Garante per la protezione dei dati personali (Italy) - 10057629

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 9(2)(j) GDPR
Article 13 GDPR
Article 14(5)(b) GDPR
Article 25 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.07.2024
Published: 17.07.2024
Fine: 10,000 EUR
Parties: Istituto Tumori "Giovanni Paolo II"
National Case Number/Name: 10057629
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: ligialagev

The DPA fined a Scientific Hospital Care Institute €10,000 after investigating violations related to its research activities.

English Summary

Facts

The DPA carried out inspections at a Scientific Hospital Care Institute (IRCCS, the "controller") in order to verify compliance with the provisions on the protection of personal data in relation to processing carried out for scientific research purposes in the medical, biomedical and epidemiological fields.

Two clinical studies were analysed with regard to the following aspects: the principles of lawfulness of processing, transparency towards the data subject, the retention period of the personal data processed, accountability, privacy by design and by default, and the obligation to carry out a Data Protection Impact Assessment (DPIA), including whether one was needed and when it should have been carried out.

The first study was related to response and resistance mechanisms to immunotherapy and target therapy in melanoma. The second was about predicting lung disease in patients with non-small cell lung cancer using artificial intelligence techniques on clinical and imaging data.

Holding

The DPA held that the processing of personal data carried out for medical, biomedical and epidemiological research purposes, and in particular in study #1 and study #2, had been performed in breach of Article 5(1)(a) GDPR, Article 9(2)(j) GDPR, Article 35 GDPR, Article 12 GDPR, Article 13 GDPR and Article 14(5)(b) GDPR.

The investigation revealed that consent had been collected in an inadequate manner: it was not preceded by complete information on at least its essential elements. Consent collected in this way was fundamentally flawed in terms of specificity and determinacy (Article 13 GDPR) and was held to be contrary to the principles of transparency and fairness under Article 5(1)(a) GDPR.

The DPA stressed the importance of carrying out a DPIA before processing personal data for medical research purposes, in response to the controller's claim that it does so only when a study involves a particular type of profiling of patients' data or has an impact on their care through automated processing. The DPA found that the controller limited the preparation of DPIAs to far fewer cases than required. The failure to carry out a DPIA beforehand in this case was held to be a breach of Article 35 GDPR.

It was also emphasised that the controller has a duty to provide a specific information notice for each individual research project, at least in order to provide information that differs from what has already been disclosed to the data subjects (Article 13(3) GDPR and Article 14(5)(b) GDPR).

Another issue concerned the information on the processing of personal data relating to study #1 and study #2, which was incomplete. The gaps identified by the DPA were the failure to clearly indicate the legal basis of the processing (Article 13(1)(c) GDPR) and the failure to indicate the retention period of the personal data or the criteria used to determine it (Article 13(2)(a) GDPR). The rights of data subjects and the possibility of withdrawing consent were not clearly set out, and the right of access was made available only at the end of the study. For these reasons the controller was found to be in breach of the principle of transparency.

The DPA also found that the principles of accountability and privacy by design under Article 5(2) GDPR and Article 25 GDPR had been violated. In general terms, the controller had not demonstrated active conduct aimed at ensuring, by design and by default, the effective application of the data protection principles (in particular lawfulness, fairness, transparency and storage limitation) through the implementation and constant review and updating of specific, adequate and measurable procedures, also taking into account the particular context in which the processing operations examined are carried out and the related risks to the rights and freedoms of the data subjects.

The DPA granted the controller a period of ninety days to implement corrective measures, namely to:

1) carry out the impact assessment pursuant to Article 35 GDPR;

2) integrate, amend and rectify the information on the processing of personal data relating to study #1 and study #2;

3) clearly indicate the legal basis of the processing (Article 13(1)(c) GDPR);

4) indicate the storage period of the personal data or the criteria used to determine it (Article 13(2)(a) GDPR);

5) clearly set out the data subjects' rights and the possibility of withdrawing consent;

6) provide for the possibility of exercising the right of access throughout the duration of the processing.

On these grounds, the DPA issued a fine of €10,000 by way of administrative pecuniary sanction for the violations indicated.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10057629]

Provision of 17 July 2024

Register of provisions
no. 473 of 17 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - General Data Protection Regulation (hereinafter "Regulation");

HAVING SEEN, in particular, Articles 35 and 36 of the Regulation relating, respectively, to the data protection impact assessment and the prior consultation of the Authority;

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code” (hereinafter “Code”);

HAVING SEEN Articles 110, paragraph 1, first part, and 110-bis, paragraph 4, of the Code, regarding medical, biomedical and epidemiological research;

HAVING SEEN the Deontological Rules for Processing for Statistical or Scientific Research Purposes adopted by the Guarantor, pursuant to Article 20, paragraph 4, of Legislative Decree no. 101 of 10 August 2018, with provision no. 515, of 19 December 2018 (web doc. no. 9069637, hereinafter “Rules of Ethics”);

HAVING SEEN the Provisions relating to the processing of personal data carried out for scientific research purposes, annex no. 5 to the Provision that identifies the provisions contained in the General Authorizations that are compatible with the Regulation and with Legislative Decree no. 101/2018 adapting the Code, of 5 June 2019 (web doc. 9124510, hereinafter “Provisions”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, web doc. no. 1098801;

Rapporteur Prof. Pasquale Stanzione;

WHEREAS

1. The inspection activity

The Office of the Guarantor, on XX and XX, carried out the inspections referred to in service order no. XX, of XX at the Giovanni Paolo II Tumor Institute of Bari, Scientific Hospitalization Institute - IRCCS (hereinafter "Institute" or "IRCCS") in order to verify compliance with the provisions on the protection of personal data in relation to the processing carried out for scientific research purposes in the medical, biomedical and epidemiological fields - (Article 58, paragraph 1, letter a), e) and f) of the Regulation, Articles 157 and 158 of the Code, Articles 21 and 22 of Regulation no. 1/2019 of the Guarantor for the protection of personal data).

As part of this inspection activity, the Office of the Guarantor focused on verifying the effective application of the principles of lawfulness of processing, fairness and transparency, limitation of storage, accountability, privacy by design and by default, as well as the obligation to carry out the impact assessment (articles 5, paragraph 1, letter a), c), e), 13, 14, 25, 32, and art. 110-bis paragraph 4 of the Code), also with reference to two specific clinical studies:

- 1) “Study of the mechanisms of response and resistance to immunotherapy and targeted therapy in melanoma”, monocentric, non-profit, retrospective and prospective (hereinafter, “Study 1”, examined on 24 October 2024);

- 2) “Study of lung disease prediction in patients with stage 3 non-small cell lung cancer (NSCLC) treated with chemo-radiotherapy, using artificial intelligence techniques on clinical and imaging data”, retrospective and single-center (hereinafter, “Study 2”, examined on October 23, 2024).

In this regard, for what is relevant here, the following emerged.

On the first day of investigations, the Institute declared, in particular, that it bases the processing of personal data necessary for the implementation of current, retrospective, observational and single-center research projects on “art. 110-bis, paragraph 4 of the Code”, and that in any case, “upon acceptance of the patient for treatment purposes, information is provided” and that “where possible [the Institute] attempts to reach the patient to acquire specific consent to voluntary participation in individual research projects”.

With specific reference to Study 2), the Institute, after clarifying that the enrollment phase was still ongoing, confirmed that, since it is a retrospective study, it is being conducted on the basis of art. 110-bis, paragraph 4 of the Code.

In relation to the information obligations, the Institute considered the general information provided during the patient acceptance phase for care purposes to be sufficient, in which it is indicated, among other things, that the data collected for treatment purposes may be further processed for research purposes. In any case, it was clarified that living patients, at the time of enrollment, are in any case provided with the specific information prepared for the Study and that the information for the processing of data of deceased or uncontactable patients is not required.

With specific reference to the impact assessment pursuant to art. 35 of the Regulation (the DPIA, “VIP” in the original), the Institute stated that, in general terms, it is carried out only for certain types of studies, which involve a particular type of profiling on patient data or if there are repercussions on their care through automated processing. The Institute also stated that in relation to Study 2) the VIP was not carried out, as it "uses both clinical data and characteristics extracted from radiomic images (simulation CT) taken by patients undergoing radiotherapy (where the patient has signed the informed consent also for further treatment for research)".

With specific reference to the data retention period in Study 2), the Institute stated that "the protocol indicates that the enrollment phase and the Study have a duration of 24 months, linked to the duration of the funding" and that "the research data in raw format must remain available in this form for an indefinite period for control activities on the scientific nature of the data, reserving the right to corroborate this assertion with specific documents if possible".

In relation to the data flow, the Institute stated that clinical data are entered into the e-CRFs manually, using data from paper medical records, as the electronic medical record is not probative as it “may not be complete and does not represent the reference medical-legal document”.

The manual data loading phase into the e-CRFs “is often corroborated by a double check (PI [Principal Investigator] and data manager). Each patient is assigned a progressive code, given the small number of patients enrolled in Study 2, the correlation list remains in the possession of the PI in paper format. The e-CRF and the correlation table, where in electronic format, are both protected with passwords, encrypted and stored in two different partitions”.

Also in relation to Study 1), the Institute stated that since it is a retrospective study, the legal basis for the processing was identified in art. 110-bis, paragraph 4 of the Code. In any case, both for the prospective and retrospective phases, if the patient is alive and contactable, his/her consent is acquired.

In this regard, in general terms it was represented that the choice to base the processing of personal data on art. 110-bis, paragraph 4 of the Code or on the consent of the interested parties depends on the prospective or retrospective nature of the study; where a patient is deceased or uncontactable, the processing is based on art. 110-bis, paragraph 4 of the Code. In any case, where possible, the interested party's consent is always acquired, in particular in retrospective studies.

With reference to Study 1), the Institute also represented that the residual risk of the processing was considered low and that for this reason, as for Study 2), the VIP was not carried out pursuant to art. 35 of the Regulation.

In any case, for this last study it was clarified that "neither deceased patients nor uncontactable patients were enrolled, as only the prospective phase of the Study was carried out at the time".

With specific reference to the VIP, it was further stated that "it is prepared for studies in which the risk identified by the PI in collaboration with the DPO requires such a VIP. If drawn up, it is presented to the Ethics Committee. In the event that the Study enrolls a limited number of patients, it is not assessed as high risk and therefore the VIP is not prepared".

In this regard, it was clarified that the doctor responsible for the project is required to fill out an attachment describing how the data is processed by the researchers (Annex B) and that on the basis of what is indicated by the doctor in the aforementioned attachment, it is assessed whether or not to carry out the VIP.

As part of the inspection activity, the Office also acquired numerous documents containing internal guidelines on the technical and organizational measures implemented by the Institute for the application of the rules on the protection of personal data, as well as some information notices prepared for the interested parties.

First, the Institute represented that at present the organizational measures are by far prevalent compared to the technical ones and that the staff has been given training on the protection of personal data.

With specific reference to the transparency of the processing, the following were provided:

- the information form on the processing of personal data carried out in the context of healthcare services, issued upon acceptance of the patient at the hospital facility for treatment purposes, in which, in the section on the purposes of the processing, the “medical, biomedical and epidemiological research activities” are said to be carried out on the basis of “art. 9, par. 2, letter a) of the GDPR (acquisition of consent)” and of “art. 9, letter j) of the GDPR: the processing is necessary for scientific research purposes on the basis of Union or national law (in cases of untraceable or deceased patients) and art. 110-bis, c.4 of Legislative Decree no. 196/03”;

- the informed consent form for the processing of personal data, which includes a section with the following wording “I consent to the use of my personal data for research purposes in the sector ….. for purposes ………” followed by two fields to be filled in “yes” or “no”, in which the patient is also informed that “before the start of each Study I may be contacted again to issue further specific consent”;

- the information and informed consent sheet for Study 2), which contains a section called “information and expression of consent to the processing of personal data”. This information notice states that “from 25 May the new General Data Protection Regulation (GDPR) came into force, replacing resolution 52 of 24/7/2008 Guidelines for the processing of personal data in the context of clinical trials of medicinal products, in order to describe your rights in more detail […]”. It is also indicated that “at the end of the study your personal data will be stored at the clinical center for the period required by current regulations”. In the section “your specific rights regarding your personal data” it is stated that the interested party “has the right to review your personal data. However, during the Study, access to your Personal Data may be limited to protect the integrity of the Study. You may have access to your personal data at the end of the study”. It is also provided that “questions about the collection and use of information should [be asked] to the Study doctor. You should also inform him/her if you wish to exercise your rights regarding such information; for example, if you decide to correct some personal data or withdraw your consent”. The section in which the interested party gives his/her consent to the processing of personal data for research purposes follows;

- the documentation relating to Studies 1) and 2): study protocol, information sheet and informed consent containing a specific section relating to the privacy information and consent to the processing of personal data, and Annex B, filled out by the Doctor responsible for the project.

