The second issue of our summer series focuses on the recent decision by the Italian Data Protection Authority, which affects all users of the Google Analytics services in Italy, as well as other similar services that entail the transfer of users’ personal data to the United States.
Read our slides to understand what actions are available to you.
New guidelines on patient support programs have been adopted by the Italian pharmaceutical industry association (Farmindustria) on January 19, 2022. The new guidelines have been incorporated in a new release of the industry ethical code, where also several provisions regarding educational activities, market access and scientific data exchange have been updated.
Patient support programs are not expressly regulated under Italian law and, for such reason, the guidelines issued by Farmindustria are particularly helpful in identifying the best market practices. The new guidelines define patient support programs as initiatives implemented by pharmaceutical companies aimed at making available additional services for the direct benefit of patients. Such services are not intended to replace the services of hospitals and other healthcare organizations.
Patient support programs can only be implemented in connection with medicinals that have received a marketing authorization, for the sole purpose of providing information on the correct use of the medicinal product and to foster patients’ compliance with its administration. They can never have a promotional purpose.
The new Farmindustria guidelines expressly acknowledge that patient support programs may be implemented by pharmaceutical companies through a third party service provider, which may carry out services in favour of patients by means of adequately qualified professionals. The pharmaceutical companies, however, continue to have overall responsibility for the program.
A noteworthy innovation has been adopted with regard to the processing of patients’ personal data. In fact, the new guidelines provide that pharmaceutical companies must not directly process the data of patients enrolled in a patient support program, and should rather only access aggregated data for statistical purposes on the use of the services.
This latter provision is particularly troublesome from a data protection standpoint, as it may be interpreted as preventing pharmaceutical companies from acting as data controllers in connection with the deployment of patient support programs, even if they remain responsible for the programs themselves. Therefore, new mechanisms shall be implemented to segregate identifiable data and prevent their processing by pharmaceutical companies unless they are previously de-identified.
Access to personal data concerning deceased people may represent an issue and a necessity, especially for their heirs. How is such kind of access to personal data currently regulated under the Italian Law (Legislative Decree n. 196/2003), as amended after GDPR?
The Italian Data Protection Authority, in its efforts to combine data protection legislation and clarity, recently issued an outline of article 2-terdecies of the Legislative Decree n. 196/2003.
- Who is entitled to such right to access? Whoever (i) has a vested interest; (ii) acts in the interest of the deceased person (who is the “interested party” pursuant to data protection laws); (iii) acts as mandatary; or (iv) acts for worthwhile reasons of family protection.
- To whom should the request to access data be addressed? The request should be addressed to the relevant Data Controller (i.e., the natural or legal person, public authority, agency or other body, either private or public, which determines the purposes and means of the processing of personal data), also through the Data Processor (i.e., the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller), where appointed.
- Which information may be requested? (i) Access to personal data of the deceased person; (ii) the purpose of processing data; (iii) which data have been communicated and the related addressees; (iv) the retention period; (v) the origin of such data and (vi) whether data are subject to an automatic decisional processing (Sections 15-22 of GDPR).
- Do you have to pay to access data? No, it is free (unless the request is manifestly unfounded or excessive).
- Are there any exceptions or limits? Yes, it is not possible to access data in the event it is forbidden (i) by the law or (ii) by the interested party, who released an express and unequivocal declaration addressed to the Data Controller. However, even in the latter hypothesis, third parties exercising their patrimonial rights originating from the death of the interested party cannot be prejudiced in their rights.
- Do you have to motivate your request? No.
- How long does it take to get a feedback on your request? Maximum one monthsince your request, except in some particular cases, as provided by GDPR.
- What can you do if your request is refused or in lack of any feedback? You may address the Italian Data Protection Authority or the relevant court.
Access to data concerning deceased people seems to be quite easy in theory. However, balancing patrimonial rights of heirs and assessing “express and unequivocal” declarations of the deceased may prove to be more complex in practice.
The Italian Data Protection Authority has authorized the transfer of personal data to the United States on the basis of the new “Privacy Shield” program, designed by the European Commission and the U.S. Department of Commerce to provide companies with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. On July 12, 2016 the European Commission deemed that the “Privacy Shield” offered adequate protection and could enable data transfers under EU legislation.
The Italian Data Protection Authority has now issued a general authorization for the processing and transfer of personal data in accordance with the “Privacy Shield” program and with the European Commission adequacy decision. The general authorization will be published today on the Official Gazette. Italian companies and multinational corporations active in Italy will therefore be able to transfer personal data to United States entities adhering to the “Privacy Shield”.
This latest decision comes after the expiration of the previous general authorization allowing the transfer of personal data to the United States pursuant to the “Safe Harbor” framework, held invalid by the Court of Justice of the European Union on October 22, 2015.
The European Commission plans to implement a continuous monitoring of the “Privacy Shield”, while at the moment it remains unclear how many business entities will seize this opportunity and join in the new program.