All posts by Paola Sangiovanni

About Paola Sangiovanni

Partner of GITTI and Partners. Seasoned transactional and regulatory legal counsel with a thorough understanding of the life sciences industry.

Our Article on Clinical Trial Legislation Is Out

We are happy to announce that our article on “Drug Clinical Trials Legislation in the European Union” has been published on the Indian Journal of Law and Technology (https://www.ijlt.in/).

You may read it here or here.

The purpose of the article is to illustrate the basic tenets of European Union law on clinical trials. Such body of law has been progressively harmonized in the European Union over the years with the aim of subjecting interventional clinical trials conducted in any of the 27 European Union Member States to identical rules.

The article initially describes the reasons why clinical trials are important to measure the safety, efficacy and cost-effectiveness of innovative medical treatment. It then continues by illustrating the scope and basic principles of the current EU Regulation, as well as its main changes over the previous legislation. Further, the article explains the requirements of the scientific and the ethical approvals of a clinical trial application. Lastly, the authors focus
on the patients’ consent to the enrollment in a clinical trial, as well as to the patients’ separate consent to the processing of their personal data

New Data Transfer Standard Contractual Clauses Approved by the EU Commission

On June 4, 2021 the EU Commission approved new standard contractual clauses (“SCC“), which are regarded to provide appropriate safeguards within the meaning of Article 46(1) and (2) (c) of the GDPR.

The new SCC are updated with GDPR, the opinions expressed during the course of the consultation phase (including those of the European Data Protection Board and the European Data Protection Supervisor), as well as take into account the recent Schrems II judgement of the Court of Justice.

There are two different sets of SCC: (i) for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) and (ii) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

The new SCC promisemore flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses“.

If you or your company are using the old SCC, you have a transition period of 18 months.

Patents on Covid Vaccines: the Plot Thickens

Last Friday I spoke at an interesting event, dedicated to lessons learned during the pandemic, sponsored by the association Women&Tech.

My plan was to illustrate the international aspects of intellectual property and, in particular, the possibilities afforded by article 31 of the TRIPS agreement to obtain a license to use vaccines’ patents without consent of the patent holder. There had also been a proposal by India and South Africa to waive IP rights on vaccines altogether, but it had been rejected. The discussion seemed largely theoretical.

Only a few hours before the event, the scenario completely changed when the US announced that it was backing the idea of a waiver of IP rights on Covid vaccines’ patents. Reactions by EU leaders were varied, and it is still unclear if the waiver proposal will receive the required three fourths of the votes at the WTO level.

You may find my slides (in Italian) below, but in my view the clearest explanation of the issues at stake is in the position paper by the Max Planck Institute for Innovation and Competition, which can be found here.

Entry into force of EU Regulation on Clinical Trials is Getting Closer

EU Regulations on Clinical Trials number 536/2014 will enter into force 6 months after the publication of a notice by the EU Commission confirming that the clinical trial portal and databases have achieved full functionality in accordance with the required specifications.

Such clinical trial portal and database, where all information submitted through the portal will be stored, supposedly one of the high points of the Regulation, is probably its worst enemy so far. In fact, due to technical difficulties with the development of the IT systems (aka “CTIS”), the portal’s go-live date had to be postponed for years. Therefore, so far, the Directive continues to apply, while some argue that the Regulation – that appeared cutting edge in 2014 – already shows the signs of age.

Now things are finally moving ahead.

On April 21, 2021 the European Medicines Agency’s Extraordinary Management Board confirmed that “CTIS is fully functional and meets the functional specifications, following an independent, successful audit“. 

The ball is now in the European Commission’s court: once the Commission confirms the same conclusions on CTIS, a notice will be published in the Official Journal of the European Union. “Six months after this notice, the Regulation will start to apply and CTIS will go live. The aim is that CTIS goes live on 31 January 2022.says the EMA.

