Tag Archives: law

Implementation of the “231” Compliance Model in the Pharma Industry: New Guidelines issued by the Italian Association of Pharmaceutical Companies

Legal news, , , , , , , , , , , , , , , ,

On September 5, 2023, the Italian Association of Pharmaceutical Companies (“Farmindustria” – https://www.farmindustria.it/) has issued guidelines to design an organizational model pursuant to the Legislative Decree 231/2001 in the pharmaceutical sector (“Guidelines”).

In particular, the Guidelines, by taking into account the main peculiarities of the pharma industry, seek to identify the typical activities that are most at risk for the commission of criminal offences, and provide detailed guidance about the main policies and preventive actions that should be carried out by companies in order to prevent their commission.

As expected, the highest risks concern relationships with public officials, which may lead to crimes such as corruption or fraud against the State, with significant advantages for pharma companies.

The Guidelines seek to drive the attention of companies involved in the pharma sector on the risks that are latent in the following areas:

  • Relationships with healthcare professionals (“HCP”) and healthcare organizations (“HCO”): compliance programs should regulate activities of the key account managers and their bonuses, sponsorship of congresses, grants and donations to HCOs, gifts to HCPs, as well as other sponsorship or advertisement activities;
  • Relationships with Public Authorities: many interactions with public officials may entail corruptions risks, such as, e.g., obtainment of Market Authorizations, price reimbursement negotiations with the Italian drug regulatory agency (AIFA – https://www.aifa.gov.it/), management of site visits and inspections, participation and execution of public tenders for the supply of drugs to HCOs;
  • Relationships with private entities: relationships with suppliers providing services in the context of clinical studies, pharmacies, patient advocacy organizations, patients and “expert patients”, or management of patient support programs also need to be regulated.

The Guidelines also offer a complete set of policies and other preventive remedies that may be sufficient to prevent the envisaged criminal risks.

The Guidelines are a useful tool for pharma companies and no similar initiatives have been taken by other associations with regard to different industries and sectors. The Guidelines also constitute a benchmark for best practices that will be difficult to ignore.

Do you need help in designing or updating your company’s “231” compliance model? Do not hesitate to reach out!

Italy – At Last – Implemented the Registry of UBOs (Ultimate Beneficial Owners)

Legal news, , , , , , , , , , , ,

All legal entities established in Italy are affected by the new regulation, which provides for a December 11, 2023 deadline.

The register of ultimate beneficial owners has been established and has become
operational also in Italy, after several extensions and delays. In fact, on October 9,
2023, the decree certifying the operation of the system for the communication of
data and information on beneficial ownership was published in the Official Gazette.

This last decree, which completes the implementation of anti-money laundering
legislation, triggers the obligation for all companies, private legal entities
(associations, foundations and other institutions of a private nature with legal
personality) and trusts to communicate data and information relating to their
beneficial ownership.

The communication on beneficial ownership must be made to the Companies’
Registry at the territorially competent Chamber of Commerce by and no later than
December 11, 2023, using exclusively electronic methods. With regard to
companies, the communication must be digitally signed by a director, without the
possibility to delegate such task. Therefore, directors who do not yet have a digital
signature device will need to obtain one.

Subsequently, legal entities shall notify any change in their beneficial ownership
within 30 days of the occurrence of the change. In addition, on an annual basis (and
in any case within 12 months from the first communication), the beneficial
ownership shall be confirmed: for companies this may take place on the occasion
of the annual filing of the financial statements.

For more information on the new requirements, check out our Client Alert here or reach out to us directly.

GDPR Cross-Border Complaints: a New Regulation Proposal Attempts to Harmonize the Procedural Rules Among the Member States

Legal news, , , , , , , , , , ,

On July 4, 2023, the European Commission has issued a proposal for a new EU regulation laying down additional procedural rules aimed at ensuring a better and uniform enforcement of the GDPR among the Member States, especially with regard to the handling of cross-border complaints (“Proposal”).

