drafted by Ms. Cartabia, who is now part of the government) – there is no doubt about compliance of this provision with the Italian Constitution. Vaccination is in fact aimed at not only preserving health for the individual who is vaccinated, but also other people’s health, and consequences of vaccination are tolerable.

Hopefully the above provisions will help the vaccination campaign move faster. I certainly cannot wait to roll up my sleeve!

Happy Easter!

EMA Committee Recommends Granting Conditional Marketing Authorization to Covid-19 Vaccine

Today the European Medicines Agency (specifically, its human medicines committee or CHMP) has recommended granting a conditional marketing authorisation to the vaccine developed by BioNTech and Pfizer to prevent COVID-19 in people from 16 years of age.

In the words of the EMA press release, “EMA’s scientific opinion paves the way for the first marketing authorisation of a COVID-19 vaccine in the EU by the European Commission, with all the safeguards, controls and obligations this entails.”

The CHMP has concluded that data on the quality, safety and efficacy of the vaccine are sufficient, given the results of a trial on 44,000 people so far. The process of data collection will in any case continue for at least 2 more years.

It is still unclear who, when and how we will have access to the vaccine, but certainly a vaccine is coming our way. After a 2020 filled with lives lost, fear, confinement and social deprivation, this is absolutely great news. What a few months back seemed wildly optimistic, is now happening.

We want to end 2020 on a high note and wish you relaxing holidays and a new happy, healthy and social year!

Data Protection: What You May Have Missed

Unless you are exclusively devoting this lockdown to following webinars on the Schrems II decision (there is an impressive offering out there), you may have missed a couple of interesting developments in the area of data protection:

  • the European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which can be found here. In short, the EDPB sets forth a to-do-list for data controllers exporting data composed of 6 steps:
  • 1. map your transfers outside the EU;
  • 2. verify the transfer tool you are using;
  • 3. assess the law or practice of the country of destination (refer to the EDPB European Essential Guarantees recommendation);
  • 4. identify and adopt supplementary measures;
  • 5. take any formal step to introduce any supplementary measures; and
  • 6. re-evaluate periodically.
  • The Italian Data Protection Authority is increasingly worried by threats to privacy posed by apps (not just TikTok). It has issued a presentation to warn users about the use and misuse of personal data by various apps.

Guidelines on Concepts of Controller and Processor in the GDPR

Have you ever struggled to pinpoint the roles, and subsequent responsibilities, of controllers, joint controllers and processors in the context of the GDPR? Have you found yourself in negotiations where it was discussed who acted in which role? Help is coming your way.

The European Data Protection Board (or EDPB), a body composed of – inter alia – representatives of EU national data protection authorities, has provided helpful guidance in that regard. Guidelines 07/2020 on the concepts of controller and processor in the GDPR (adopted on September 2, 2020 but more recently made available) offer clarifications on such respective roles.

Generally speaking, such GDPR roles have a functional nature and call for a factual rather than formal analysis.

In short:

  • The controller can be any type of entity. It determines the purpose (the why) and the means (the how) of the data processing. Certain aspects of the processing may be determined by the processor, but they have to be “non-essential”.
  • Joint controllers jointly participate to the determination of the purpose and means of processing, either through a common decision, or as a result of converging decisions. There is no joint controllership when different entities use a shared database or a common infrastructure, if each entity independently determines its own purposes.
  • Data processors act on behalf of data controllers and must be separate entities from data controllers. Data processors must follow the instructions of the data controller, with a limited decree of discretion in their execution.
  • The same entity may act, at the same time, as controller for certain processing operations and as processor for others: each data processing activity must be separately assessed.

Comments on the Guidelines can be sent to the EDPB until October 19.

New Reimbursement Criteria for Medicinal Products

New criteria for reimbursement of medicinal products by the national healthcare system will apply as a result of publication of Ministerial Decree of August 2, 2019 occurred on July 24, 2020.

The new criteria focus on the clinical value of the medicinal product and on its added therapeutic value compared to other available medicinal products, while, before such Ministerial Decree, the emphasis was on the advantageous cost-effectiveness of the drug. Unless a clinical superiority of the drug compared to similar drugs can be established, the outcome of the reimbursement negotiations will be negative. AIFA has summarized here the changes introduced.

Negotiations can be either started by the pharmaceutical company or by AIFA. Guidelines on the documentation, to be submitted by the pharmaceutical company, are currently subject to public consultation until September 30, 2020.