The Institute then sent further documentation relating to the "storage of research data in raw format for control activities on the scientific nature of the data" (note of XX).

In this regard, the Institute declared in particular that:

"The research data "raw data" (numerical data, symbols, texts, images etc.), used as primary sources of scientific research necessary to validate the results of the same research, are stored with adequate technical and organizational security measures and appropriate pseudonymization/anonymization techniques".

In the context of clinical trials of medicinal products for human use (Reg. 536/14) the data storage period of 25 years is observed.

In general, the data retention period is defined for each research project, considering that if, at the end of the Study, this IRCCS deems it appropriate not to delete the archived data because they are considered to be of interest for scientific research (secondary use pursuant to art. 110-bis c.4 of the Code), the data may, pursuant to art. 5 of EU Regulation 2016/679, be retained for a longer period in accordance with the provisions of art. 89 of the GDPR;

Changes in the retention periods of personal data in the context of research are always subject to maximum information transparency (pursuant to art. 13-14 of the GDPR).

2. Contested violations

On the basis of the elements acquired in the context of the aforementioned inspection activity as well as the subsequent assessments carried out, the Office - with act of XX (prot. no. XX), which must be considered reproduced in its entirety here - has initiated, pursuant to art. 166, paragraph 5 of the Code, a proceeding for the adoption of the measures referred to in art. 58, paragraph 2 of the Regulation, against the Institute, inviting it to produce written defenses or documents to the Guarantor and to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, Law no. 689 of 24 November 1981).

With the aforementioned act, the Office notified the Institute that it had been ascertained that the processing of personal data carried out by the Institute for research purposes in the medical, biomedical and epidemiological fields within its research lines, and in particular in Studies 1) and 2), was carried out in violation of:

1. art. 5, paragraph 1, letter a) and art. 9, paragraph 2, letter j) of the Regulation, and arts. 110 and 110-bis, paragraph 4 of the Code;

2. art. 35 of the Regulation;

3. arts. 12, 13 and 14, paragraph 5, letter b) of the Regulation and art. 6, paragraph 3 of the Rules of Ethics;

4. art. 5, paragraph 1, letter e) of the Regulation;

5. arts. 5, paragraph 2, and 25 of the Regulation.

More specifically, with respect to each of the aforementioned violations, the Office has noted the following.

2.1. On the principle of lawfulness and the legal bases of the processing

In relation to the processing of personal data on health, including where applicable genetic data, for scientific research purposes carried out by the Institute in the lines of research authorised by the Ministry of Health and in particular for those analysed during the inspection - Study 1) and Study 2) -, as highlighted above, the legal basis has been identified in art. 110-bis, paragraph 4 of the Code, except for the acquisition of consent in the event that the patient is alive and contactable (present in the informed consent forms of the aforementioned Studies) and except, furthermore, the consent acquired in any case on the occasion of health services.

In this regard, the Office of the Guarantor has considered that in general terms there is partial knowledge by the Institute of the conditions of lawfulness relating to the processing of personal data on health and genetic data for medical, biomedical and epidemiological research purposes, which, inevitably, is reflected in their application, in the performance of the related obligations and in the information for the interested parties.

In fact, the Institute, on the one hand, declares and represents to the interested parties during the acceptance phase at the hospital facility that the further processing of the data collected for treatment purposes carried out for research purposes is based on art. 110-bis, paragraph 4 of the Code, on the other hand systematically fails to provide for the performance and publication of the impact assessment (mandatory obligations in this case, according to the regulatory reconstruction indicated in the following paragraph 3 and already illustrated to the Institute with notes of XX, prot. no. XX and of XX, prot. no. XX).

The Institute, however, at the same time declared and demonstrated that the aforementioned processing is also based on the consent of the interested parties (where materially possible to acquire it) collected during the acceptance phase and subsequently also on the occasion of the enrollment of patients in specific research projects.

On this basis, in relation to the collection and subsequent processing of the data of deceased and uncontactable patients enrolled exclusively in Study 2), given that during the inspection it was declared that enrollment was in progress, the Institute was charged with failure to fulfill the obligation to carry out and publish the VIP, in violation of arts. 110, paragraph 1, first part, and 110-bis, paragraph 4 of the Code (art. 166, paragraph 2 of the Code).

The same objection was not raised in relation to Study 1), as it was stated that "neither deceased patients nor uncontactable patients were enrolled, as only the prospective phase of the Study was carried out at the time".

The violation of the principle of lawfulness, pursuant to art. 5, paragraph 1, letter a) of the Regulation, was also contested in relation to the processing of personal data relating to deceased or uncontactable subjects enrolled in retrospective studies carried out by the Institute within its lines of research, to the extent that the latter, as controller, systematically failed to carry out and publish the VIP, obligations which in this case are mandatory pursuant to art. 9, paragraph 2, letter j) of the Regulation and arts. 110, paragraph 1, first part, and 110-bis, paragraph 4 of the Code.

Furthermore, the investigations carried out revealed that the Institute, with particular reference to the processing of personal data of patients who can be contacted for research purposes in the medical, biomedical and epidemiological fields, collects two different consents, the first of which is acquired on the occasion of health services and would seem to be aimed at authorizing the processing of data for medical research purposes in certain sectors, without prejudice to the possibility of acquiring further consent with respect to specific projects.

In this regard, the Office noted the unsuitability of this expression of will, particularly in terms of specificity, to allow the aforementioned processing since the scientific research sector to be indicated in the consent form is limited to identifying macro purposes of the research itself and not a specific project.

Furthermore, such consent, not being preceded by complete information on at least its essential elements, would be fundamentally flawed in terms of specificity and determinacy (Article 13 of the Regulation; see points 23 et seq. of the Guidelines on transparency pursuant to Regulation 2016/679, adopted on 29 November 2017, amended version adopted on 11 April 2018).

This collection of consent was therefore considered to be in conflict with the principles of transparency and fairness pursuant to art. 5, par. 1, letter a) of the Regulation since, even if in practice the subsequent processing of data for scientific research purposes is based on a new expression of consent or on art. 110-bis paragraph 4 of the Code, it was considered likely to generate confusion among the interested parties regarding the fate of their data, in violation of the principle of information self-determination and therefore of fairness and transparency.

2.2. On the impact assessment

With reference to the need to carry out a preventive VIP on the processing of personal data for medical research purposes, the Institute declared that it would only carry out this obligation when the study involves a particular type of profiling on patient data or if there are repercussions on their care through automated processing, on the basis of the assessment carried out by the trial office/PI reported in the aforementioned document called Annex B) acquired in the proceedings. The document does not contain the examination and assessment of the risks associated with the processing but only a description of some aspects of the same including, in particular, the types of data collected, the legal basis of the processing and some generic technical and organizational measures.

In this regard, the Office noted that the Institute limits the performance of the impact assessment to a number of cases far lower than those in which it is in any case necessary pursuant to Article 35 of the Regulation, even where it is not expressly required under the combined provisions of Articles 110 and 110-bis, paragraph 4 of the Code.

Considering that, in general terms, for the implementation of clinical studies in the medical, biomedical and epidemiological fields, the promoter as the data controller processes health data (and if applicable also genetic data, data suitable for revealing racial and ethnic origin, or relating to sexual life and orientation) relating to vulnerable subjects, such as patients and/or minors, it is noted that in such cases the failure to carry out the VIP prior to carrying out the study must be considered exceptional and in any case should be extensively justified (page 13 of the Guidelines of 4 October 2017, cit.), in keeping with the principle of accountability, whereas the rule should be to carry out this obligation.

On this basis, it was noted that the Institute does not take into due consideration the centrality of the risk-based approach imposed by the Regulation, omitting as a general rule and in particular with reference to the data of patients enrolled or who intend to enroll in Studies 1) and 2), to carry out the VIP, in violation of art. 35 of the Regulation.

2.3 On the principle of transparency and the obligation to provide information to interested parties

The Institute has declared that it provides patients with information on the processing of general data upon their admission to the hospital for treatment purposes, attaching a copy thereof, and then to provide interested parties enrolled in clinical trials with further specific information regarding the related processing, providing a copy of those relating to Studies 1) and 2).

The first information concerns the processing of personal data carried out in the context of the healthcare services offered by the Institute.

The Office has noted its incompleteness in relation to some elements referred to in art. 13 of the Regulation.

Through this information notice, in any case, the Institute informs interested parties that the data collected for treatment purposes may be further processed for research purposes, pursuant to art. 110-bis, paragraph 4 of the Code or on the basis of their consent pursuant to art. 9, paragraph 2, letter a) of the Regulation.

However, this does not exempt the data controller from the duty to provide specific information for each individual research project, at least to provide information that is different from that already made known to the interested parties (Articles 13, paragraph 3 and 14, paragraph 5, letter b) of the Regulation).

However, this additional information is systematically not provided for deceased or uncontactable subjects, in violation of Article 14, paragraph 5, letter b) of the Regulation and Article 6, paragraph 3 of the Deontological Rules. The Institute has in fact declared that, for such patients, the information is that provided upon acceptance of the patient at its facility for the provision of healthcare services.

Indeed, it is reiterated that the data controller has the obligation to provide the information directly to the interested parties in advance if possible, or through its publication if they are deceased or uncontactable (Article 14, paragraph 5, letter b) of the Regulation and Article 6, paragraph 3 of the Ethical Rules).

It was also noted that the information on the processing of personal data relating to Studies 1) and 2) prepared for the contactable subjects, were completely similar in their content and erroneous and incomplete in the part where:

it is indicated that following the entry into force of the Regulation it would have replaced resolution 52 of 24/7/2008 containing the "Guidelines for the processing of personal data in the context of clinical trials of medicinal products, in order to describe in more detail your rights [...]"; in fact, the aforementioned guidelines remain in force where compatible with the Regulation;

they do not clearly indicate the legal bases of the processing (art. 13, par. 1, letter c) of the Regulation);

they do not indicate the period of retention of personal data or the criteria used to determine it (art. 13, par. 2, letter a) of the Regulation), despite the fact that, moreover, the Institute has declared on this point that “The variations in the retention periods of personal data in the context of research are always subject to maximum information transparency (pursuant to art. 13-14 of the GDPR; see the Institute’s note of XX)”;

the rights of the data subjects and the right to withdraw consent are not clearly set out;

the right of access to the data is provided for only at the end of the Study; no such limitation exists in the current regulatory framework (see also the “Guidelines 01/2022 on data subject rights - Right of access”, Version 1.0, adopted on 18 January 2022).

In light of the above, the Office therefore charged the Institute with breaching the obligation to provide contactable data subjects, in advance, with clear, complete and easily intelligible information on the processing of personal data necessary to carry out Studies 1) and 2), in violation of Articles 12 and 13 of the Regulation.

Furthermore, the Institute was charged with breaching the obligation to make public the information on the processing of personal data of deceased and uncontactable data subjects enrolled in Study 2), in violation of Article 14, paragraph 5, letter b) of the Regulation and Article 6, paragraph 3 of the Deontological Rules.

Finally, for the reasons set out above, the Institute was found to have violated the principle of transparency, given that it prepared incomplete and/or incorrect information notices and entirely lacked organizational measures or a specific policy for making public the information on the processing, for research purposes, of the personal data of deceased or uncontactable data subjects (Article 5, paragraph 1, letter a) of the Regulation).

2.4. On the limitation of data retention

Finally, the inspection revealed, on the one hand, that the information notice provided to data subjects on admission to the hospital facility states that the retention period of data processed for research purposes is to be indicated in the relevant protocols and, on the other hand, that this period is not defined (at least not in the protocols for Studies 1 and 2, nor in the information notices addressed to data subjects), and that not even the criteria for determining it are indicated. Nor are these periods defined in the "Privacy Guidelines for the processing of personal data for scientific research purposes".