The Proposal has been inspired by the findings of the reports issued by the European Commission and the European Data Protection Board concerning the status of the application of the GDPR among the Member States. Such reports stressed the need to make the handling of cross-border complaints more efficient and levelled across the EU, since the proceedings followed by local data protection authorities (“LDPA”) have been found to be differently designed and may thus lead to different application of the GDPR provisions.

The main features of the Proposal may be summarized as follows:

  • Submission and handling of cross-border complaints: The Proposal aims at removing the existing differences among the procedural rules applied by different LDPAs, namely with regard to how complaints on cross-boarder issues should be filed and which contents they should have. In such respect, a template for the filing of cross-border complaints – including a standard pre-determined set of information to be provided – has been drafted. The Proposal further specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles and rights of the lead LDPA and of any other concerned LDPAs. A system of amicable settlement of complaints is also encouraged.
  • Procedural rights of parties under investigation: The Proposal further aims at harmonizing and strengthening the rights of defence in the course of cross-border investigations and proceedings. Specifically, the Proposal recognizes an extended right of the parties to be heard at key stages of the proceedings and imposes the creation of an administrative file and the parties’ rights of access to it.
  • Tools for cooperation between LDPAs: New tools have been designed to ease the building of consensus between the involved LDPAs on the main features of cross-border proceedings since their preliminary phase, in order to limit the recourse to the (time consuming) dispute resolution mechanism provided by section 65 GDPR only in few exceptional cases. LDPAs that are called to handle a cross-border complaint are required to provide other involved LDPAs with a summary of key issues”, wherethe main findings of facts and legal grounds underlying each complaint are set out. Concerned LDPAs will be able to provide their views on such summary and to raise “relevant and reasoned objections”, in which case a specific fast-track procedure is designed in order to ensure that disagreements among LDPAs are settled at the beginning of the process.
  • Acceleration of cross-border proceedings: Lastly, the Proposal, by imposing strict deadlines, aims to prevent undue delays within the proceedings.

At the moment it is still unclear whether the Proposal will be officially adopted and become a binding regulation. Certainly, it has been welcomed by the European Data Protection Board and by the European Data Protection Supervisor and may be a good opportunity to level the difference among Member States and make the proceedings more efficient.

GARANTE VS. CHATGPT: LATEST DEVELOPMENTS

Legal news, , , , , ,

1. An Order to Stop ChatGPT

On March 30, 2023 the Italian Data Protection Authority (“Garante”) issued an order by which it temporarily banned the ChatGPT platform (“ChatGPT”) operated by OpenAI LLC (“OpenAI”). The Garante in fact regards ChatGPT as infringing Articles 5, 6, 8, 13 and 25 of the GDPR. In particular:

  • No Information.  OpenAI does not provide any information to users, whose data is collected by OpenAI and processed via ChatGPT;
  • No Legal Basis.  There is no appropriate legal basis in relation to the collection of personal data and their processing for the purpose of training the algorithms underlying the operation of ChatGPT;
  • No Check of User’s Age.  OpenAI does not foresee any verification of users’ age in relation to the ChatGPT service, nor any filters prohibiting the use for users aged under 13.

Given that, the Garante has immediately banned the use of ChatGPT, and OpenAI has blocked the access to ChatGPT to the Italian people.

2. Measures Offered by OpenAI

On April 11, 2023, in light of the willingness expressed by OpenAI to put in place measures to protect the rights and the freedom of the users of ChatGPT, the Garante issued a new order, which opened the possibly to re-assess ChatGPT if OpenAI adopts the following measures:

  1. to draft and publish an information notice to data subjects, which should be linked so that it can be read before the registration;
  2. to make available, at least to data subjects who are connected from Italy, a tool to exercise their right to (i) object, (ii) obtain a rectification, insofar as such data have been obtained from third parties, or (iii) the erasure of their personal data;
  3. to change the legal basis of the processing of users’ personal data for the purpose of algorithmic training, by removing any reference to contract and instead relying on consent or legitimate interest;
  4. to include a request to all users connecting from Italy to go through an “age gate” and to submit a plan for the deployment of age verification tools; and
  5. to promote a non-marketing-oriented information campaign by May 15, 2023 on all the main Italian mass media, the content of which shall be agreed upon with the Italian Authority.

