In June 2022, Law 62/2022 known as the Sunshine Act entered into force in Italy, introducing new transparency regulations on transfers of value established between companies operating in the pharmaceutical and health care sector and health care professionals (HCPs) as well as health care organizations (HCOs). The Italian Sunshine Act is one of the newest Acts bearing the same denomination that have been adopted in other European countries, as well as in the United States.
The Italian Sunshine Act, in particular, will become fully operational once the Ministry of Health activates access to the public database called “Sanità Trasparente”, that will be under its direct management. This public database will contain the information and details concerning the transfers of value carried out between companies of the health sector, HCPs and HCOs, as well as the personal data of the latter, such as name, surname, professional contact data, and membership number of professional orders.
For this reason, the Sunshine Act also raises particular and important issues from a data protection standpoint and, consequently, in terms of compliance with the European Regulation 679/2018 (GDPR) and the national data protection legislation (in this case, the Italian Privacy Code).
In fact, the collection, storage and disclosure of personal data relating to HCPs and HCOs with the Ministry of Health, which is required by the Act, constitutes by definition a processing of personal data that must therefore be carried out in compliance with the obligations imposed by the relevant legal framework.
Therefore, we will now analyze what data protection obligations health care companies must comply with, when they fulfil the obligations imposed by the Italian Sunshine Act.
Required steps towards GDPR compliance
Article 5(6) of the Sunshine Act contains the most relevant elements for analyzing the law from a data protection point of view. The paragraph in question specifies:
“With the signing of conventions or agreements […] or with the acceptance of payments […] by subjects operating in the health sector and health organizations, as well as with the acquisition of shares, securities and profits deriving from industrial or intellectual property rights […] the consent is understood to be given to the disclosure and processing of data by the aforementioned subjects and organizations, for the purposes set forth in this article. However, manufacturing companies are required to provide information to subjects operating in the health sector and health organizations, specifying that the communications referred to in the preceding paragraphs are subject to publication on the institutional website of the Ministry of Health […]” (Unofficial translation)
Legal basis for the processing of personal data
As mentioned in Article 5(6) of the Act, the transfer of value between the company and the HCPs and HCOs is governed by an agreement. In this agreement, personal data of the data subjects are collected, which will then be communicated to the Ministry of Health.
The current wording of Article 5(6) is, however, imprecise with regard to the legal basis that would legitimize such processing. In fact, an “implied” consent of the data subject is envisaged, considered to have been given at the time of the signing of the aforementioned agreements.
However, consent does not appear to be the most correct and appropriate legal basis in this circumstance. The processing of personal data of data subjects is legitimate, inter alia, under Article 6(1)(c) of the GDPR, i.e. when it is carried out on the basis of a legal obligation to which the data controller is subject. Such legal obligation is provided for in the Sunshine Act itself, which obliges data controllers to disclose and publish the personal data of HCOs and HCPs.
According to the GDPR, consent as described in the current wording of the Act is therefore unnecessary (due to the existence of a different, more appropriate legal basis) and, above all, not legitimate. Article 7 GDPR, together with guidelines and decisions of both the European Data Protection Board (EDPB) and Member States’ DPAs, emphasizes that the data subject’s consent to the processing of their personal data can never be implied, but always has to be provided by a clear, unambiguous and explicit act of the data subject.
Moreover, consent must be withdrawable at any time by the data subject: in its current wording, the Act does not provide for a direct mechanism for withdrawing consent.
Therefore, the reference to consent as a legal basis in the current wording of the Italian Sunshine Act does not seem appropriate. We trust that the Italian DPA (Garante per la protezione dei dati personali) or the forthcoming implementing decrees will provide further clarification on this point.
Data retention period
According to Article 5(4) of the Act, personal data published on the public database are available for consultation for five years from their publication and deleted thereafter. Although this retention period concerns only the Ministry of Health, it provides an important insight for evaluating proportionate and appropriate retention periods for companies.
Primarily, data disclosed to the Ministry should be stored by the company to prove compliance with the Sunshine Act’s reporting obligation, and thus to defend itself against accusations of omission or disclosure of false data. The prescription period for a similar administrative offence is five years. Therefore, five years would be a proportionate retention period for personal data of HCPs and HCOs.
However, it may also be necessary to retain such data for a longer period, for example when the data controller has to defend itself in the event of a corruption-related claim. In this case, the retention period should be aligned with the prescription period that national laws set for this kind of offence.
Further obligations
Finally, to ensure GDPR compliance in relation to Sunshine Act-related data processing, data controllers will need to:
- Provide a privacy policy to HCPs and HCOs informing them in a complete and comprehensive manner about the processing of their personal data. Again, this requirement is unnecessarily stated in the Sunshine Act despite the fact that this obligation is already clearly established by Article 13 GDPR, and is directly applicable in this context.
- Update the Record of Processing Activities (ROPA) with the personal data processing required to comply with the Sunshine Act.
- Appoint the employees under Article 29 GDPR who will be responsible for the collection of personal data and its communication to the Ministry (in line with the legal obligation established by Article 30 of the Italian Privacy Code).
Conclusion
Under the Sunshine Act, the processing and protection of personal data published on the Sanità Trasparente database will be the sole responsibility of the Health Ministry itself, acting as an independent data controller.
The Italian DPA (together with the Italian Digital Agency, AgID, and the National Anti-Corruption Authority, ANAC) shall provide an opinion on the compliance of the database before it is implemented, focusing in particular on the adequacy of the implemented technical and organizational security measures. We look forward to the Italian DPA also commenting on the appropriate legal basis to be used for these data processing activities and providing guidance to correctly identify the appropriate retention period.
Therefore, before the Sunshine Act becomes fully applicable at the beginning of 2023 (following the opinion of the above-mentioned authorities), companies falling under the scope of this Act should rely on their DPO or legal advisors to ensure their compliance with the legal requirements also from a data protection point of view, focusing in particular on the elements discussed in this article.