In this regard, data protection legislation in no case exempts the controller from the obligation to define the data retention period, or a suitable criterion for determining it, in particular so that it can comply with the specific transparency obligations owed to data subjects. It was therefore found that the Institute processes personal data for scientific research purposes in violation of the principle of storage limitation pursuant to art. 5, par. 1, letter e) of the Regulation.

2.5. On the Principle of accountability and privacy by design and by default

For all the reasons already noted, the Office charged the Institute with violating the principles of accountability and privacy by design and by default pursuant to arts. 5, par. 2, and 25 of the Regulation, since the controller, in general terms, did not demonstrate active conduct aimed at ensuring, from the design stage and by default, the effective application of the data protection principles (in particular lawfulness, fairness, transparency and storage limitation) through the implementation, constant review and updating of specific, adequate and measurable measures, also in relation to the particular context in which the processing operations examined take place and the related risks to the rights and freedoms of data subjects.

The Institute has in fact produced copious privacy documentation, in particular the resolutions of the General Director approving the "Regulation for the protection of personal data of natural persons, in compliance with EU Regulation 2016/679 (GDPR)" and the "Privacy Guidelines for the processing of personal data for scientific research purposes" (resolution 1100 of 27 December 2019).

In this regard, it was also noted that these documents can be regarded as mere organizational measures, more formal than substantive, and in themselves ineffective unless supported by further technical and organizational measures identified in relation to the specific processing carried out by the controller and proportionate to the protection objective specifically pursued.

On the merits, moreover, these documents contain inaccurate or at least incomplete indications, for example on retention periods or on the further processing, for scientific research purposes, of personal data collected for treatment purposes, for which no reference is made to art. 110-bis, paragraph 4 of the Code as the legal basis of the processing, nor to the specific obligations imposed on the controller (such as carrying out and publishing the data protection impact assessment, DPIA).

The lack of adequate technical security measures was, on the other hand, confirmed by the controller itself, which declared during the investigation that “at present, organizational measures are far more prevalent than technical measures and it reserves the right to provide proof of the training activity carried out”.

On this point, in particular, the absence of adequate technical measures to ensure by design the accuracy of the data in the collection phase for further research purposes, in the context of single-center studies, was noted. As highlighted above, data entry into the e-CRFs is manual, although “often corroborated by a double check (PI and data manager)”.

Furthermore, although the Privacy Guidelines for the processing of personal data for scientific research purposes adopted by the Institute expressly provide that at the "start up" of each research project a commission is to carry out an audit verifying compliance with them, it was not possible to obtain the audit reports for Studies 1) and 2) during the inspections.

For all of the above, it was found that the Institute had not effectively applied the principle of accountability and the obligations of data protection by design, in violation of Articles 5, paragraph 2, and 25 of the Regulation.

3. Applicable legislation

The processing of personal data for scientific research purposes must be carried out in compliance with the Regulation and the Code, the Provisions on the processing of genetic data (where applicable) and the Provisions on the processing of personal data carried out for scientific research purposes (web doc. no. 9124510), as well as the Deontological Rules (web doc. no. 9069637), which constitute an essential condition for the lawfulness and fairness of the processing (art. 2-quater of the Code and art. 21, paragraph 5, of Legislative Decree 10 August 2018, no. 101).

According to the Regulation, personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject” (principle of “lawfulness, fairness and transparency”, art. 5, par. 1, letter a) of the Regulation).

The principle of lawfulness requires that each processing operation be based on a specific legal basis (Article 6 of the Regulation). For special categories of data, including health data, Article 9 of the Regulation establishes a general prohibition on processing unless one of the specific exceptions to that prohibition applies, among which is the consent of the data subject.

Where the condition of lawfulness is consent, it must be given by a positive act with which the data subject expresses a free, specific, informed and unambiguous indication of his or her wishes regarding the processing of personal data concerning him or her (Recitals 32, 42 and 43, Articles 5, 6, paragraph 1, letter a) and 7 of the Regulation, and Guidelines 5/2020 on consent under Regulation (EU) 2016/679, adopted by the European Data Protection Board on 4 May 2020).

With specific reference to special categories of data, consent must also be explicit and expressed in writing (art. 9, par. 2, letter a) of the Regulation, par. 4 of the aforementioned Guidelines 5/2020 on consent, and art. 7, paragraph 2, letter b) of the Deontological Rules).

On this point, the European Data Protection Board has reiterated that "the notion of research cannot be extended beyond its common meaning and that 'scientific research' in this context means a research project established in accordance with the relevant sector methodological and ethical standards, in line with good practices", thereby confirming that in this sector the purpose of the processing must be identified with the specific research project to be carried out (Guidelines 5/2020 on consent, cit.; "A Preliminary Opinion on data protection and scientific research" of the European Data Protection Supervisor, cit.).

Without prejudice to the obligations relating to consent, recital 33 of the Regulation recognises that “In many cases, it is not possible to fully identify the purpose of the processing of personal data for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research where there is compliance with recognised ethical standards for scientific research. Data subjects should have the possibility to give their consent only to certain areas of research or parts of research projects to the extent permitted by the intended purpose”. It therefore admits, in residual circumstances, that data subjects may give consent in progressive phases to the processing of personal data for scientific research purposes, when at the time of collection it is not possible to fully identify the specific purposes of the processing. This, bearing in mind that even for such processing the requirement of specificity and granularity of consent cannot be derogated from (Articles 6 and 7 of the Regulation and point 7.2 of Guidelines 5/2020 on consent, cit.).

In this case, therefore, the controller is subsequently required to define one or more specific research projects in accordance with the ethical and methodological rules of the sector and to supplement the expressions of will already collected from data subjects with specific consents, so as to progressively obtain a suitable legal basis for processing data for scientific research purposes (Articles 5, paragraph 1, letter a), 6, 7 and 9 of the Regulation; Guidelines 5/2020 on consent, cit.; see also “A Preliminary Opinion on data protection and scientific research” of the European Data Protection Supervisor of 6 January 2020; “Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research”, adopted by the European Data Protection Board on 2 February 2021), or, where it is in one of the situations referred to in art. 110 of the Code and point 5.3 of the Provisions, to fulfil the obligations set out in art. 110 of the Code, as amended by art. 44, paragraph 1-bis of Legislative Decree no. 19 of 2 March 2024, converted into law no. 56, and indicated by the Garante in the resolution promoting the new Deontological Rules for the processing of data for statistical and scientific research purposes (provision of 9 May 2024, web doc. 10016146).

For what is relevant here, it is also noted that the pursuit of scientific research purposes in the medical, biomedical and epidemiological fields is permitted once the data subject's consent has been obtained. "Consent is not necessary when the research is carried out on the basis of provisions of law or regulation or European Union law in accordance with Article 9, paragraph 2, letter j), of the Regulation, including the case in which the research is part of a biomedical or health research programme provided for pursuant to Article 12-bis of Legislative Decree 30 December 1992, no. 502, and an impact assessment is conducted and made public pursuant to Articles 35 and 36 of the Regulation” (Article 110 of the Code; Article 9, paragraph 2, letter j) and paragraph 4 of the Regulation).

With specific reference to the processing of personal data for scientific research purposes carried out by IRCCS, it is reiterated here, as already highlighted in the note of XX, prot. no. XX, that Article 110-bis, paragraph 4, of the Code provides that “The processing of personal data collected for clinical activity, for research purposes, by scientific hospital and care institutes, public and private, does not constitute further processing by third parties, owing to the instrumental nature of the healthcare activity carried out by those institutes with respect to research, in compliance with the provisions of Article 89 of the Regulation”.

Article 110-bis, paragraph 4 of the Code must be read in conjunction with the sector rules on IRCCS, set out in particular in Legislative Decree no. 288 of 16 October 2003, as subsequently amended, containing the “Reorganization of the regulations of the Scientific Hospitalization and Treatment Institutes”, which identifies appropriate and specific measures to protect the fundamental rights and interests of the data subject (see in particular art. 8, paragraph 5-bis of Legislative Decree no. 288 of 2003).

It follows that art. 110-bis, paragraph 4 of the Code offers IRCCS a specific legal basis by virtue of which, pursuant to art. 9, paragraph 2, letter j) of the Regulation, they may process data collected for treatment purposes also for further scientific research purposes in the medical, biomedical and epidemiological fields, without needing to obtain the patients' prior consent.

Article 110-bis, paragraph 4 of the Code is therefore one of the "provisions of law" referred to in art. 110 (first part of the first paragraph) of the Code, which prescribes, as a further requirement for the processing of data for research purposes in the medical, biomedical and epidemiological fields carried out pursuant to art. 9, paragraph 2, letter j) of the Regulation, that an impact assessment be carried out and published pursuant to art. 35 of the Regulation (see the FAQ on the legal prerequisites and main requirements for the processing by IRCCS, for further research purposes, of personal data collected for healthcare purposes, of 6 May 2024, web doc. no. 10024215).

In any case, the principle that legal bases are alternatives remains firm; therefore, in implementing the principle of lawfulness, it is for the controller to identify, for each individual Study, the most appropriate of the different conditions of lawfulness provided for in Articles 6 and 9, par. 2 of the Regulation, corresponding to the objective and essence of the processing, and consequently to indicate it in the impact assessment and in the information notice prepared for data subjects, also taking into account the different implications that each may have for the rights of data subjects (Articles 15-22 of the Regulation).

The principles of transparency and fairness require that the data subject be informed in advance of the existence of the processing and its purposes, by providing, in a concise, transparent, intelligible and easily accessible form and in clear and plain language, the information referred to in Article 13 of the Regulation, where data are collected directly from the data subject, or in Article 14 of the Regulation, where data are collected from third parties (recitals 58 and 60 and arts. 5, par. 1, letter a) and 12 of the Regulation).

It should be noted, in particular, that the Regulation provides that, where data were previously collected for other purposes, as in the present case, the controller must, before such further processing, provide the data subject with information on that different purpose and any other relevant information (art. 13, par. 3 of the Regulation).

In any case, in relation to data not collected from the data subject, the controller need not provide the information insofar as providing it proves impossible or would involve a disproportionate effort, in particular for processing carried out for scientific research purposes, subject to the conditions and safeguards referred to in art. 89, par. 1 of the Regulation and the adoption of appropriate measures to protect the data subject's rights, freedoms and legitimate interests, including making the information publicly available (Article 14, paragraph 5, letter b) of the Regulation and Article 6, paragraph 3 of the Deontological Rules).

The principle of storage limitation is also relevant, which requires that data be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" (Article 5, paragraph 1, letter e) of the Regulation).

Among the principles applicable to processing established in Article 5 of the Regulation, the principle of accountability is worth highlighting here, according to which the controller is responsible for, and must be able to demonstrate compliance with, the principles and obligations set out in the Regulation (Articles 5, paragraph 2, and 24 of the Regulation).

This is linked to the duty to ensure that the rules on the protection of personal data are applied from the design stage and by default (privacy by design and by default, art. 25 of the Regulation).

In compliance with the obligation of data protection by design, controllers must take an active role in applying the principles, aiming to achieve real protection. Article 25 of the Regulation obliges controllers to ensure that data protection is integrated into the processing from the design stage and by default, throughout the entire life cycle of the processing.

The Regulation also provides that "where a type of processing, in particular when it involves the use of new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks” (Article 35; Article 29 Working Party Guidelines WP 248 on "Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk'", adopted in amended form on 4 October 2017).

In particular, an impact assessment is required whenever processing operations are likely to result in a high risk to the rights and freedoms of natural persons, meaning in particular those involving: (i) evaluation or scoring; (ii) automated decision-making with legal or similarly significant effects on the data subject; (iii) systematic monitoring; (iv) sensitive data or data of a highly personal nature; (v) data processed on a large scale; (vi) matching or combining datasets; (vii) data concerning vulnerable data subjects; (viii) innovative use or application of new technological or organisational solutions; (ix) processing that prevents data subjects from exercising a right or using a service or a contract. In particular, the European Data Protection Board considers that a DPIA must certainly be carried out whenever at least two of these criteria are met at the same time (Part III, letter B) of the aforementioned Guidelines).