OpenAI has until April 30, 2023 to comply (until May 31, 2023 to prepare a plan for age verification tools). The objections by the Garante have been echoed by other European Union data protection authorities. The European Data Protection Board will be attempting to solve the dispute within two months and launched a dedicated task force on ChatGPT “to exchange information on possible enforcement actions conducted by data protection authorities”

New Whistleblowing Legislation Adopted in Italy

Legal news, , , ,

Italy has implemented today the EU whistleblowing directive (UE) 2019/1937. The new legislative decree no. 24/2003 has in fact been published on the official journal and is scheduled to enter into force on March 30, 2023.

The final published version of the decree, which had been previously leaked in an unofficial draft, can be found here: https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg.

The new legislation is certain to affect private companies and public entities alike when it comes to managing whistleblowing reports and new measures may need to be adopted to comply with the new requirements.

For additional information on this subject, materials from our February webinar can be freely accessed here: https://lawhealthtech.com/2023/02/09/our-whistleblowing-webinar/.

Italian Transparency Act: the Opinion of the Italian Data Protection Authority

Legal news, , , , , , , , , ,

The Italian Data Protection Authority has issued its opinion on the data protection implications relating to the new information duties set forth on employers by legislative decree 104/2022.

On August 13, 2022, legislative decree 104/2022 (“Transparency Act”) has entered into force. It provides for a new set of mandatory information that the employer must communicate to its employees at the time of their onboarding. On January 24, 2023, the Italian Data Protection Authority (“Garante”) issued its opinion about compliance of such new information duties with the provisions of the relevant data protection legislation.

In particular, the focus of the Garante was centered on the mandatory communication that, according to section 4, paragraph 8 of the Transparency Act, the employer must give to the employees if any “decision or monitoring automated system is used for the sake of providing information which is relevant for the hiring, management or termination of the employment relationship, for the assignment of tasks and duties, or for the surveillance, evaluation and fulfillment of contractual duties by the employee”. The Garante has stated that:

  • GDPR Sanctions Apply in case of Breach.  The implementation of any decision or monitoring automated system must be made in compliance and within the limits set forth by the applicable labor law provisions, and in particular law 300/1970. Such labor law provisions, which allow the implementation of automated systems only if certain conditions occur, must be deemed as providing “more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context” (as per section 88, paragraph 2, of the GDPR), and thus non-compliance with them may lead to administrative fines pursuant to section 83 of the GDPR.
  • Data Processing Impact Analysis (“DPIA”).  The employer, who is subject to the duty of accountability, must assess beforehand if the relevant processing is likely to result “in a high risk to the rights and freedoms of natural persons responsibility”, and thus requires a preliminary data processing impact analysis under section 35 of the GDPR. In such regard, the Garante has clarified that data subjects (i.e., employees) should be deemed as “vulnerable”, and that the processing of their data with automated systems is very likely to meet the conditions that make the DPIA mandatory according to the guidelines on the DPIA issued by the WP 29 on April 4, 2017.
  • Compliance with the “privacy by default” and “privacy by design” principles.  Employers must implement appropriate technical and organizational measures and integrate the necessary safeguards into the processing so that to protect the rights of data subjects (privacy by design). Moreover, the controller shall ensure that, by default, only personal data which are necessary for the specific purpose of the processing are processed (privacy by default), and should then refrain from collecting personal data that are not strictly related to the specific purpose of the relevant processing.
  • Update of the register of processing activities (“ROPA”).  The employer must indicate the processing of data through automated systems within his/her ROPA.