Under the new Ministerial Decree the pharma company must disclose information regarding reimbursement conditions already negotiated in other countries, estimates of expenditure on the basis of estimated market quotas, patent status, and economic/financial impacts on public expenditure. Sales data and marketing data must also be provided to AIFA throughout the validity of the reimbursement arrangement. Confidentiality obligations covering the reimbursement agreement, however, are not expressly prohibited.

Innovative reimbursement models, as well as traditional schemes, are possible.

Further Crimes Triggering “231” Liability

Italian corporations are subject to criminal liability arising from legislative decree 231 of 2001: more on the topic can be found here.

“231 crimes” triggering such liability are already a vast and varied list of crimes. They are not limited to corruption crimes, but range from manslaughter due to breach of safety on the workplace provisions to corporate crimes and tax crimes.

Nonetheless, the list of “231 crimes” continues to grow.

Effective on July 30, 2020 new crimes will be added, as law 75 of 2020 will come into force. The new crimes are mostly further nuances of the tax crimes, as well as new crimes (fraud in public suppliesfraud in agriculture and smuggling, misappropriation and abuse of office).

It’s time for companies  to update their organizational models again! (Perhaps enjoy your well deserved summer vacation first: it has been quite a year).

New Intellectual Property Scenarios in the Age of Covid-19

IP DONATIONS.  Many life sciences companies have made generous donations to alleviate the difficulties arisen in these dire pandemic times (Roche Italia, for example, has donated medicinal products, devices, cash and services).

Some of them, instead, have donated intellectual property: Medtronic, for example, has publicly posted design specifications for its Puritan BennettTM560 (PB560) ventilator “to allow innovators, inventors, start-ups, and academic institutions to leverage their own expertise and resources to evaluate options for rapid ventilator manufacturing”. More than 90,000 people were interested.

IP VOLUNTARY LICENSES.  Momentum is also building in favor of the Open Covid-19 Pledge, a program, now also sponsored by the Creative Commons, where patent holders pledge to make their intellectual property available free of charge for uses against Covid-19. The pledge, rather than a donation, takes the form of a royalty-free, non-exclusive, worldwide license under which the intellectual property is made available. Such license may be standard or can be adapted by licensors in various ways.

While many research institutions and private companies are working on a Covid-19 vaccine, the World Health Organization has warned that “it will be important that vaccines go where they are most needed, not simply to the countries that can afford them.” Critical issues not only affect the development of a vaccine, but will also affect its mass production and worldwide distribution. A similar request has been voiced by the European Parliament in its Motion for Resolution dated April 14, 2020, where it “calls on the Commission to ensure that, when EU public money is spent on research, the results of that research are not protected by intellectual property rights and price accessibility to patients is guaranteed for the products developed; stresses the importance of public research and development activities and institutions and of cooperation at international level, while expressing concerns over the dominant role of multinationals in the pharmaceutical sector; urges all pharmaceutical companies to pool their data and knowledge in a collective effort to identify, test, develop and manufacture treatments to curb the disease”.

IP MANDATORY LICENSES.  Such voluntary licenses are completely different from the mandatory licenses that section 31 of the TRIPS agreement allows in case of a “national emergency or other circumstances of extreme urgency”. While the right holder would need to receive “adequate remuneration”, this instrument would allow governments to obtain a non-exclusive and non-assignable license to use the patent without the authorization of the right holder.

It is thus possible that the extreme circumstances in which we are living may also bring completely new scenarios in the intellectual property landscape.

EDPB on Privacy & Covid-19 Today

You may have heard that Israel has started processing cellphone data in order to track contacts and movements of individuals who are positive to Covid-19 in order to trace other people with whom they have come into contact. 

The European Data Protection Board has just issued an opinion on data protection and Covid-19 stating that:

 Insofar as possible, processing of data should be anonymous;
 When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security. This emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.

If you have some time to reflect on the privacy aspects of the coronavirus, you may be interested in checking the varied approach of different EU Data Protection Authorities. 

Stay safe!

Italian Data Protection Authority Plans to Inspect Life Sciences Companies in 2020

The Italian Data Protection Authority has recently issued its inspection plan for the first half of 2020. The Authority plans about 80 inspections through the fiscal police. 

Inter alia, the Authority plans to inspect health data processing carried out by multinational companies operating in the pharma and health sector. In case that’s what you do, make sure your GDPR documents are in order.

Other industries will also be impacted, such as whistleblowing software, marketing, online banking, food delivery and call center services.

In 2019 the Italian Data Protection Authority has issued sanctions amounting to Euro 15,910,390.