4. The defence briefs and the Garante's assessment

By note of XX (prot. no. XX), the Institute submitted its defence briefs, without asking to be heard, as provided for by art. 166, paragraph 5 of the Code.

4.1. On the principle of lawfulness, fairness and transparency

In relation to the objections raised by the Office of the Garante, the Institute stated, in declarations for the truthfulness of which it is criminally liable pursuant to art. 168 of the Code, as a preliminary point that "within the two studies, subject of the dispute, the patient enrollment phase had not been started, as stated in the minutes [...], a decisive circumstance for the purpose of declaring the merely potential and theoretical nature of the possible harmfulness of the contested violations and, therefore, exculpatory, or at least strongly mitigating, of the contested violations".

This declaration, confirming what had already been stated in relation to Study 1), also clarifies the meaning of what was reported at the end of the inspections of XX, when the Institute declared, with regard to Study 2), that "[...]. The study is ongoing and the enrollment phase has not yet been completed. At present, 58 potential patients, both alive and dead, have been identified".

In particular, with reference to the charge of violating the principles of transparency and fairness, linked to the fact that during the patient admission phase a prior and generic consent for research purposes is collected from data subjects, the Institute stated that it intended to collect such consent in implementation of recital 33 of the Regulation, as a sort of consent in progressive phases.

In this regard, without prejudice to what was highlighted above regarding the situation covered by recital 33 of the Regulation, and taking into account the good faith of the controller, which emerges clearly from the briefs submitted, and in particular the fact that, where possible, the consent of data subjects is in any case obtained before the start of processing for research purposes, the charge of violating the principles of transparency and fairness under art. 5, par. 1, letter a) of the Regulation is considered overcome.

4.2 On the impact assessment

With reference to the charge of violating the obligation to carry out the DPIA for the processing of personal data necessary to carry out clinical studies, and in particular those examined during the inspection (Studies 1 and 2), the Institute defended itself by stating in particular that it is "preparing the [impact] assessment activities certainly for those that are being started again and, in any case, also for studies in progress".

While acknowledging the commitment undertaken by the controller, it is noted however that the processing of data concerning health and, where applicable, genetic data, relating to vulnerable data subjects (such as patients), often carried out through combinations of data, on a large scale or through the use of new technologies (as, for example, in Study 2, which involves the use of artificial intelligence techniques for the analysis of clinical and imaging data), certainly falls among the processing operations for which a DPIA must be carried out in advance, pursuant to art. 35 of the Regulation (see Guidelines WP 248 cited above, Part III, letter B). This applies also with specific reference to the retrospective clinical studies that the Institute claims to base on art. 110-bis, paragraph 4 of the Code.

Considering, moreover, that the document on the basis of which the Institute decides whether or not a processing operation requires a DPIA does not examine the risks related to the processing, no elements emerged from the defence briefs capable of overcoming the charge of violating art. 35 of the Regulation.

In this regard, it should be noted that the fact that the Institute had not started the patient enrollment phase in Studies 1) and 2), although it may be considered a mitigating factor, is not in itself sufficient in this case to set aside the contested violation, since the DPIA by its very nature must be carried out before processing begins, and the study documentation shows that the Institute carried out internal assessments and erroneously concluded that it did not have to fulfil this obligation.

4.3 On the principle of transparency and the obligation to provide information to data subjects

With reference to the charge of violating the principle of transparency under art. 5, par. 1, letter a) of the Regulation and the obligation to make public the information on the processing of personal data of deceased and uncontactable data subjects enrolled in Study 2), under art. 14, par. 5, letter b) of the Regulation and art. 6, paragraph 3 of the Deontological Rules, the Institute stated in its defence briefs that it considered the obligation “satisfied precisely because of the double information provided to the patient, one upon first access to the Institute, the other upon the start of the specific research for the individual project, in addition to the privacy information also provided on the website of the Institution, on the page dedicated to this purpose” and that “all retrospective and prospective studies are published on the company website, in the form of a resolution of acknowledgement”.

In this regard, while favourably acknowledging the commitments undertaken by the Institute in relation to its information obligations, the briefs submitted contain no elements capable of overcoming the charge of violating the principle of transparency under art. 5, par. 1, letter a) of the Regulation, also in relation to the processing of personal data of deceased and uncontactable data subjects, given the systematic failure to publish the information as required by art. 14, par. 5, letter b) of the Regulation and art. 6, paragraph 3 of the Deontological Rules.

With reference, however, to the information notice on data processing in the context of healthcare services, additional documentation was produced showing that the copy previously obtained was incomplete, as its last page (3/3) was missing. The complete text, containing all the information required under arts. 13 and 14 of EU Reg. 2016/679, has been placed on the record and is available in the Privacy section of the institutional website (https://www.sanita.puglia.it/web/irccs/privacy1).

Therefore, the charge of violating articles 12 and 13 of the Regulation in relation to the information notice provided during the patient admission phase is considered overcome.

Finally, it should be noted that the charges relating to the information notices on the processing of personal data for Studies 1) and 2), prepared for contactable data subjects and placed at the end of the documentation and information preparatory to the collection of informed consent, have not been overcome: those notices are erroneous and incomplete, as charged by the Office of the Garante and set out in point 2.3 above.

For these reasons, the Institute's violation of the principle of transparency is therefore ascertained, given that it prepared incomplete and/or erroneous information notices and entirely lacked organizational measures and a specific policy for making public the information on the processing, for research purposes, of the personal data of deceased or uncontactable data subjects (arts. 5, par. 1, letter a) and 13 of the Regulation).

4.4 On the limitation of data retention

With reference to the charge of violating the principle of storage limitation, the Institute stated that "the limitation of the retention time will be indicated in compliance with the law and taking into account the specificity of the case, as already specified above".

While favourably acknowledging "the manifest will of the Institution to comply with the rules on health and research regarding the correct processing of personal data" and the commitment undertaken in this sense by the Institute, the violation of the principle of storage limitation under art. 5, par. 1, letter e) of the Regulation is nevertheless ascertained, for the reasons set out above (see par. 2.4).

4.5 On the Principle of accountability and privacy by design and by default

With regard to the charge that the Institute failed to effectively apply the principle of accountability and the obligations of data protection by design, in violation of Articles 5, par. 2, and 25 of the Regulation, the Institute, in its defence, asked the Authority to "benevolently evaluate the Entity's business system", providing evidence of some specific actions it intends to undertake.

On this basis, the Garante, while acknowledging the good faith of the Institute and the commitment already made to improve the technical and organizational measures aimed at ensuring effective application of the data protection principles, nevertheless considers the violation of the obligations of data protection by design ascertained and confirmed, in violation of Articles 5, par. 2, and 25 of the Regulation, for the reasons set out above (see par. 2.5).

5. Conclusions

In light of the above assessments, and taking into account the declarations made pursuant to art. 168 of the Code during the investigation, the elements provided by the controller in its defence brief, although worthy of consideration, do not allow, as illustrated and reasoned above, most of the findings notified by the Office in the act initiating the proceeding to be overcome, since none of the situations provided for by art. 11 of the Garante's Regulation no. 1/2019 applies.

For these reasons, the processing of personal data carried out by the Giovanni Paolo II Scientific Hospital and Care Institute of Bari is found to be unlawful, as it violates art. 5, par. 1, letter e) and par. 2, art. 9, par. 2, letter j), art. 14, par. 5, letter b), and arts. 25 and 35 of the Regulation, arts. 110, paragraph 1, first part, and 110-bis, paragraph 4 of the Code, and art. 6, paragraph 3 of the Deontological Rules. The violation of these provisions also makes applicable the administrative fine provided for by art. 83, paragraphs 4 and 5 of the Regulation, pursuant to arts. 58, paragraph 2, letter i), and 83, paragraph 3, of the Regulation and art. 166, paragraph 2 of the Code.

6. Corrective Measures

Article 58, paragraph 2 of the Regulation gives the Garante a series of corrective powers, both prescriptive and sanctioning, to be exercised where unlawful processing of personal data is ascertained, including the power "to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period" (Article 58, paragraph 2, letter d) of the Regulation).

In light of the above assessments, it is considered necessary to order the Institute, pursuant to Article 58, paragraph 2, letter d) of the Regulation, to adopt the following corrective measures within ninety days of notification of this decision:

- carry out the impact assessment pursuant to Article 35 of the Regulation and Articles 110 and 110-bis, paragraph 4 of the Code (par. 4.2);

- publish the information notice on the processing of personal data of deceased and uncontactable data subjects, pursuant to art. 14, par. 5, letter b) of the Regulation and art. 6, paragraph 3 of the Deontological Rules (par. 4.3);

- supplement, amend and correct the information notices on the processing of personal data for Studies 1) and 2) prepared for contactable data subjects (par. 2.3 and 4.3), in particular by:

- eliminating the indication that following the entry into force of the Regulation, it would replace resolution 52 of 24/7/2008 containing the “Guidelines for the processing of personal data in the context of clinical trials of medicinal products, in order to describe in more detail your rights […]”;

- clearly indicating the legal bases of the processing (art. 13, par. 1, letter c) of the Regulation);

- indicating the period of retention of personal data or the criteria used to determine it (Article 13, paragraph 2, letter a) of the Regulation);

- clearly representing the rights of the interested parties and the right to withdraw consent;

- providing for the possibility of exercising the right of access for the entire duration of the processing.

7. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (Articles 58, paragraph 2, letter i) and 83 of the Regulation; Article 166, paragraph 7, of the Code).

The violation of Article 5, paragraph 1, letter e) and paragraph 2, of Article 9, paragraph 2, letter j), of Articles 13, 14, paragraph 5, letter b) and of Articles 25 and 35 of the Regulation, of Articles 110, paragraph 1, first part and 110-bis, paragraph 4 of the Code and art. 6, paragraph 3 of the Rules of Ethics committed by the Institute is subject to the application of the administrative pecuniary sanction, pursuant to art. 83, paragraph 4, letter a) and 5, letters a) and b) of the Regulation.

The Guarantor, pursuant to art. 58, paragraph 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Garante] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Garante pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Garante Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in Article 83, paragraph 1, of the Regulation, in light of the elements provided for in Article 83, paragraph 2 of the Regulation in relation to which it is noted that:

- the processing carried out concerned, in particular, information suitable for revealing the state of health of patients enrolled in clinical studies conducted by the Institute within its lines of research (Article 4, paragraph 1, nos. 13 and 15 of the Regulation and Article 83, paragraph 2, letters a) and g) of the Regulation);

- from the perspective of the subjective element, no intentional attitude on the part of the data controller emerges, the violations ascertained having occurred in good faith (Article 83, paragraph 2, letter b) of the Regulation);

- there are no previous relevant violations committed by the data controller nor have measures pursuant to Article 58 of the Regulation been previously ordered (Article 83, paragraph 2, letter e) of the Regulation);

- the Institute has proven to be cooperative during the inspection and the present proceeding;

- although some aspects of non-compliance with the current regulatory framework on the protection of personal data, highlighted above, remain, the Institute has already implemented some corrective measures in relation to the processing of personal data carried out (art. 83, par. 2, letter c) of the Regulation).

In light of the above elements, assessed as a whole, it is deemed appropriate to set the pecuniary sanction provided for by art. 83, paragraphs 4 and 5, of the Regulation at € 10,000.00 (ten thousand/00) for the violation of art. 5, paragraph 1, letter e), and paragraph 2, of art. 9, paragraph 2, letter j), of arts. 13, 14, paragraph 5, letter b) and of arts. 25 and 35 of the Regulation, of arts. 110, paragraph 1, first part and 110-bis, paragraph 4 of the Code and of art. 6, paragraph 3 of the Rules of Ethics, as an administrative pecuniary sanction deemed, pursuant to art. 83, paragraphs 1 and 3 of the Regulation, effective, proportionate and dissuasive.

It is also considered that the accessory sanction of publication of this provision on the website of the Guarantor should be applied, as provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Istituto di Tumori "Giovanni Paolo II" I.R.C.C.S., with registered office in Viale Orazio Flacco 65, 70124 Bari (BA) - C.F and P.I.:00727270720, for the violation of art. 5, par. 1, letter e), and par. 2, of art. 9, par. 2, letter j), of arts. 13, 14, par. 5, letter b) and of arts. 25 and 35 of the Regulation, of arts. 110, paragraph 1, first part and 110-bis, paragraph 4 of the Code and of art. 6, paragraph 3 of the Rules of Ethics in the terms set out in the reasons.