Need any further assistance on the matter? Don’ hesitate to reach us out!

Facial Recognition Technology: Are We Close to a Turning Point?

Legal news, , , , ,

When people think about facial recognition technology (“FRT”), they immediately imagine the use of their faces to unlock their smartphones. But this technology is far more complicated, useful and potentially dangerous.

First, it is important to understand the difference among “facial detection”, “facial characterization”, “facial identification” and “facial verification”. Such terms have been defined by the non-profit organization Future of Privacy Forum (https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf) as follows:

  • Facial detection simply distinguishes the presence of a human face and/or facial characteristics without creating or deriving a facial template.
  • In facial characterization the system uses an automated or semi-automated process to discern a data subject’s general demographic information or emotional state, without creating a unique identifier tracked over time.
  • Facial Identification is also known as “one-to-many” matching because it searches a database for a reference matching a submitted facial template and returns a corresponding identity.
  • The last one, facial verification, is called “one-to-one” verification because it confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image.

There are many possible uses of facial recognition. In the private sector FRT may be used to keep track of employees’ time and attendance, identify shoppers’ patterns inside stores, implement smart homes, etc. In the public sector, FRT may be used to monitor protests, identify suspects in security footage, check claimed identities at borders, etc.

This relatively new technology brings, besides a wide range of possible implementations, significant concerns regarding privacy, accuracy, race and gender disparities, data storage and security, misuse. For instance, depending on the quality of images compared, people may be falsely identified. In addition to that, in its current state, FRT is less accurate when identifying women compared to men, young people compared to older people, people of color compared to white people. Privacy is certainly another concern: without strong policies it is unclear how long these images might be stored, who might gain access to them or what they can be used for; not to mention that this technology makes far easier for government entities to surveil citizens and potentially intrude into their lives (see “Early Thought & Recommendations Regarding Face Recognition Technology”, First report of the AXON AI and policing technology Ethics Board https://www.policingproject.org/axon-fr).

Once the possible implementations and the related risks are understood, the worldwide lack of regulation becomes even more surprising.

Within the European Union, the General Data Protection Regulation obviously applies to FRT. Furthermore, “Guidelines on Facial Recognition” have been released on January 28, 2021 by the Consultative Committee of the Council of Europe with regard to automatic processing of personal data (https://rm.coe.int/guidelines-on-facial-recognition/1680a134f3). This latter document includes:

  • Guidelines for legislators and decision-makers;
  • Guidelines for developers, manufacturers and service providers;
  • Guidelines for entities using FRT;
  • Rights of data subject.

When it comes to Italy, particular attention has been drawn by several decisions of the Italian Data Protection Authority on the topic. Recognizing the innovative potential of FRT as well as its riskiness for individual rights, the Authority adopted a more permissive approach regarding the private sector’s use of FRT, while issuing stricter decisions with regard to the use of FRT by public authorities. For instance, the Authority allowed the use of FRT by police forces for purposes of identifying individuals among archived images, but prohibited real-time surveillance using the same technology (see https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9040256 and https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9575877). On the other hand, the Authority allowed one airport to implement FRT for purposes of improving efficiency in the management of the flow of passengers, so long as images of individuals were not stored (see https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/8789277).

The European Commission, in light of the complexity of the situation and the necessity of a strong and harmonised legislative action, presented on April 21, 2021 its “Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence” (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206). This Proposal was already the subject, on June 18, 2021, of a EDPB and EDPSs’ joint-opinion (https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-52021-proposal_en), in which they called for a general ban on the use of FRT for:

  • Automated recognition of human features in publicly accessible spaces;
  • Categorization of individuals into clusters according to ethnicity, gender, etc., based on biometric features;
  • Inference of individuals’ emotions.

