Category Archives: Legal news

Happy GDPR-compliant Xmas and a prosperous new year!

Legal news, , , , , , , , , , , , , ,

Winter recess is about to start. While we’ll all be resting, GDPR will not!

While we will all be recharging our batteries to tackle the challenges for the upcoming 2025, GDPR will not go on vacation, and will thus never be out-of-office!

Check out the following tips that the Italian Data Protection Authority has recently issued in order to avoid threats to your privacy rights during the upcoming vacations:

  • Are you receiving plenty of virtual greetings and commercial offers? Be careful about them, even if apparently sent by a friend or parent: they may contain viruses, obscure links or may hide tentative of phishing. Not all presents may be welcome.
  • Have you taken good family pictures that you wish to share on your social network? Don’t forget to ask consent of all depicted individuals. Is your grandpa going to provide his consent as well?
  • Have you filmed your children’s Christmas pageant? Keep it for yourself! You’d need consent from all depicted individuals for publishing (including from their parents in case of minors).
  • Are you wishing to download any specific Christmas-related app on your smartphone? Choose them carefully, check their issuer and the reviews. You may inadvertently be downloading the Grinch’s one!
  • Are you going away for a trip? Don’t share too much information and pictures on your social media about your time off, your house and your vehicles, as it may attract thieves. Only Santa Claus shall be allowed to break in without your consent!
  • Are you connecting with your hotel’s or restaurant’s Wi-Fi? Ask the staff about its security: they may not be protected enough.
  • Have you bought any “smart” presents for your little nephews? Check whether they may collect any personal data from their users. In the affirmative, make sure that they will not harm them in any way possible.

Our own additional tips: rest, enjoy good food, spend time with your loved ones, and get ready for 2025! We wish you happy holidays and a healthy and successful new year.

Gitti and Partners Life Sciences Team

Can Corporate E-mail Accounts Be Used in Case of Litigation?

Legal news, ,

With an order of July 17, 2024, the Italian Data Protection Authority (“DPA”) has fined Selectra
S.p.A. Euro 80,000 for unlawful processing of personal data. The case originates from an
agent’s claim that Selectra (i) had maintained his email account active after the termination of
his collaboration with the company; (ii) had used a specific software (MailStore) to back up the
contents of his email account for three years; (iii) had used his data in a judicial proceeding, in
which he was accused, along with other individuals, of business secrets misappropriation and
further unlawful conduct.


The DPA reaffirmed various key principles, applicable to employees and self-employed
personnel:


– The DPA has offered some important guidelines concerning the balance between the right
to defense and the right to privacy. According to the DPA, it is admittable to access
personal data to protect one’s right in court, only if the process is already
pending before the court or there are realistic possibilities to start the claim.


Corporate email accounts cannot be used as archives. It is a company’s duty to
introduce suitable document management systems capable of archiving documents and
employees/collaborators’ email accounts cannot be used for such purposes.


Personnel must be provided with an information notice which clarifies what is
processed, on which basis and how. Selectra, instead, had backed up corporate email
accounts, with the possibility of retaining their contents for 3 years after termination of the
employment/collaboration contract, without offering any kind of information to its
employees and collaborators.


The DPA concludes that the right to privacy cannot be sacrificed in pursuit of abstract and
indeterminate protection purposes. Incidentally, the DPA emphasized again that it is
forbidden to use tools that carry out monitoring of employees’ activity in breach of
Article 4, L. 300/1970 (Italian Statute of Workers’ Rights), which admits the use of systems
for remote employee monitoring only for production, organizational, labour and safety needs
and after an agreement with trade unions. (Instead, Selectra, using the software MailStore,
was able to trace meticulously, and even after a long time, the activities carried out by
employees in breach of the Italian Statute of Workers’ Rights).

The European Commission Recently Fined Teva: but Why?

Legal news, , , , , ,

With an order issued on October 31, 2024, the European Commission fined Teva Pharmaceutical Industries (“Teva”) EUR 462.6 million for abusing of dominant position in relation to its drug Copaxone.

This European Commission decision is meant to further set on fire the already lively debate on the limits of patent law and antitrust rules in Europe.

1. Allegations: Abuse of Dominant Position and Patent Strategy

The order fined Teva for abuse of a dominant position. Specifically, two conducts were alleged, namely:

  1. The first relates to the delaying of the market entry of competing generics of Copaxone – a drug containing the active ingredient glatiramer acetate produced by Teva and indicated for the treatment of multiple sclerosis – through the filing of several divisional patents and their subsequent waiver. This approach, referred to by the European Commission as ‘divisional games’, had, in the European Commission’s view, the effect of:
  2. artificially extending the term of patent protection
  3. restricting competition even beyond the natural expiry of the original patent.
  • The second claim against Teva concerned the dissemination of false information in breach of competition rules aimed at dissuading consumers and healthcare professionals from adopting such cheaper versions of the drug by:
  • denigrating generic Copaxone products
  • casting doubts on their safety and efficacy.