ORDER

pursuant to arts. 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, the Institute to pay the sum of € 10,000.00 (ten thousand/00) as a pecuniary administrative sanction for the violations indicated in this provision. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ORDERS

to the Institute:

1. to pay the sum of € 10,000.00 (ten thousand/00) - in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code -, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

2. to bring the processing into conformity with the provisions of the Regulation, adopting the corrective measures indicated in paragraph 6 of this provision, no later than 90 days from notification of this provision, pursuant to art. 58, paragraph 2, letter d), of the Regulation. Failure to comply with an order formulated pursuant to art. 58, paragraph 2, of the Regulation is punishable by the administrative sanction referred to in art. 83, paragraph 6, of the Regulation;

3. to communicate what initiatives have been undertaken in order to implement the provisions of the aforementioned paragraph 6 and to provide, in any case, adequately documented feedback, no later than 20 days after the expiry of the deadline indicated above, pursuant to art. 58, paragraph 1, letter a), of the Regulation and art. 157 of the Code. Failure to respond to a request made pursuant to art. 157 of the Code is punishable by an administrative sanction, pursuant to the combined provisions of art. 83, paragraph 5, of the Regulation and art. 166 of the Code.

ORDERS

pursuant to art. 166, paragraph 7 of the Code, the publication of this provision in full on the website of the Guarantor, and finds that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei

[web doc. no. 10057629]

Provision of 17 July 2024

Register of provisions
no. 473 of 17 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S MEETING, which was attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councilor Fabio Mattei, secretary general;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - General Data Protection Regulation (hereinafter “Regulation”);

SEEN, in particular, Articles 35 and 36 of the Regulation relating, respectively, to the data protection impact assessment and prior consultation of the Authority;

SEEN Legislative Decree no. 196 of 30 June 2003 containing the “Code on the protection of personal data” (hereinafter “Code”);

SEEN Articles 110, paragraph 1, first part and 110-bis, paragraph 4, of the Code, regarding medical, biomedical and epidemiological research;

SEEN the Ethical Rules for processing for statistical or scientific research purposes adopted by the Guarantor, pursuant to art. 20, paragraph 4, of Legislative Decree no. 101 of 10 August 2018, with provision no. 515, of 19 December 2018 (web doc. no. 9069637, hereinafter “Ethical Rules”);

SEEN the Provisions relating to the processing of personal data carried out for scientific research purposes, Annex no. 5 to the Provision which identifies the provisions contained in the General Authorizations that are compatible with the Regulation and with Legislative Decree no. 101/2018 of adaptation of the Code, dated 5 June 2019 (web doc. 9124510, hereinafter “Prescriptions”);

SEEN the documentation in the files;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, at www.gpdp.it, web doc. no. 1098801;

Rapporteur Prof. Pasquale Stanzione;

WHEREAS

1. The inspection activity

The Office of the Guarantor, on XX and XX, carried out the inspections referred to in service order no. XX of XX at the Giovanni Paolo II Cancer Institute of Bari, Scientific Hospitalization and Care Institute - IRCCS (hereinafter "Institute" or "IRCCS"), in order to verify compliance with the provisions on the protection of personal data in relation to the processing carried out for scientific research purposes in the medical, biomedical and epidemiological fields (Article 58, paragraph 1, letters a), e) and f) of the Regulation, Articles 157 and 158 of the Code, Articles 21 and 22 of Regulation no. 1/2019 of the Guarantor for the protection of personal data).

As part of this inspection activity, the Office of the Guarantor focused on verifying the effective application of the principles of lawfulness of processing, fairness and transparency, storage limitation, accountability, privacy by design and by default, as well as the obligation to carry out the impact assessment (Articles 5, paragraph 1, letters a), c) and e), 13, 14, 25 and 32 of the Regulation, and art. 110-bis, paragraph 4 of the Code), also with reference to two specific clinical studies:

- 1) “Study of the mechanisms of response and resistance to immunotherapy and targeted therapy in melanoma”, monocentric, non-profit, retrospective and prospective (hereinafter, “Study 1”, examined on 24 October 2024);

- 2) “Study of lung disease prediction in patients with stage 3 chemo-radiotherapy non-small cell lung cancer (NSCLC) treated using artificial intelligence techniques on clinical and imaging data”, retrospective and single-center (hereinafter, “Study 2”, examined on 23 October 2024).

In this regard, for what is relevant here, the following emerged.

On the first day of investigations, the Institute declared, in particular, that it bases the processing of personal data necessary for the implementation of current, retrospective, observational and single-center research projects on “art. 110-bis, paragraph 4 of the Code”, and that in any case, “upon acceptance of the patient for treatment purposes, information is provided” and that “where possible [the Institute] attempts to reach the patient to acquire specific consent to voluntary participation in individual research projects”.

With specific reference to Study 2), the Institute, after clarifying that the enrollment phase was still ongoing, confirmed that, since it is a retrospective study, it is being conducted on the basis of art. 110-bis, paragraph 4 of the Code.

In relation to the information obligations, the Institute considered the general information provided during the patient acceptance phase for care purposes to be sufficient, in which it is indicated, among other things, that the data collected for treatment purposes may be further processed for research purposes. In any case, it was clarified that living patients are, at the time of enrollment, provided with the specific information prepared for the Study, and that information on the processing of data of deceased or uncontactable patients is not required.

With specific reference to the impact assessment pursuant to art. 35 of the Regulation (hereinafter “VIP”), the Institute represented that, in general terms, it is carried out only for certain types of studies, namely those which involve a particular type of profiling on patient data or which have repercussions on their care through automated processing. The Institute also declared that in relation to Study 2) the VIP was not carried out, as the study "uses both clinical data and characteristics extracted from radiomic images (simulation CT) that patients undergoing radiotherapy take (where the patient has signed the informed consent also for further treatment for research)".

With specific reference to the data retention period in Study 2), the Institute stated that “the protocol indicates that the enrollment phase and the Study have a duration of 24 months, linked to the duration of the funding” and that “the research data in raw format must remain available in this form for an indefinite period for control activities on the scientific nature of the data, reserving the right to corroborate this assertion with specific documents if possible”.

In relation to the data flow, the Institute stated that the clinical data are entered into the e-CRFs manually, using the data from the paper medical records, as the electronic medical record is not probative as “it may not be complete and does not represent the reference medical-legal document”.

The manual data loading phase in the e-CRFs “is often corroborated by a double check (PI [Principal Investigator] and data manager). Each patient is assigned a progressive code; given the small number of patients enrolled in Study 2, the correlation list remains in the possession of the PI in paper format. The e-CRF and the correlation table, where in electronic format, are both password protected, encrypted and stored in two different partitions”.

Also in relation to Study 1), the Institute stated that since it is a retrospective study, the legal basis for the processing was identified in art. 110-bis, paragraph 4 of the Code. In any case, both for the prospective and retrospective phases, if the patient is alive and contactable, their consent is acquired in any case.

In this regard, in general terms it was represented that the choice to base the processing of personal data on art. 110-bis, paragraph 4 of the Code or on the consent of the interested parties depends on the prospective or retrospective nature of the study; where a patient is deceased or uncontactable, the processing is based on art. 110-bis, paragraph 4 of the Code. In any case, if possible, the interested party’s consent is always obtained, in particular in retrospective studies.

With reference to Study 1), the Institute also stated that the residual risk of the processing was considered low and that for this reason, as for Study 2), the VIP pursuant to art. 35 of the Regulation was not carried out.

In any case, for this last study it was clarified that “neither deceased patients nor uncontactable patients were enrolled, as only the prospective phase of the Study was carried out at the time”.

With specific reference to the VIP, it was further stated that “it is prepared for studies in which the risk detected by the PI in collaboration with the DPO requires such a VIP. The same, if drafted, is presented to the Ethics Committee. In the event that the Study enrolls a limited number of patients, it is not assessed as high risk and therefore the VIP is not prepared”.

In this regard, it was clarified that the doctor in charge of the project is required to fill out an attachment describing how the data is processed by the researchers (Annex B) and that based on what the doctor indicated in the aforementioned attachment, it is assessed whether or not to carry out the VIP.

As part of the inspection activity, the Office also acquired numerous documents containing internal guidelines that set out the technical and organizational measures implemented by the Institute to apply the rules on the protection of personal data, as well as some information notices prepared for the interested parties.

As a first point, the Institute stated that at present the organizational measures are far more prevalent than the technical ones and that the staff has received training on the protection of personal data.

With specific reference to the transparency of the processing operations, the following were provided:

- the information form on the processing of personal data carried out in the context of healthcare services, issued upon acceptance of the patient at the hospital facility for treatment purposes, in which, in the section on the purposes of the processing, “medical, biomedical and epidemiological research activities” carried out on the basis of “art. 9, par. 2, letter a) of the GDPR” (acquisition of consent) are also indicated, as well as “art. 9, letter j) of the GDPR: the processing is necessary for scientific research purposes on the basis of Union or national law (in cases of untraceable or deceased patients) and art. 110-bis, c.4 of Legislative Decree no. 196/03”;

- the informed consent form for the processing of personal data, which includes a section with the following wording “I consent to the use of my personal data for research purposes in the sector ….. for purposes ………” followed by two fields to be filled in “yes” or “no”, in which the patient is also informed that “before the start of each Study I may be contacted again to give further specific consent”;

- the information sheet and informed consent for Study 2), which contains a section called “information and expression of consent to the processing of personal data”. This information sheet states that “from 25 May the new General Data Protection Regulation (GDPR) came into force, replacing resolution 52 of 24/7/2008 Guidelines for the processing of personal data in the context of clinical trials of medicinal products, in order to describe your rights in more detail […]”. It is also indicated that “at the end of the study your personal data will be stored at the clinical center for the period required by current regulations”. In the section “your specific rights regarding your personal data” it is stated that the interested party “has the right to review your personal data. However, during the Study, access to the Personal Data may be limited to protect the integrity of the Study. You may have access to the Personal Data at the end of the study”. It is also provided that “questions about the collection and use of the information should [be asked] to the Study physician. You should also inform him/her if you wish to exercise your rights regarding that information; for example, if you decide to correct some personal data or withdraw consent”. There is also the section in which the interested party gives his/her consent to the processing of personal data for research purposes;

- the documentation relating to Studies 1) and 2): study protocol, information sheet and informed consent containing a specific section relating to the privacy information and consent to the processing of personal data, and Annex B, filled out by the Doctor in charge of the project.

The Institute then sent further documentation relating to the “storage of research data in raw format for control activities on the scientific nature of the data” (note of XX).

In this regard, the Institute stated in particular that:

“The research data (‘raw data’: numerical data, symbols, texts, images etc.), used as primary sources of scientific research necessary to validate the results of the research itself, are stored with adequate technical and organizational security measures and appropriate pseudonymization/anonymization techniques”.

In the context of clinical trials of medicinal products for human use (Reg. 536/14), the data storage period of 25 years is observed.

In general, the data storage period is defined for each research project, considering that, if at the end of the Study this IRCCS should deem it appropriate not to delete the archived data because they are considered to be of interest for scientific research (secondary use pursuant to art. 110-bis c.4 of the Code), the data, pursuant to art. 5 of EU Regulation 2016/679, may be retained for a longer period, in accordance with the provisions of art. 89 of the GDPR;

Changes in the retention periods of personal data in the context of research are always subject to maximum information transparency (pursuant to art. 13-14 of the GDPR).

2. Contested violations

On the basis of the elements acquired in the context of the aforementioned inspection activity as well as the subsequent assessments carried out, the Office - with act of XX (protocol no. XX), which must be considered reproduced in its entirety here - has initiated, pursuant to art. 166, paragraph 5 of the Code, a procedure for the adoption of the provisions referred to in art. 58, par. 2 of the Regulation, against the Institute, inviting it to produce written defenses or documents to the Guarantor and to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, Law no. 689 of 24 November 1981).