What the European Commission is doing is an example of a more globally widespread legislators’ attitude towards artificial intelligence in general and FRT in particular. These technologies are more and more in our lives and are constantly evolving. Consequently, there is an increasing request, both from public and private subjects, for clear rules to govern this new technology and ensure that individual rights are safeguarded. Hopefully in the next months/years the situation will become clearer.

Flavio Monfrini / Michele Galluccio

Repeal of Patent Linkage in Italy is on the Horizon

Legal news, , , , , , ,

The patent linkage is the practice of linking the marketing authorisation of medicinal products, their pricing or reimbursement, or any other generic drug approval, to the patent status of the original reference product.

On 4 November 2021 the Italian Council of Ministers approved the draft law for the market and competition for the year 2021 (the “Draft Law”), by means of which by the end of this year the Italian Government intends to modify, update and renovate the regulatory framework of several critical sectors of the economic life of the country, amongst which energy, transportation, entrepreneurship and healthcare.

With the aim of removing barriers to market entry for generic medicines, the Draft Law inter alia provides for the abolition of the patent linkage, finally bringing Italy, on this point, in line with the EU law and the other European countries.

Indeed, the Draft Law repeals article 11, paragraph 1, of Law no. 189/2012 (the “Balduzzi Decree”), pursuant to which generic drugs cannot be included in the list of the medicines reimbursed by the Italian National Health Service before the expiry date of the patent or of the supplementary protection certificate of the corresponding originator’s product.

Because it establishes a patent linkage, said provision of the Balduzzi Decree is generally held in breach of the EU law, according to which regulatory bodies, when granting a marketing authorisation for a medicine, setting its price, and determining its class of reimbursement, cannot consider the patent coverage, but only the quality, safety, and efficacy of medicines.

In the last decade the Italian association of generic drug manufacturers (Assogenerici), several patient advocacy groups and even the Italian Competition Authority had tried to push the Italian Government to repeal article 11, paragraph 1, of the Balduzzi Decree, but without success. Now, probably also under the EU Commission’s pressures to comply with the requirements it set in the framework of the aids given to Italy to face the economic and social consequences of the Covid-19 pandemic, the Italian Government decided to finally remove the patent linkage.

The purpose of the measure provided by the Draft Law is to allow manufacturers of generic medicines to carry out all the negotiation procedures for price and reimbursement to be ready to enter the market as soon as the patent expires, and so to increase the competition in the healthcare sector.

The Draft Law will be soon submitted to the Italian Parliament, where it will be discussed and where it might be subject to several and significant amendments. We will see whether the abolition of the patent linkage will be eventually approved and will therefore become law.

Web Cookies’ Processing: New Guidelines by the Italian DPA

Legal news, , , , , , , , , , , , , ,

On June 10, 2021 the Italian DPA has officially issued new guidelines for the processing of cookies and other online tracking instruments. Such newly-issued guidelines are aimed at compliance with principles set forth by the GDPR, as well as by the recently issued contributions of the European Data Protection Board. The new guidelines complement and update the previous ones issued in 2014.

New provisions mainly regard how consent is acquired and information to be provided to interested subject. In fact:

  • consent by the user must be given in accordance with principles of freedom and unambiguousness. Accordingly, the use of methods that do not comply with such principles, such as the “scrolling-down” and the “cookie-wall”, are unlawful and void;
  • the “cookie banner” must comply with the “privacy by design” and “privacy by default” principles, as resulting from article 25 of the GDPR. Consequently, simplified manners for the obtainment of the consent are allowed only to the extent that they comply with some pre-determined requirements;
  • “analytic cookies” can be processed without any consent by users only if they do not allow any identification (direct identification of the person concerned should not be achieved), and if they are used for the production of aggregate data only. Otherwise, they need to be expressly authorized;
  • information to be provided to the users must be specific and comply with articles 12 and 13 of the GDPR.

Data controllers now have a 6-months term (expiring on December 2021) for the adoption of the measures necessary to comply with such giudelines.

The full text of the measure can be found at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9677876.