2. Legal Analysis of Breaches: Article 102 of the Treaty on the Functioning of the European Union(“TFEU”)

The Commission’s allegations are mainly based on Article 102 TFEU, which prohibits the abuse of a dominant position within the internal market. A dominant company must avoid practices that (i) restrict, (ii) distort or (iii) prevent competition.

The practice of filing “divisional patents”, carried out by Teva, has been considered as an “exclusionary abuse”, as it prevents the entry of new players in the market through manipulation of the patent system.

This approach, although in line with patent law and the procedures of the major patent offices, including the European Patent Office, has been criticized from the competition point of view. In principle, the divisional patent system should protect distinct innovations and not allow the fragmentation of protection for a single invention to artificially obstruct competition.

In addition, the use of a disinformation campaign constitutes an abusive conduct, as it aims at diminishing the quality of competitors’ products without objective reasons, thus damaging the market and final consumers.

3. The Role of Divisional Patents and the ‘Manipulation’ of the Patent System

divisional patent is an option under European law that allows patent owners to derive “child” patents from a main patent, thereby protecting more specific aspects of an invention. 

This system derives from one of the fundamental principles of patent law, i.e. that a patent can protect one, and only one, invention. Consequently, during the examination of patent applications, it is sometimes necessary to proceed with the filing of divisional applications when the examiner finds that more than one invention was covered by the original application. 

However, in Teva’s case, the excessive use of this practice was found to be abusive, as it was found to be aimed solely at extending the duration of monopoly protection for Copaxone. This practice, in addition to raising ethical and legal questions, led to the consideration of the need to change the patent system to avoid abuses. In particular, it has been suggested that European regulations on divisional patents may be updated to prevent anti-competitive practices, for instance by introducing stricter criteria for divisional patent granting.

4. Implications of the Teva Case for Competition Law and the Pharmaceutical Sector

The fine imposed on Teva represents a turning point for competition law applied to the pharmaceutical sector, as it further and rather explicitly underlines the need for a balance between patent protection and access to medicines

The European Commission, with this measure, wanted to give a strong signal against the strategic use of patents to obstruct access to generic medicines, which represent an affordable and accessible solution for patients, and which may also have a very important impact on Member States’ budgets concerning their healthcare spending.

In a scenario of increasing attention to anti-competitive practices in the health sector, the Commission’s intervention could lead other national and supranational authorities to monitor more strictly pharmaceutical companies’ behaviour in similar situations. Moreover, it may be possible that this case will put pressure on a reform of patent rules in Europe, aimed at limiting opportunities for abuse by dominant companies.

NIS 2 ENTERS INTO FORCE IN ITALY: LEARN WHAT YOU NEED TO DO

Legal news

After a long wait, EU directive 2022/2555 (“NIS 2 Directive”), which aims at achieving a common level of cybersecurity across member states, has been finally implemented in Italy, with legislative decree 138/2024 (“Legislative decree”).

The Legislative decree will apply starting from today, October 18, 2024.

Who are the actors involved?

The new regulation applies to economic operators that:

      • exceed the thresholds provided for small enterprises (i.e., more than 50 employees and annual turnover/balance sheet of more than Euro 10 million);
      • are subject to Italian jurisdiction.

      It is important to note that certain operators identified as critical subjects (according to the decree 134/2024, implementing EU directive 2022/2557 on critical subjects) are subject to the Legislative decree, even if they do not exceed the dimensional limits mentioned above. Among them, there are several operators in the healthcare field, such as:

      • Healthcare providers;
      • Subjects carrying out research and development on medicines;
      • Manufacturers of basic pharmaceutical products and pharmaceutical preparations;
      • Manufactures of medical devices considered critical in case of a public health emergency;
      • Wholesale distributors of medicinal products.

      What are the deadlines at this early stage?

      • All operators active in Italy must carry out an assessment to understand whether they fall within the scope of the Legislative decree;
        • From 1 January to 28 February of each year (starting from 2025) the economic operators subject to the Legislative decree must register or update their registration on the digital platform managed by the National Cybersecurity Agency (“NCA”) providing a set of information such as the company mission, address, and contact information, etc;
        • Within 31 March of each year (starting from 2025), NCA will draft a list identifying the so-called “essential and important subjects” following the criteria of Article 6 of the Legislative decree;
        • From 15 April to 31 May of each year (starting from 2025) the subjects identified as essential or important should provide further information, such as the IP address, domain names, EU’s States where the service is carried out, name of the legal representative, etc.