With the aforementioned act, the Office notified the Institute that it had been ascertained that the processing of personal data carried out by the Institute for research purposes in the medical, biomedical and epidemiological fields within its own research lines, and in particular in Studies 1) and 2), was carried out in violation of:

1. Articles 5, paragraph 1, letter a) and 9, paragraph 2, letter j) of the Regulation, 110 and 110-bis, paragraph 4 of the Code;

2. Article 35 of the Regulation;

3. Articles 12, 13 and 14, paragraph 5, letter b) of the Regulation and art. 6, paragraph 3 of the Rules of Ethics;

4. Article 5, paragraph 1, letter e) of the Regulation;

5. Articles 5, paragraph 2, and 25 of the Regulation.

More specifically, with respect to each of the aforementioned violations, the Office has noted the following.

2.1. On the principle of lawfulness and the legal bases of the processing

In relation to the processing of personal data on health, including where applicable genetic data, for scientific research purposes carried out by the Institute in the lines of research authorised by the Ministry of Health, and in particular for those analysed during the inspection (Study 1 and Study 2), as highlighted above, the legal basis has been identified in art. 110-bis, paragraph 4 of the Code, apart from the consent acquired where the patient is alive and contactable (provided for in the informed consent forms of the aforementioned Studies) and, furthermore, the consent acquired in any case on the occasion of healthcare services.

In this regard, the Office of the Guarantor has considered that in general terms there is partial knowledge by the Institute of the conditions of lawfulness relating to the processing of personal data on health and genetic data for medical, biomedical and epidemiological research purposes, which, inevitably, is reflected in their application, in the performance of the related obligations and in the information for the interested parties.

In fact, on the one hand, the Institute declares and represents to the interested parties during the acceptance phase at the hospital facility that the further processing of data collected for treatment purposes carried out for research purposes is based on art. 110-bis, paragraph 4 of the Code, on the other hand it systematically fails to provide for the performance and publication of the impact assessment (mandatory obligations in this case, according to the regulatory reconstruction indicated in the following paragraph 3 and already illustrated to the Institute with notes of XX, prot. no. XX and of XX, prot. no. XX).

The Institute, however, at the same time declared and proved that the aforementioned processing is also based on the consent of the interested parties (where materially possible to acquire it) collected at the acceptance stage and subsequently also on the occasion of the enrollment of patients in specific research projects.

On this basis, in relation to the collection and subsequent processing of the data of deceased and uncontactable patients enrolled exclusively in Study 2), given that during the inspection it was declared that enrollment was in progress, the Institute was charged with failure to fulfill the obligation to carry out and publish the VIP, in violation of Articles 110, paragraph 1, first part, and 110-bis, paragraph 4 of the Code (art. 166, paragraph 2 of the Code).

The same objection was not raised in relation to Study 1), as it was stated that "neither deceased patients nor uncontactable patients were enrolled, as only the prospective phase of the Study was carried out at the time".

The violation of the principle of lawfulness, pursuant to art. 5, par. 1, letter a) of the Regulation, was also contested in relation to the processing of personal data relating to deceased or uncontactable subjects enrolled in the retrospective studies carried out by the Institute within its lines of research, to the extent that the latter, as data controller, systematically failed to carry out and publish the VIP, obligations which in this case are mandatory pursuant to art. 9, par. 2, letter j) of the Regulation and arts. 110, paragraph 1, first part and 110-bis, paragraph 4 of the Code.

Furthermore, the investigations carried out revealed that the Institute, with particular reference to the processing for research purposes in the medical, biomedical and epidemiological fields of the personal data of patients who can be contacted, collects two different consents, the first of which is acquired on the occasion of health services and would appear to be aimed at authorizing the processing of data for medical research purposes in certain sectors, without prejudice to the possibility of acquiring further consent for specific projects.

In this regard, the Office noted the unsuitability of this expression of will, particularly in terms of specificity, to permit the aforementioned processing operations, since the scientific research sector to be indicated in the consent form merely identifies the macro purposes of the research and not a specific project.

Furthermore, such consent, not being preceded by a complete information notice covering at least its essential elements, would be fundamentally flawed in terms of specificity (Article 13 of the Regulation; see points 23 et seq. of the Guidelines on transparency pursuant to Regulation 2016/679, adopted on 29 November 2017, amended version adopted on 11 April 2018).

Such collection of consent was therefore considered in conflict with the principles of transparency and fairness pursuant to Article 5, paragraph 1, letter a) of the Regulation since, even if in practice the subsequent processing of data for scientific research purposes is based on a new expression of consent or on Article 110-bis paragraph 4 of the Code, it was considered likely to generate confusion among the interested parties regarding the fate of their data, in violation of the principle of information self-determination and therefore of fairness and transparency.

2.2. On the impact assessment

With reference to the need to carry out a prior VIP on the processing of personal data for medical research purposes, the Institute declared that it fulfils this obligation only when the study involves a particular type of profiling on patient data or has repercussions on their care through automated processing, on the basis of the assessment carried out by the trial office/PI and reported in the aforementioned document called Annex B), acquired in the proceedings. That document does not contain an examination and assessment of the risks associated with the processing, but only a description of some aspects of it, including, in particular, the types of data collected, the legal basis of the processing and some generic technical and organizational measures.

In this regard, the Office noted that the Institute limits the performance of the impact assessment to a number of cases far lower than those in which it, even where not required by the combined provisions of Articles 110 and 110-bis, paragraph 4 of the Code, is in any case necessary pursuant to Article 35 of the Regulation.

Considering that, in general terms, for the implementation of clinical studies in the medical, biomedical and epidemiological fields, the promoter as data controller processes health data (and, if applicable, also genetic data, data suitable for revealing racial and ethnic origin, or data relating to sexual life and orientation) relating to vulnerable subjects, such as patients and/or minors, it is noted that in such cases the failure to carry out the VIP prior to the study must be considered exceptional and in any case should be extensively justified (page 13 of the Guidelines of 4 October 2017, cit.), in keeping with the principle of accountability, the rule being instead to fulfil this obligation.

On this basis, it was noted that the Institute does not take into due consideration the centrality of the risk-based approach imposed by the Regulation, omitting as a general rule and in particular with reference to the data of patients enrolled or who intend to enroll in Studies 1) and 2), to carry out the VIP, in violation of art. 35 of the Regulation.

2.3 On the principle of transparency and the obligation to provide information to interested parties

The Institute has declared that it provides patients with general information on the processing of personal data upon their admission to the hospital for treatment purposes, attaching a copy thereof, and that it then provides interested parties enrolled in clinical trials with further specific information regarding the related processing, providing a copy of the notices relating to Studies 1) and 2).

The first information concerns the processing of personal data carried out in the context of the healthcare services offered by the Institute.

The Office has noted its incompleteness in relation to some elements referred to in art. 13 of the Regulation.

Through this information, in any case, the Institute informs interested parties that the data collected for treatment purposes may be further processed for research purposes, pursuant to art. 110-bis, paragraph 4 of the Code or on the basis of the relative consent pursuant to art. 9, paragraph 1, letter a) of the Regulation.

However, this does not exempt the data controller from the duty to provide specific information for each individual research project, at least to provide information that is different from that already made known to the interested parties (Articles 13, paragraph 3 and 14, paragraph 5, letter b) of the Regulation).

However, this additional information is systematically not provided for deceased or uncontactable subjects, in violation of Article 14, paragraph 5, letter b) of the Regulation and Article 6, paragraph 3 of the Deontological Rules. The Institute has in fact declared that, for such patients, the information is that provided upon acceptance of the patient at its facility for the provision of healthcare services.

Indeed, it is reiterated that the data controller has the obligation to provide the information directly to the interested parties in advance if possible, or through its publication if they are deceased or uncontactable (Article 14, paragraph 5, letter b) of the Regulation and Article 6, paragraph 3 of the Ethical Rules).

It was also noted that the information notices on the processing of personal data relating to Studies 1) and 2) prepared for the contactable subjects were essentially identical in content and were erroneous and incomplete in the parts where:

it is indicated that following the entry into force of the Regulation it would have replaced resolution 52 of 24/7/2008 containing the "Guidelines for the processing of personal data in the context of clinical trials of medicinal products, in order to describe in more detail your rights [...]"; in fact, the aforementioned guidelines remain in force where compatible with the Regulation;

they do not clearly indicate the legal bases of the processing (art. 13, par. 1, letter c) of the Regulation);

they do not indicate the period of retention of personal data or the criteria used to determine it (art. 13, par. 2, letter a) of the Regulation), despite the fact that, moreover, the Institute has declared on this point that “Changes in the retention periods of personal data in the context of research are always subject to maximum information transparency (pursuant to art. 13-14 of the GDPR; see the Institute’s note of XX)”;

the rights of the interested parties and the right to withdraw consent are not clearly represented;

the possibility of exercising access to the data is foreseen only at the end of the Study. In fact, this limitation is not provided for by the current regulatory framework (see also the “Guidelines 01/2022 on data subject rights - Right of access”, Version 1.0, Adopted on 18 January 2022).

In light of the above, the Office therefore contested the violation of the obligation to provide contactable data subjects with clear, complete and easily intelligible information in advance in relation to the processing of personal data necessary for the implementation of Studies 1) and 2), in violation of Articles 12 and 13 of the Regulation.

Furthermore, the violation of the obligation to make public the information on the processing of personal data relating to deceased and uncontactable subjects enrolled in Study 2) was contested, in violation of Article 14, paragraph 5, letter b) of the Regulation and Article 6, paragraph 3 of the ethical rules.

Finally, for the reasons set out above, the Institute was found to have violated the principle of transparency, given the preparation of incomplete and/or incorrect information forms, the total absence of organizational measures or a specific policy to make public the information on the processing for research purposes of personal data of deceased or uncontactable data subjects (Article 5, paragraph 1, letter a) of the Regulation).

2.4. On the limitation of data retention

Finally, during the inspection it emerged, on the one hand, that the information provided to data subjects upon acceptance at the hospital facility indicates that the retention period of data processed for research purposes is to be specified in the relevant protocols and, on the other hand, that this period is not defined (at least in the protocols relating to Studies 1 and 2, nor in the information documents addressed to data subjects) and that not even the criteria for determining it are indicated. The aforementioned terms are not defined in the "Privacy Guidelines for the processing of personal data for scientific research purposes" either.

In this regard, the legislation on the protection of personal data in no case exempts the data controller from the obligation to define the data retention period or a suitable criterion for this purpose, in particular in order to be able to comply with the specific transparency obligations provided for towards the interested parties. Therefore, it was found that the Institute processes personal data for scientific research purposes in violation of the principle of limitation of data retention pursuant to art. 5, par. 1, letter e) of the Regulation.

2.5. On the Principle of accountability and privacy by design and by default

For all that has already been noted, the violation of the principles of accountability and privacy by design pursuant to art. 5, par. 2 and 25 of the Regulation was also contested, since the data controller, in general terms, has not demonstrated active conduct aimed at ensuring, from the design stage and by default, the effective application of the principles of protection of personal data (in particular, those of lawfulness, fairness and transparency and limitation of data retention) through the implementation and constant review and updating of specific, adequate and measurable measures, also in relation to the particular context in which the processing operations examined take place and the related risks for the rights and freedoms of the interested parties.

The Institute has in fact produced copious documentation prepared in the privacy field, with particular reference to the resolutions of the General Director with which the "Regulation for the protection of personal data of natural persons, in compliance with EU Regulation 2016/679 (GDPR)" and the "Privacy Guidelines for the processing of personal data for scientific research purposes" were approved (resolution 1100 of 27 December 2019).

In this regard, it was also noted that the aforementioned documents can be considered as mere organizational measures, more formal than substantial, and in themselves ineffective if not supported by further technical and organizational measures identified in relation to the specific processing carried out by the data controller and proportionate to the protection objective that is specifically intended to be pursued.

On the merits, moreover, inaccurate or at least incomplete indications emerged in the aforementioned documents, for example in relation to the retention periods or the further processing for scientific research purposes of personal data collected for treatment purposes, for which no reference is made to art. 110-bis, paragraph 4 of the Code as the legal basis of the processing, nor to the specific obligations imposed on the data controller (such as the performance and publication of the VIP).

