Garante per la protezione dei dati personali (Italy) - 9936136: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=9936136 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9936136 |Original_Source_Language_1=Ital...") |
No edit summary |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 60: | Line 60: | ||
|EU_Law_Link_2= | |EU_Law_Link_2= | ||
|National_Law_Name_1= | |National_Law_Name_1=Article 110 Codice Privacy | ||
|National_Law_Link_1= | |National_Law_Link_1=https://www.garanteprivacy.it/codice | ||
|National_Law_Name_2= | |National_Law_Name_2= | ||
|National_Law_Link_2= | |National_Law_Link_2= | ||
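Review bot: The added `National_Law_Link_1` value points at the general https://www.garanteprivacy.it/codice page rather than at Article 110 itself, so a reader following the infobox link has to locate the article manually. If a direct link to Article 110 is available, use it here and in the matching inline link in the Holding section so both references resolve to the same place.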
Line 81: | Line 81: | ||
}} | }} | ||
Following a request for prior consultation under [[Article 36 GDPR|Article 36 GDPR]], the Italian DPA authorised the company Daiichi Sankyo to process health data for a study | Following a request for prior consultation under [[Article 36 GDPR|Article 36 GDPR]], the Italian DPA authorised the company Daiichi Sankyo to process the health data of around 200 patients for a study promoting treatment improvements on breast cancer. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The company Daiichi Sankyo (the company) submitted a request for prior consultation, pursuant to | The company Daiichi Sankyo (the company) submitted a request for prior consultation, pursuant to [[Article 36 GDPR|Article 36 GDPR]], in relation to a study aimed to evaluate and improve the treatment outcomes of the drug Trastuzumab Deruxtecan or T-DXd for future patients. The study was to be carried out in several European Union countries, including Italy, Spain and Ireland. And in Italy, it involved seven trial centres around the country. | ||
The request for prior consultation was deemed necessary as the study required the processing of health data of about 200 Italian patients, some of them deceased or unreachable, which was necessary for the study's objectives and a complete evaluation of the drug. | |||
The request for prior consultation was deemed necessary as the study required the processing of | |||
As the company has its establishment in the United States, it assigned as its representative in the European Union Daiichi Sankyo Europe GmbH, established in Munich, Germany, under [[Article 27 GDPR|Article 27 GDPR]]. Additionally, under [[Article 28 GDPR|Article 28 GDPR]], it engaged the company Bionical Emas, established in the UK, as its data processor. | As the company has its establishment in the United States, it assigned as its representative in the European Union Daiichi Sankyo Europe GmbH, established in Munich, Germany, under [[Article 27 GDPR|Article 27 GDPR]]. Additionally, under [[Article 28 GDPR|Article 28 GDPR]], it engaged the company Bionical Emas, established in the UK, as its data processor. | ||
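Review bot: In the revised Facts paragraph, the new sentence "And in Italy, it involved seven trial centres around the country." starts with a conjunction and reads as a fragment; suggest "In Italy, it involved seven trial centres." In the same paragraph "aimed to evaluate and improve" would read better as "aimed at evaluating and improving". The new paragraph on the roughly 200 patients also says the processing "was necessary" right after saying the consultation "was deemed necessary", which blurs which necessity is meant.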
Line 97: | Line 95: | ||
=== Holding === | === Holding === | ||
Following the information provided, the Italian DPA assessed that the company had correctly identified the legal | Following the information provided, the Italian DPA assessed that the company had correctly identified [[Article 9 GDPR#2|Article 9(2) GDPR]] as the legal basis of the processing of personal data of the patients who are alive and reachable, as well as the specific and residual procedure in [https://www.garanteprivacy.it/codice Article 110 of the Italian Privacy Code] for patients who may be deceased or unreachable. | ||
It also positively acknowledged that the data would be transferred in pseudonymised form to the data controller established in the US on the basis of Standard Contractual Clauses under [[Article 46 GDPR]]. However, it requested the company to remove the reference to data processing related to legitimate interest, set out in [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], given that it is not an exemption for the processing of particular categories of data, as set out in [[Article 9 GDPR#2|Article 9(2) GDPR]]. | |||
Thirdly, on the information to be provided to the data subjects, the DPA positively noted that the company stated that the information pursuant to [[Article 14 GDPR#5b|Article 14(5)(b) GDPR]] would be published on the websites of the company and the participating trial centres. It also reminded that the information should be provided in accordance with [[Article 12 GDPR]] and contain all the elements set out in [[Article 13 GDPR]] and [[Article 14 GDPR]]. | |||
Fourthly, on the data storage, the DPA acknowledged that the company indicated that the retention period would be at least ten years. It found that the company justified the proportionality with regard to the period of data retention necessary to pursue the purpose of the collection, under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. | |||
Next, on data anonymisation, it emerged that the company intended to aggregate the data collected or convert them into statistics so the | Next, on data anonymisation, it emerged that the company intended to aggregate the data collected or convert them into statistics so the data subjects could no longer be identified. However, the DPA stressed that the availability of a large number of aggregated statistics increases the possibility of identification. To avoid this risk, it stated that the number of statistics to be disseminated must be significantly lower to avoid the identification of the data subjects. | ||
Lastly, pursuant to [[ | Lastly, pursuant to [[Article 32 GDPR]] and [[Article 35 GDPR]], the Italian DPA noted that in the case of remote monitoring of the study, the company should define the data protection roles of all entities involved in this activity and also identify appropriate technical and organisational measures to protect the fundamental rights and freedoms of the data subjects. | ||
== Comment == | == Comment == |
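Review bot: In the anonymisation paragraph of the revised Holding, the last sentence says the number of statistics "must be significantly lower" without saying lower than what, and repeats "to avoid" twice ("To avoid this risk ... to avoid the identification"). Suggest stating the comparison the DPA made, or dropping the trailing clause. The new sentence "It also reminded that the information should be provided" also lacks an object for "reminded" (for example "reminded the company that").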
Latest revision as of 16:59, 6 November 2023
| Garante per la protezione dei dati personali - 9936136 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(e) GDPR, Article 6(1)(f) GDPR, Article 9 GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 32 GDPR, Article 35 GDPR, Article 36 GDPR, Article 46 GDPR, Article 110 Codice Privacy |
| Type: | Advisory Opinion |
| Outcome: | n/a |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | Daiichi Sankyo |
| National Case Number/Name: | 9936136 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | Garante per la protezione dei dati personali (in IT) |
| Initial Contributor: | ar |
Following a request for prior consultation under Article 36 GDPR, the Italian DPA authorised the company Daiichi Sankyo to process the health data of around 200 patients for a study promoting treatment improvements for breast cancer.
English Summary
Facts
The company Daiichi Sankyo (the company) submitted a request for prior consultation, pursuant to Article 36 GDPR, in relation to a study aimed at evaluating and improving the treatment outcomes of the drug Trastuzumab Deruxtecan (T-DXd) for future patients. The study was to be carried out in several European Union countries, including Italy, Spain and Ireland. In Italy, it involved seven trial centres around the country.
The request for prior consultation was deemed necessary as the study required the processing of health data of about 200 Italian patients, some of them deceased or unreachable, which was necessary for the study's objectives and a complete evaluation of the drug.
As the company has its establishment in the United States, it designated Daiichi Sankyo Europe GmbH, established in Munich, Germany, as its representative in the European Union under Article 27 GDPR. Additionally, under Article 28 GDPR, it engaged the company Bionical Emas, established in the UK, as its data processor.
In the request to the Italian DPA, the company also enclosed the data protection impact assessment carried out pursuant to Article 35 GDPR.
Holding
Following the information provided, the Italian DPA assessed that the company had correctly identified Article 9(2) GDPR as the legal basis of the processing of personal data of the patients who are alive and reachable, as well as the specific and residual procedure in Article 110 of the Italian Privacy Code for patients who may be deceased or unreachable.
It also positively acknowledged that the data would be transferred in pseudonymised form to the data controller established in the US on the basis of Standard Contractual Clauses under Article 46 GDPR. However, it asked the company to remove the reference to processing based on legitimate interest under Article 6(1)(f) GDPR, given that legitimate interest is not one of the exemptions for processing special categories of data set out in Article 9(2) GDPR.
Thirdly, on the information to be provided to the data subjects, the DPA positively noted that the company stated that the information pursuant to Article 14(5)(b) GDPR would be published on the websites of the company and the participating trial centres. It also reminded the company that the information should be provided in accordance with Article 12 GDPR and contain all the elements set out in Article 13 GDPR and Article 14 GDPR.
Fourthly, on the data storage, the DPA acknowledged that the company indicated that the retention period would be at least ten years. It found that the company justified the proportionality with regard to the period of data retention necessary to pursue the purpose of the collection, under Article 5(1)(e) GDPR.
Next, on data anonymisation, it emerged that the company intended to aggregate the data collected or convert them into statistics so that the data subjects could no longer be identified. However, the DPA stressed that the availability of a large number of aggregated statistics increases the possibility of identification. To avoid this risk, it stated that the number of statistics to be disseminated must be significantly lower.
Lastly, pursuant to Article 32 GDPR and Article 35 GDPR, the Italian DPA noted that in the case of remote monitoring of the study, the company should define the data protection roles of all entities involved in this activity and also identify appropriate technical and organisational measures to protect the fundamental rights and freedoms of the data subjects.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.