        What will happen after this first phase?

        After this first phase, a new set of obligations will progressively come into force, such as:

        • The obligation of essential and important subjects to implement technical measures to ensure the security of information and network systems used by operators (within 18 months from the communication of being considered as an essential or important subject);
          • The duty for essential and important subjects to notify the Computer Security Incident Response Team – Italy (“CSIRT Italy”) of each accident that can impact service delivery (within 9 months from the communication of being considered as an essential or important subject).

          How to proceed in these first months?

          It is key for all economic operators operating in Italy, before February 28, 2025, to carry out an assessment and understand if they fall under the perimeter of the application of the Legislative decree and, if so, act accordingly.

          Substances of Human Origin (or SoHO): the New EU Regulation

          Legal news, , , ,

          PURPOSE OF THE NEW REGULATION. On June 13, 2024, the European Parliament and the Council adopted a new regulation on the substances of human origin (so-called SoHO), repealing Directives 2002/98/EC and 2004/23/EC. The new regulation:

          • was necessary because previous directives only partially managed to harmonize member states’ legislation on cells, tissues and blood; also, a new definition of SoHO was needed;
          • introduces mechanisms to grant continuity and resilience of SoHO supplies and to facilitate EU cross border exchanges and access to SoHO;
          • enhances safety of donors and recipients (included the offspring born from medical assisted procreation).

          WHAT IS A ‘SOHO’? A SoHO is now defined as “any substance collected from the human body, whether or not it contains cells and whether or not those cells are alive, including SoHO preparations resulting from the processing of the above-mentioned substance”. The definition has been expanded to include breast milk and gut microbiota, as well as blood preparations different from those used for transfusions. Any future SoHO will be automatically included in the regulation. The regulation also defines SoHO preparation as a SoHO subjected to processing, with a specific clinical indication, intended for human application on a recipient or for distribution.

          WHO DEALS WITH SOHO? The regulation also defines which will be the main actors in the organizational chain from SoHO donation to application. Specifically:

          • A SoHO entity is a legal entity established in the EU that carries out SoHO-related activities (e.g. collection, processing, control, storage, release, distribution, import, export, application on human beings,  clinical studies and outcomes recording on SoHO preparations)
          • A SoHO establishment is a SoHo entity that carries out one of the following SoHO-related activities: A) both processing and storage; B) release; C) import; D) export;
          • Competent authorities for SoHO are appointed by each member state and 1) maintain SoHO entities’ registry, 2) deal with authorization process for SoHO establishments and SoHO preparations 3) carry out inspections and evaluate plans for monitoring clinical outcomes.

          WHEN?  The regulation will be enforceable by mid-2027.

          TAKEAWAYS. Apparently, it is science-friendly as the definition of SoHO will be broader and more flexible than before. Also, in view of its structure, there is hope that it will succeed in ensuring more uniformity and granting an enhanced minimum level of safety across EU.

          AIFA Guidelines Regarding Observational Studies on Medicines: What’s New?

          Legal news, ,

          The Italian Medicines Authority (“AIFA”) has recently issued new guidelines for the classification and conduct of observational studies on medicines (“Guidelines”) repealing the previous version of 2008. Through such new Guidelines AIFA has given full implementation to what was provided for in Article 6, par. 3 of the Ministry of Health November 30, 2021 decree, which had mandated that AIFA issues new guidelines for the classification and conduct of observational studies on medicine.

          The new Guidelines have extended the perimeter of observational studies and now include:

          • Retrospective studies related to unauthorized uses;
          • Pharmacogenetics and pharmacogenomics studies;
          • Databases and other data on drug therapies collected through online platforms, wearables, or other devices when the following conditions are met:
            1. They pursue the aim of keeping track of the medicines used by patients;
            2. They follow a specific protocol;
            3. They are carried out in accordance with Guidelines’ indications.

          Other new elements introduced by the Guidelines are:

          • The duty for ethics committees, in case of non-profit observational studies, to verify the independence from commercial promoters;
          • The duty to insert a specific section on informed consent in the protocol;
          • The duty to publish the results of the research (even if they are negative) within 12 months from the end of the study;
          • The duty to retain documents on observational studies for 7 years;
          • The possibility for the territorial ethics committee to apply a fee on profit observational studies;
          • The inclusion of universities among facilities where observational studies can be carried out;
          • The inclusion of new documents that the promoters must submit to ethics committee, such as a cover letter with the precise identification of the competent ethics committee, a summary of the protocol, and investigators/coordinators’ curricula
          • The duty of the legal representative of the research centre to execute an administrative agreement prior to the start of the study.