The lack of adequate technical security measures was, on the other hand, confirmed by the data controller itself, which, during the preliminary investigation, declared that “at present, organizational measures are far more prevalent than technical measures and he reserves the right to provide proof of the training activity carried out”.

On this point, in particular, the absence of adequate technical measures to ensure by design the accuracy of the data during the collection phase for the pursuit of further research purposes in the context of single-center studies was noted. As highlighted above, in fact, the data loading phase in the e-CRFs is manual although “often corroborated by a double check (PI and data manager)”.

Furthermore, it was noted that although the Privacy Guidelines for the processing of personal data for scientific research purposes adopted by the Institute expressly provide that at the "start up" of each research project an audit to verify compliance with the same be carried out by a commission, it was not possible to acquire the audit reports carried out on Studies 1) and 2) during the inspections.

For all of the above, it was noted that the Institute had not effectively applied the principle of accountability and the obligations to protect personal data by design, in violation of Articles 5, paragraph 2 and 25 of the Regulation.

3. Applicable legislation

The processing of personal data for scientific research purposes must be carried out in compliance with the Regulation and the Code, the Provisions relating to the processing of genetic data (if necessary) and the Provisions relating to the processing of personal data carried out for scientific research purposes (web doc. no. 9124510) as well as the Deontological Rules (web doc. no. 9069637) which constitute an essential condition for the lawfulness and correctness of the processing (art. 2-quater of the Code and art. 21, paragraph 5, of Legislative Decree 10 August 2018, no. 101).

According to the Regulation, personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject” (principle of “lawfulness, fairness and transparency”; art. 5, par. 1, letter a) of the Regulation).

The principle of lawfulness requires that each processing be based on a specific legal basis (Article 6 of the Regulation). In relation to the particular categories of data, including health data, Article 9 of the Regulation establishes a general prohibition on processing unless one of the specific exemptions to this prohibition applies, among which the consent of the interested party is provided for.

In the event that the condition of lawfulness is represented by consent, it must be given through a positive act with which the interested party expresses a free, specific, informed and unequivocal will relating to the processing of personal data concerning him or her (Recitals 32, 42 and 43, Articles 5, 6, paragraph 1, letter a) and 7 of the Regulation and Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, adopted by the European Data Protection Board on 4 May 2020).

With specific reference to the particular categories of data, consent must also be expressed in writing (art. 9, par. 2, letter a) of the Regulation and par. 4 of the aforementioned Guidelines 5/2020 on consent and art. 7, paragraph 2, letter b) of the Deontological Rules).

On this point, it is noted that the European Data Protection Board has reiterated that "the notion of research cannot be extended beyond its common meaning and that "scientific research" in this context means a research project established in accordance with the relevant sector methodological and ethical standards, in line with good practices", thereby confirming that in this sector the purpose of the processing must be identified in the specific research project that is intended to be carried out (Guidelines 5/2020 on consent cit.; "A preliminary Opinion on scientific research" of the European Data Protection Supervisor, cit.).

Without affecting the obligations relating to consent, recital 33 of the Regulation recognises that “In many cases, it is not possible to fully identify the purpose of the processing of personal data for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research where recognised ethical standards for scientific research are respected. Data subjects should have the possibility to give their consent only to certain areas of research or parts of research projects to the extent permitted by the intended purpose”. It therefore, in residual circumstances, admits that data subjects may give consent to progressive phases for the processing of personal data for scientific research purposes, when at the time of collection it is not possible to fully identify the specific purposes of the processing. This, taking into account that, also in relation to the processing in question, it is not possible to derogate from the requirement of specificity and granularity of consent (Articles 6 and 7 of the Regulation and point 7.2 of the Guidelines no. 5/2020 on consent cit.).

In this case, therefore, the data controller is subsequently required to define one or more specific research projects in accordance with the ethical and methodological rules of the sector and to supplement the expressions of will already collected from the interested parties with specific consents, so as to progressively obtain a suitable legal basis for the processing of data for scientific research purposes (articles 5, par. 1, letter a), 6, 7 and 9 of the Regulation; Guidelines 5/2020 on consent, cit.; see also “A Preliminary Opinion on data protection and scientific research” of the European Data Protection Authority of 6 January 2020; “Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research” adopted by the European Data Protection Committee on 2 February 2021), or, where it is in one of the conditions referred to in art. 110 of the Code and point 5.3 of the Prescriptions, to carry out the obligations set out in art. 110 of the Code as amended by art. 44, paragraph 1-bis of Legislative Decree no. 19 of 2 March 2024, converted into Law no. 56, and indicated by the Guarantor in the resolution promoting the new ethical rules for the processing of data for statistical and scientific research purposes (provision of 9 May 2024, web doc. 10016146).

For what is relevant here, it is also noted that the pursuit of scientific research purposes in the medical, biomedical and epidemiological fields is permitted after obtaining the interested party's consent. "Consent is not necessary when the research is carried out on the basis of provisions of law or regulation or European Union law in accordance with Article 9, paragraph 2, letter j), of the Regulation, including the case in which the research is part of a biomedical or health research program provided for pursuant to Article 12-bis of Legislative Decree 30 December 1992, n. 502, and an impact assessment is conducted and made public pursuant to Articles 35 and 36 of the Regulation” (Article 110 of the Code, Article 9, paragraph 2, letter j) and paragraph 4 of the Regulation).

With specific reference to the processing of personal data for scientific research purposes carried out by IRCCS, it is reiterated here, as already highlighted in the note of XX, prot. no. XX, that Article 110-bis, paragraph 4, of the Code provides that “The processing of personal data collected for clinical activity, for research purposes, by scientific hospital and care institutes, public and private, does not constitute further processing by third parties, due to the instrumental nature of the health care activity carried out by the aforementioned institutes with respect to research, in compliance with the provisions of Article 89 of the Regulation”.

Article 110-bis, paragraph 4 of the Code must be read in conjunction with the sector regulations of the IRCCS referred to, in particular, in Legislative Decree no. 288 of 16 October 2003, as subsequently amended, containing “Reorganization of the regulations of the Scientific Hospitalization and Treatment Institutes”, which identifies appropriate and specific measures to protect the fundamental rights and interests of the interested party (see in particular art. 8, paragraph 5-bis of Legislative Decree no. 288 of 2003).

It follows that art. 110-bis, paragraph 4 of the Code offers the IRCCS a specific regulatory basis, by virtue of which, pursuant to art. 9, paragraph 2, letter j) of the Regulation, they can process the data collected for treatment purposes also for further scientific research purposes in the medical, biomedical and epidemiological fields without the need to obtain prior consent from the patients.

Article 110-bis, paragraph 4 of the Code, therefore constitutes one of those "legal provisions" referred to in art. 110 (first part of the first paragraph) of the Code, which prescribes as a further fulfillment for the processing of data for research purposes in the medical, biomedical and epidemiological fields, carried out pursuant to art. 9, paragraph 2, letter j) of the Regulation, the performance and publication of the impact assessment, pursuant to art. 35 of the Regulation (see FAQ on the legal prerequisites and main fulfillments for the processing by IRCCS of personal data collected for health care purposes for further research purposes of 6 May 2024, web doc. no. 10024215).

In any case, the principle of alternative legal bases remains unchanged; therefore, in implementation of the principle of lawfulness, it is up to the data controller to identify, with respect to each individual Study and among the different conditions of lawfulness provided for in articles 6 and 9, par. 2 of the Regulation, the most appropriate one in practice, corresponding to the purpose and essence of the processing, and consequently to indicate it in the impact assessment and in the information prepared for the interested parties, also taking into account the different implications that each of them may have on the rights of the interested parties (articles 15-22 of the Regulation).

The principles of transparency and fairness imply that the interested party is informed in advance of the existence of the processing and its purposes by providing, in a concise, transparent, intelligible and easily accessible form, with clear and plain language, the information referred to in art. 13 of the Regulation, in the case of data collected directly from them, or pursuant to art. 14 of the Regulation, in the case of data collected from third parties (recitals 58 and 60 and arts. 5, par. 1, letter a) and 12 of the Regulation).

It should be noted, in particular, that the aforementioned regulation provides that, if the data are previously collected for other purposes, as in the case in question, the data controller shall provide the data subject with information on this different purpose and any other relevant information before such further processing (Article 13, paragraph 4 of the Regulation).

In any case, in relation to data not collected from the data subjects, the data controller may not provide the information, to the extent that communicating it is impossible or involves a disproportionate effort. This applies in particular to processing carried out for scientific research purposes, without prejudice to the conditions and guarantees referred to in Article 89, paragraph 1 of the Regulation and the adoption of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including by making the information public (Article 14, paragraph 5, letter b) of the Regulation and Article 6, paragraph 3 of the Deontological Rules).

It is also important to note the principle of limitation of data storage, which requires that data be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed” (Article 5, paragraph 1, letter e) of the Regulation).

Among the principles applicable to processing established in Article 5 of the Regulation, it is worth highlighting the principle of accountability, according to which “the data controller must comply with and be able to demonstrate compliance with the principles and obligations set out in the Regulation” (Articles 5, paragraph 2, 24 and of the Regulation).

Connected to this is the duty to ensure that the law and regulations on the protection of personal data of data subjects are protected and applied from the design stage and by default (privacy by design and by default, Article 25 of the Regulation).

In compliance with the obligation of data protection by design, controllers must take an active conduct in the application of the principles, aiming to obtain a real protection effect. The requirement set out in Article 25 of the Regulation obliges controllers to ensure that data protection is integrated into the processing by design and by default throughout the entire life cycle of the processing.

The Regulation also provides that "where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks” (Article 35; Article 29 Working Party Guidelines No. 248 on "Data protection impact assessment and the criteria for determining whether a processing operation is appropriate" adopted in amended form on 4.10.2017).

In particular, an impact assessment is required whenever processing operations are likely to result in a high risk to the rights and freedoms of natural persons, meaning in particular those involving: (i) assessment or scoring; (ii) automated decision-making which produces legal effects concerning the data subject or similarly significantly affects him or her; (iii) systematic monitoring; (iv) processing of sensitive data or data of a highly personal nature; (v) processing on a large scale; (vi) matching or combining data sets; (vii) processing of data relating to vulnerable data subjects; (viii) innovative use or application of new technological or organisational solutions; (ix) processing that prevents the interested parties from exercising a right or from availing themselves of a service or a contract. In particular, the European Data Protection Board believes that the VIP must certainly be carried out whenever at least two of the aforementioned criteria are simultaneously met (part III, letter B) of the aforementioned Guidelines).

4. The defensive briefs and assessments of the Guarantor

With note of XX (prot. no. XX), the Institute sent its defensive briefs, without asking to be heard in a hearing, as provided for by art. 166, paragraph 5 of the Code.

4.1. On the principle of lawfulness, correctness and transparency

In relation to the objections raised by the Office of the Guarantor, the Institute has represented, with declarations for the truthfulness of which it is criminally liable pursuant to art. 168 of the Code, preliminarily that "within the two studies, the subject of the dispute, the patient enrollment phase had not been started, as stated in the minutes [...], a decisive circumstance for the purpose of declaring the merely potential and theoretical nature of the possible harmfulness of the contested violations and, therefore, exculpatory, or at least strongly mitigating, of the contested violations".

This declaration, confirming what has already been represented in relation to study 1), also clarifies the meaning of what was reported at the end of the inspections of XX, during which the Institute, with regard to Study 2), declared that "[...]. The study is ongoing and the enrollment phase has not yet been completed. At present, 58 potential patients, both alive and dead, have been identified".

In particular, with reference to the dispute of the violation of the principles of transparency and fairness, linked to the circumstance that during the patient acceptance phase a prior and generic consent for research purposes is collected from the interested parties, the Institute represented that it intended to collect such consent by implementing recital 33 of the Regulation, assuming a sort of progressive phase consent.

In this regard, without prejudice to what was highlighted above in relation to the case referred to in the aforementioned recital 33 of the Regulation, taking into account the good faith of the data controller, which emerges widely from the briefs presented and in particular the circumstance that, where possible, the consent of the interested parties is acquired in any case before the start of the processing of personal data for research purposes, the dispute of the violation of the principles of transparency and fairness referred to in art. 5, par. 1, letter a) of the Regulation is considered to be overcome.