Italian Laws on HCPs & Vaccination

With a law decree decided yesterday, the Italian Government enacted two interesting new rules aimed at health care professionals (“HCPs“):

  1. Criminal liability of HCPs administering vaccines for the crimes of manslaughter and personal injuries is excluded, provided that the vaccinations follow the indications of the authorization of the specific vaccine and the decisions of the Ministry of Health;
  2. The obligation of HCPs to be vaccinated is introduced: HCPs refusing to undergo vaccination may be assigned to different duties or her/his remuneration may be suspended. The constitutionality of this obligation has been often discussed, but most scholars believe that – on the basis of the Constitutional Court jurisprudence (especially decision no. 5 of 2018, drafted by Ms. Cartabia, who is now part of the government) – there is no doubt about compliance of this provision with the Italian Constitution. Vaccination is in fact aimed at not only preserving health for the individual who is vaccinated, but also other people’s health, and consequences of vaccination are tolerable.

Hopefully the above provisions will help the vaccination campaign move faster. I certainly cannot wait to roll up my sleeve!

Happy Easter!

EMA Committee Recommends Granting Conditional Marketing Authorization to Covid-19 Vaccine

Today the European Medicines Agency (specifically, its human medicines committee or CHMP) has recommended granting a conditional marketing authorisation to the vaccine developed by BioNTech and Pfizer to prevent COVID-19 in people from 16 years of age.

In the words of the EMA press release, “EMA’s scientific opinion paves the way for the first marketing authorisation of a COVID-19 vaccine in the EU by the European Commission, with all the safeguards, controls and obligations this entails.”

The CHMP has concluded that data on the quality, safety and efficacy of the vaccine are sufficient, given the results of a trial on 44,000 people so far. The process of data collection will in any case continue for at least 2 more years.

It is still unclear who, when and how we will have access to the vaccine, but certainly a vaccine is coming our way. After a 2020 filled with lives lost, fear, confinement and social deprivation, this is absolutely great news. What a few months back seemed wildly optimistic, is now happening.

We want to end 2020 on a high note and wish you relaxing holidays and a new happy, healthy and social year!

Data Protection: What You May Have Missed

Unless you are exclusively devoting this lockdown to following webinars on the Schrems II decision (there is an impressive offering out there), you may have missed a couple of interesting developments in the area of data protection:

  • the European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which can be found here. In short, the EDPB sets forth a to-do-list for data controllers exporting data composed of 6 steps:
  • 1. map your transfers outside the EU;
  • 2. verify the transfer tool you are using;
  • 3. assess the law or practice of the country of destination (refer to the EDPB European Essential Guarantees recommendation);
  • 4. identify and adopt supplementary measures;
  • 5. take any formal step to introduce any supplementary measures; and
  • 6. re-evaluate periodically.
  • The Italian Data Protection Authority is increasingly worried by threats to privacy posed by apps (not just TikTok). It has issued a presentation to warn users about the use and misuse of personal data by various apps.

Guidelines on Concepts of Controller and Processor in the GDPR

Have you ever struggled to pinpoint the roles, and subsequent responsibilities, of controllers, joint controllers and processors in the context of the GDPR? Have you found yourself in negotiations where it was discussed who acted in which role? Help is coming your way.

The European Data Protection Board (or EDPB), a body composed of – inter alia – representatives of EU national data protection authorities, has provided helpful guidance in that regard. Guidelines 07/2020 on the concepts of controller and processor in the GDPR (adopted on September 2, 2020 but more recently made available) offer clarifications on such respective roles.

Generally speaking, such GDPR roles have a functional nature and call for a factual rather than formal analysis.

In short:

  • The controller can be any type of entity. It determines the purpose (the why) and the means (the how) of the data processing. Certain aspects of the processing may be determined by the processor, but they have to be “non-essential”.
  • Joint controllers jointly participate to the determination of the purpose and means of processing, either through a common decision, or as a result of converging decisions. There is no joint controllership when different entities use a shared database or a common infrastructure, if each entity independently determines its own purposes.
  • Data processors act on behalf of data controllers and must be separate entities from data controllers. Data processors must follow the instructions of the data controller, with a limited decree of discretion in their execution.
  • The same entity may act, at the same time, as controller for certain processing operations and as processor for others: each data processing activity must be separately assessed.

Comments on the Guidelines can be sent to the EDPB until October 19.