          The Guidelines confirm that there is no mandatory AIFA assessment on observational studies, even though the ethics committee may decide to consult AIFA if necessary. The Guidelines also confirm the duty to transmit the information on the studies to the “Registry of observational studies” run by AIFA.

          The definition of observational studies has not changed, i.e., studies that meet the following conditions:

          • Medicines are prescribed and delivered according to the conditions of use authorized for marketing in Italy;
          • Medicines are prescribed in the normal clinical practice;
          • The decision to prescribe the medicine to the patient must precede and be independent with the decision to include the patient in the study;
          • Diagnostic and evaluative procedures correspond to the current clinical practice without leading to negative consequences for the patient or the National Healthcare System.

          Your Face at the Airport: the EDPB Weighs in on Face Boarding

          Legal news, , , , , ,

          As you wander around an airport waiting to travel for the summer, you may notice that your image is captured by various devices. This process, known as facial recognition or “face boarding”, has recently been the subject matter of an opinion by the EDPB https://www.edpb.europa.eu/edpb_it, which issued an opinion (no. 11/2024, https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-112024-use-facial-recognition-streamline_en, pursuant to article 64 of the GDPR) – on the processing of data obtained in airports using facial recognition to streamline airport passenger’s flow.

          The EDPB assessed the compatibility of such data processing with:

          • article 5(1)(e) and (f) of the GDPR on storage limitation and integrity and confidentiality;
          • article 25 of the GDPR on privacy by default and privacy by design;
          • article 32 of the GDPR on security of processing.

          The opinion takes into account four different scenarios:

          • Scenario 1: Storage of an enrolled biometric template – which is a set of biometric features stored in a database for future authentication purposes – only in the hands of the passenger.

          Enrolment consists in recording – by each passenger who has consented to such processing – the biometric template and ID necessary for the processing, on the passenger’s device. Neither the passengers’ ID, nor their biometric data are retained by the airport operator after the enrolment process.

          The passenger is authenticated when going through specific checkpoints at the airport (equipped with QR scanners and cameras), through the use of a QR code produced by the passenger’s device, where the biometric template is stored.

          The EDPB opinion concludes that such processing could be considered in principle compatible with article 5(1)(f), 25 and 32 of the GDPR (nonetheless, appropriate safeguards must be implemented, including an impact assessment).

          • Scenario 2: centralized storage of an enrolled biometric template in an encrypted form, stored in a database within the airport premises and with a key solely in the passenger’s hands.

          The enrolment is controlled by the airport operator and consists in generating ID and biometric data that is encrypted with a key/ secret. The database is stored within the airport premises, under the control of the airport operator. Individual-specific encryption keys/ secrets are stored only on the individual’s device

          Passengers are authenticated when going through specific checkpoints, equipped with a control pod, a QR scanner and a camera. The passenger’s data are sent to the database to request the encrypted template, which is then checked locally on the pod and/or user’s device.

          The opinion concludes that such processing could be considered in principle compatible with article 5(1)(e)(f), 25 and 32 of the GDPR subject to appropriate safeguards. In fact, the intrusiveness from such processing through a centralized system can be counterbalanced by the involvement of the passengers, who hold control of the key to their encrypted data.

          • Scenario 3: centralized storage of an enrolled biometric template in a database within the airport, under the control of the airport operator and Scenario 4: centralized storage of an enrolled biometric template in a cloud, under the control of the airline company or its cloud service provider.

          The enrolment is done either in a remote mode or at airport terminals.

          At the airport passengers go through dedicated control pods equipped with a camera. Biometric data is sent to the centralized database or to the cloud server – where the matching of the data is processed. The biometric matching is only performed when the passengers present themselves at pre-defined control points at the airport, but the data processing itself is done in the cloud or in centralized databases.

          The EDPB considers that the use of biometric data for identification purposes in large central databases, as in Scenarios 3 and 4, interfere with the fundamental rights of data subjects and could possibly entail serious consequences. As such, Scenarios 3 and 4 are not compatible with article 25 of the GDPR because they imply the search of passengers within a central database, by processing each biometric sample captured. Also, taking into account the state of the art, the measures envisaged in such Scenarios would not ensure an appropriate level of security under article 5(1)(f) of the GDPR.

          In conclusion, the EDPB regards with suspicion the processing (through matching-and-authenticating process) of biometric templates of the passengers when it happens in centralized storage tools (databases or clouds). The EDPB regards that this increases risks for the security of data, requires the processing of much more data and does not leave passengers in control of the data.

          New Guidelines on Web Scraping

          Legal news, , ,

          Pursuant to Article 57(1)(b) of the GDPR, on May 20, 2024 the Italian Data Protection Authority (“Italian DPA”) adopted guidelines [LINK] on web scraping, with the aim of providing guidance to operators of websites and online platforms, acting in Italy as data controllers of personal data made available online to the public.

          Web scraping is defined by the Italian DPA as the massive collection of personal data from the web for the purpose of training generative artificial intelligence models. Specifically, whenever such phenomenon involves the collection of traceable information – linked to an identified or identifiable natural person – a data protection issue arises with reference to the identification of an appropriate legal basis for the processing of such data.

          According to the guidelines, the assessment of the lawfulness of web scraping must be carried out on a case-by-case basis. Personal data are made available on the web as a result of a primary level processing by operators of online platforms as data controllers. Only then, third parties – often web robots or “bots” – may gather such data for different purposes while scraping the web. This is the reason why the Italian DPA addresses its guidelines to operators of online platforms: they are, in fact, the only ones able i) to more easily evaluate how data are used after being scraped from their platforms and ii) to implement measures on their platforms that may prevent or mitigate web scraping activity for purposes of training algorithms.

          Possible precautions or enforcement actions identified by the Italian DPA are the following:

          • Creation of restricted areas, which can only be accessed after registration. In this way, certain personal data would be removed from public availability;
          • Inclusion of ad hoc clauses in the terms of service of the online platform expressly prohibiting the use of web scraping techniques;
          • Monitoring network traffic to detect any abnormal flow of data and adopting limits as countermeasures;
          • Direct intervention on bots (e.g. insertion on websites of CAPTCHA checks or monitoring log files to block undesirable users).  

          Such measures should be adopted by the data controller after an independent assessment – in compliance with the accountability principle, which increasingly appears to govern new data protection legislation and strategies. At any rate, the Italian DPA acknowledges that, albeit useful, none of these measures can be expected to entirely prevent web scraping from happening.  

          Processing Health Data: the Most Recent Amendment to Italian Privacy Code

          Legal news, , , , , , ,

          The Italian “Privacy Code” (Legislative Decree No. 196/2003), which governs data protection in Italy together with the European GDPR, has recently been amended.

          Law No. 56/2024, further implementing the National Recovery and Resilience Plan, intervened on section 110 of the Privacy Code, which deals with the processing of health-related data for the purposes of medical, biomedical or epidemiological scientific research.

          Section 110 provides that consent of the data subject for the processing of health-related data for the purpose of medical, biomedical or epidemiological scientific research is not required when:

          • the research is carried out on the basis of legal provisions or European Union law, when processing is necessary for scientific research or statistical purposes, provided that an impact assessment is carried out pursuant to sections 35 and 36 of the GDPR; or
          • informing the data subject is impossible or involves a disproportionate effort, or would render impossible or seriously jeopardise the attainment of the purposes of the research.

          In such cases – before the latest amendment – the data controller had to:

          1) take appropriate measures to protect the rights, freedoms and interests of the data subject;

          2) obtain a favorable opinion of the competent ethics committee; and

          3) consult the Italian Data Protection Authority prior to processing.

          The obligation to consult the Italian Data Protection Authority has now been repealed. Thus, there is no need to apply for the Authority’s clearance prior to processing health-related data (in those cases where consent of the data subject is not required under section 110 of the Privacy Code). 

          This amendment may have a significant impact especially on retrospective studies for which informing data subjects is particularly burdensome. The data controller will, in fact, be able to proceed without the Authority’s permission. Nonetheless, the data controller will still have to comply with specific guarantees and ethical rules issued by the Authority – as specified by the amended section 110.

          On the one hand, the amended section 110 seems to favor accountability and to soften the procedural requirements in processing health data for research purposes, making the overall procedure quicker. When it comes to “secondary use” of health data, the accountability approach should be considered strong enough to protect data and favorably welcomed, as it moves in the same direction of the European Health Data Space – which intends to provide a reliable and efficient system for the re-use of health data in areas as research and innovation.

          On the other hand, though, the Italian Data Protection Authority has already issued some interim guarantees, specifying that data controllers – when processing health data related to deceased or non-contact subjects – must carry out and publish an impact assessment, pursuant to section 35 of the GDPR, notifying it to the Authority. It remains to be seen how the amendment will be handled by the Authority in practice: the effects of the simplification provided by the new version of section 110 may be diminished if the guarantees set forth by the Authority generate equally articulate procedures.