4.2 On the impact assessment

With reference to the challenge of the violation of the obligation to carry out the VIP in relation to the processing of personal data necessary for the implementation of clinical studies and in particular those examined during the inspection (study 1 and 2), the Institute defended itself by representing in particular that it is "preparing the [impact] assessment activities certainly for those that are being started again and, in any case, also for studies in progress".

While acknowledging the commitment undertaken by the data controller, it is noted however that the processing of personal data relating to health and, if applicable, genetic data, relating to vulnerable subjects (such as patients), often carried out through combinations of data or on a large scale or through the use of new technologies (such as, for example, in Study 2, which involves the use of artificial intelligence techniques for the analysis of clinical and imaging data), certainly falls within those for which the VIP must be carried out in advance, pursuant to art. 35 of the Regulation (see Guidelines no. 248 cited in Part III, letter B). This is also relevant with specific reference to the retrospective clinical studies that the Institute claims to be based on art. 110-bis, paragraph 4 of the Code.

Considering, moreover, that the document on the basis of which the Institute decides whether or not the processing requires a VIP does not have as its object the examination of the risks related to the processing, no elements emerged from the defense briefs that could overcome the challenge of the violation of art. 35 of the Regulation.

In this last regard, it should be noted that the circumstance that the Institute did not start the patient enrollment phase in Studies 1) and 2), although it may be considered as a mitigating factor, is not in itself sufficient in this case to invalidate the contested violation, since the VIP by its very nature must be carried out before the start of the processing, and the documentation of the studies shows that the Institute carried out internal assessments, erroneously reaching the conclusion that it did not have to fulfil this obligation.

4.3 On the principle of transparency and the obligation to provide information to the interested parties

With reference to the contested violation of the principle of transparency pursuant to art. 5, par. 1, letter a) of the Regulation and the obligation to make public the information on the processing of personal data relating to deceased and uncontactable subjects enrolled in Study 2), pursuant to art. 14, par. 5, letter b) of the Regulation and art. 6, paragraph 3 of the Rules of Ethics, in its defense briefs the Institute stated that it considered it "satisfied precisely because of the double information provided to the patient, one at the first access to the Institute, the other at the start of the specific research for the individual project, in addition to the privacy information also provided on the website of the Institution, on the page dedicated to this purpose" and that "all retrospective and prospective studies are published on the company website, in the form of a resolution of acknowledgement".

In this regard, while acknowledging favorably the commitments undertaken by the Institute in relation to the information obligations, no elements useful for overcoming the challenge of violation of the principle of transparency, pursuant to art. 5, paragraph 1, letter a) of the Regulation, are found in the briefs presented, also in relation to the processing of personal data relating to deceased subjects who cannot be contacted, due to the systematic omission of the obligation to publish the information pursuant to art. 14, paragraph 5, letter b) of the Regulation and art. 6, paragraph 3 of the Deontological Rules.

With reference, however, to the information on data processing in the context of healthcare services, additional documentation has been produced to the records which proves that the previous one was incomplete, as the last page (3/3) was missing. The complete text containing all the information referred to in art. 13 and 14 of EU Reg. 2016/679 has been transmitted to the records and is available in the specific Privacy section of the institutional website (https://www.sanita.puglia.it/web/irccs/privacy1).

The challenge of the violation of art. 12 and 13 of the Regulation in relation to the information provided during patient acceptance is therefore considered to be overcome.

Finally, it should be noted that the objections relating to the information on the processing of personal data relating to Studies 1) and 2) prepared for the contactable subjects, placed at the bottom of the documentation and information preparatory to the collection of informed consent, have not been overcome. In fact, they are erroneous and incomplete as contested by the Office of the Guarantor and referred to in the previous point 2.3.

For these reasons, the violation by the Institute of the principle of transparency is therefore ascertained, taking into account the preparation of incomplete and/or erroneous information forms and the total absence of organizational measures as well as a specific policy to make public the information on the processing for research purposes of the personal data of deceased or uncontactable data subjects (art. 5, par. 1, letter a) and 13 of the Regulation).

4.4 On the limitation of data retention

With reference to the challenge of the violation of the principle of limitation of data retention, the Institute represented that "the limitation of the retention time will be indicated in compliance with the law and taking into account the specificity of the case, as already specified above".

In acknowledging favorably "the manifest will of the Entity to comply with the rules on health and research regarding the correct processing of personal data" and the commitment undertaken in this sense by the Institute, the violation of the principle of limitation of retention, pursuant to art. 5, par. 1, letter e) of the Regulation, is nevertheless ascertained for the reasons set out above (see par. 2 or 3).

4.5 On the Principle of accountability and privacy by design and by default

With regard to the challenge of the Institute's failure to effectively apply the principle of accountability and the obligations to protect personal data by design, in violation of art. 5, par. 2 and 25 of the Regulation, the latter, in defense, asked the Authority to "benevolently evaluate the company system of the Entity" by providing evidence of some specific actions that are intended to be undertaken.

On this basis, the Guarantor, in acknowledging the good faith of the Institute and the commitment already made in order to improve the technical and organizational measures aimed at ensuring effective application of the principles regarding the protection of personal data, nevertheless considers the violation of the obligations of protection of personal data by design to be ascertained and confirmed, in violation of Articles 5, paragraph 2 and 25 of the Regulation, for the reasons set out above (see paragraph 2.5).

5. Conclusions

In light of the assessments referred to above, and taking into account the declarations made pursuant to art. 168 of the Code during the investigation, the elements provided by the data controller in the defense brief, although worthy of consideration, do not allow, as illustrated and motivated above, most of the findings notified by the Office with the act of initiation of the proceeding to be overcome, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

For these reasons, the processing of personal data carried out by the Giovanni Paolo II Scientific Hospital and Care Institute of Bari is found to be unlawful as it violates art. 5, par. 1, letter e), par. 2, 9, par. 2, letter j), art. 14, par. 5, letter b), 25 and 35 of the Regulation, art. 110, paragraph 1, first part and 110-bis, paragraph 4 of the Code, and art. 6, paragraph 3 of the Rules of Ethics. Violation of the aforementioned provisions also makes the administrative sanction provided for by art. 83, paragraphs 4 and 5 of the Regulation applicable, pursuant to art. 58, paragraph 2, letter i), and 83, paragraph 3, of the Regulation itself and 166, paragraph 2 of the Code.

6. Corrective Measures

Article 58, paragraph 2 of the Regulation provides the Guarantor with a series of corrective powers, of a prescriptive and sanctioning nature, to be exercised in the event that unlawful processing of personal data is ascertained, including that of "ordering the controller or processor to bring the processing into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specific period" (Article 58, paragraph 2, letter d) of the Regulation).

In light of the assessments referred to above, it is believed that it is necessary to order the Institute, pursuant to the aforementioned Article 58, paragraph 2, letter d) of the Regulation, to adopt, within ninety days of notification of this provision, the following corrective measures:

- to carry out the impact assessment pursuant to Article 35 of the Regulation and Articles 110 and 110-bis, paragraph 4 of the Code (par. 4.2);

- to publish the information in relation to the processing of personal data relating to deceased and uncontactable subjects, pursuant to art. 14, paragraph 5, letter b) of the Regulation and art. 6, paragraph 3 of the Rules of Ethics (par. 4.3);

- to integrate, modify and rectify the information on the processing of personal data relating to Studies 1) and 2) prepared for contactable subjects (par. 2.3 and 4.3), in particular:

  - eliminating the indication that following the entry into force of the Regulation, it would replace resolution 52 of 24/7/2008 containing the “Guidelines for the processing of personal data in the context of clinical trials of medicinal products, in order to describe in more detail your rights […]”;

  - clearly indicating the legal bases of the processing (Article 13, paragraph 1, letter c) of the Regulation);

  - indicating the period of retention of personal data or the criteria used to determine it (Article 13, paragraph 2, letter a) of the Regulation);

  - clearly representing the rights of the interested parties and the right to withdraw consent;

  - providing for the possibility of exercising the right of access for the entire duration of the processing.

7. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (Articles 58, paragraph 2, letter i) and 83 of the Regulation; Article 166, paragraph 7, of the Code).

Violation of Article 5, paragraph 1, letter e) and paragraph 2, of Article 9, paragraph 2, letter j), of Articles 13, 14, paragraph 5, letter b) and of Articles 25 and 35 of the Regulation, of articles 110, paragraph 1, first part and 110-bis, paragraph 4 of the Code and of art. 6, paragraph 3 of the Rules of Ethics committed by the Institute is subject to the application of the administrative pecuniary sanction, pursuant to art. 83, paragraph 4, letter a) and 5, letters a) and b) of the Regulation.

The Guarantor, pursuant to art. 58, paragraph 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Garante] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Garante pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Garante Regulation no. 1/2019).

The amount of the aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in Article 83, paragraph 1, of the Regulation, in light of the elements provided for in Article 83, paragraph 2 of the Regulation, in relation to which it is noted that:

- the processing carried out concerned, in particular, information capable of revealing the state of health of patients enrolled in clinical studies conducted by the Institute within its lines of research (Article 4, paragraph 1, no. 13 and 15 of the Regulation and Article 83, paragraph 2, letters a) and g) of the Regulation);

- from the perspective of the subjective element, no intentional attitude on the part of the data controller emerges, the violations ascertained having occurred in good faith (Article 83, paragraph 2, letter b) of the Regulation);

- there are no previous relevant violations committed by the data controller nor have measures pursuant to Article 58 of the Regulation been previously ordered (Article 83, paragraph 2, letter e) of the Regulation);

- the Institute has proven to be cooperative during the inspection and the present proceeding;

- although there are still some non-compliance profiles with the current regulatory framework on the protection of personal data highlighted above, the Institute has already implemented some corrective measures in relation to the processing of personal data carried out (art. 83, par. 2, letter c) of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction provided for by art. 83, par. 4 and 5, of the Regulation, in the amount of € 10,000.00 (ten thousand/00) for the violation of art. 5, par. 1, letter e), and par. 2, of art. 9, par. 2, letter j), of arts. 13, 14, par. 5, letter b) and of arts. 25 and 35 of the Regulation, of arts. 110, paragraph 1, first part and 110-bis, paragraph 4 of the Code and art. 6, paragraph 3 of the Rules of Ethics as an administrative pecuniary sanction deemed, pursuant to art. 83, paragraphs 1 and 3, of the Regulation, to be effective, proportionate and dissuasive.

It is also believed that the accessory sanction of publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Istituto di Tumori "Giovanni Paolo II" I.R.C.C.S., with registered office in Viale Orazio Flacco 65, 70124 Bari (BA) - C.F and P.I.:00727270720, for the violation of art. 5, par. 1, letter e), and par. 2, of art. 9, par. 2, letter j), of arts. 13, 14, par. 5, letter b) and of arts. 25 and 35 of the Regulation, of arts. 110, paragraph 1, first part and 110-bis, paragraph 4 of the Code and of art. 6, paragraph 3 of the Rules of Ethics in the terms set out in the reasons.

ORDERS

pursuant to arts. 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, the Institute to pay the sum of € 10,000.00 (ten thousand/00) as a pecuniary administrative sanction for the violations indicated in this provision. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ORDERS

to the Institute:

1. to pay the sum of € 10,000.00 (ten thousand/00) (in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

2. to bring the processing into conformity with the provisions of the Regulation, adopting the corrective measures indicated in paragraph 6 of this provision, no later than 90 days from notification of this provision, pursuant to art. 58, paragraph 2, letter d), of the Regulation. Failure to comply with an order formulated pursuant to art. 58, paragraph 2, of the Regulation is punishable by the administrative sanction referred to in art. 83, paragraph 6, of the Regulation;

3. to communicate what initiatives have been undertaken in order to implement the provisions of the aforementioned paragraph 6 and to provide, in any case, adequately documented feedback, no later than 20 days after the expiry of the deadline indicated above, pursuant to art. 58, paragraph 1, letter a), of the Regulation and art. 157 of the Code. Failure to respond to a request made pursuant to art. 157 of the Code is punishable by an administrative sanction, pursuant to the combined provisions of art. 83, paragraph 5, of the Regulation and 166 of the Code.

ORDERS

pursuant to art. 166, paragraph 7 of the Code, the publication of this provision in full on the website of the Guarantor and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei