Garante per la protezione dei dati personali (Italy) - 9791886

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 35 GDPR
Article 36 GDPR
D.Lgs. 30 giugno 2003, n. 196, art. 110
Prescrizioni relative al trattamento dei dati personali effettuato per scopi di ricerca scientifica, allegato n. 5 al Provvedimento che individua le prescrizioni contenute nelle Autorizzazioni generali che risultano compatibili con il Regolamento e con il d.lgs. n. 101/2018 di adeguamento del Codice, del 5 giugno 2019
Regole deontologiche per trattamenti a fini statistici o di ricerca scientifica adottate dal Garante, ai sensi dell’art. 20, comma 4, del d.lgs. 10 agosto 2018, n. 101, con provvedimento n. 515, del 19 dicembre 2018
Type: Advisory Opinion
Outcome: n/a
Started: 04.02.2022
Decided: 30.06.2022
Published: 30.06.2022
Fine: n/a
Parties: Azienda Ospedaliera Universitaria Integrata di Verona
National Case Number/Name: 9791886
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Newsletter del Garante (in IT)
Initial Contributor: InLoveWithPrivacy

Medical research: green light from the Italian Garante for 'step-by-step' consent

English Summary

Facts

The Garante authorised the collection and storage of data in the 'Torax' database on the basis of an initial consent, expressed by patients when they took part in the study, provided that the hospital subsequently acquires specific consents from patients or the opinion of the Garante for those who have died or can no longer be contacted, as the research projects are further defined and approved by the territorially competent ethics committees.

Holding

Favourable opinion of the Italian Garante on the processing of data by the Azienda Ospedaliera Universitaria Integrata di Verona aimed at studying patients suffering from neoplastic, infectious, degenerative and traumatic diseases of the thoracic district. The project envisages the creation of a database and research activities in nine areas that will be the subject of further specific protocols and submitted to the relevant ethics committees. In order to give the go-ahead the Authority required researchers to base the collection - and subsequent processing of health data for medical research purposes - on 'stepwise' consent.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.



SEE ALSO NEWSLETTER OF 26 JULY 2022



[doc. web n. 9791886]

Opinion pursuant to art. 110 of the Code and art. 36 of the Regulation - 30 June 2022

Record of measures
n. 238 of 30 June 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC - General Data Protection Regulation (hereinafter the "Regulation");

GIVEN, in particular, the articles 35 and 36 of the Regulation relating, respectively, to the impact assessment on data protection and the prior consultation of the Authority;

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data" (hereinafter the "Code");

GIVEN art. 110, paragraph 1, second sentence of the Code which, in relation to the processing of personal data for medical, biomedical and epidemiological research, provides in particular that "consent is also not necessary when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or it risks making it impossible or seriously jeopardizing the achievement of the research objectives. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, the research program is subject to a reasoned favorable opinion from the competent ethics committee at local level and must be subject to prior consultation with the Guarantor pursuant to article 36 of the Regulation";

GIVEN the legislative decree 10 August 2018, n. 101 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46 / EC (general regulation on data protection) ", in particular art. 21;

HAVING REGARD to the Prescriptions relating to the processing of personal data carried out for scientific research purposes, attachment no. 5 to the Provision which identifies the provisions contained in the General Authorizations that are compatible with the Regulation and with Legislative Decree no. 101/2018 to adapt the Code, dated 5 June 2019 (web doc. 9124510, hereinafter "Prescriptions");

GIVEN the deontological rules for processing for statistical or scientific research purposes adopted by the Guarantor, pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, n. 101, with provision no. 515, of December 19, 2018 (web doc. No. 9069637, hereinafter "Deontological Rules");

GIVEN the request for prior consultation submitted, pursuant to Articles 110 of the Code and 36 of the Regulation, by the Integrated University Hospital of Verona, with registered office in P.le A. Stefani, 1 - 37126 Verona, for the realization of a clinical study called "DB Torax" (note of 4 February 2022);

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n. 1098801;

Rapporteur the lawyer Guido Scorza;

WHEREAS

1. The request for prior consultation

The Integrated University Hospital of Verona (hereinafter the "Company") has submitted a request for prior consultation, pursuant to art. 110, paragraph 1, last paragraph of the Code and art. 36 of the Regulation, as promoter of the interdepartmental, prospective, retrospective, non-pharmacological observational study called "DB Torax" (hereinafter the "Study"), by sending the protocol and the related impact assessment, drawn up pursuant to art. 35 of the Regulation, due to the fact that among the enrolled patients there are also deceased or no longer contactable subjects (note of 4 February 2022).

The Study provides for the creation of a "register" or "database" through "the collection of structured data that allows to examine the population of patients suffering from neoplastic and non-neoplastic pathologies of the thoracic district".

Specifically, "the data of the patients being treated include:

- "personal data,

- identification data (patient code);

- underlying conditions of patients,

- diagnosis and medical treatment,

- laboratory and imaging framework,

- outcomes of remote treatments in terms of clinical results, complications,

- percentage of recovery during the hospital stay

- relapse rates based on the different modalities of therapy and follow-up ".

Based on the impact assessment, the processing of data relating to the racial and ethnic origin of the data subjects would also be envisaged and it is specified that "The purpose of the processing is to create a database on which to build future analyzes and studies aimed at improving the knowledge and clinical practice in the thoracic district pathologies sector ".

More specifically, "The purposes for setting up this database are as follows:

- Evaluate the impact and results of the various surgical, medical and radiotherapy therapeutic practices, alone or in association with complementary therapies in various malignant and benign pathological conditions.

- Evaluate the prognostic impact of environmental and professional factors;

- Evaluate the prognostic impact of clinical factors.

- Validate the new classification editions of the TNM, identify and validate new additional features for possible inclusion in future revisions of the TNM classification.

- To study new conditions not included in the present TNM and to evaluate their prognostic impact (biomarkers, mutations present in the tumor tissue, clinical data, residual tumor) in thoracic oncological pathology.

- Assess the prognostic impact of complete, incomplete and uncertain resections, according to the proposed definitions of IASLC.

- Assess the prognostic impact of new surgical therapies alone or in combination with other methods.

- Assess the prognostic impact of new oncological therapies alone or in combination with other methods.

- Evaluate the reliability of the methods used in clinical staging (for those tumors with pre- and post-treatment classification and pre- and post-surgical modalities) according to the new and future modifications of the international classifications ”(point 2 of the study protocol).

In this regard, the study protocol specifies that “Detailed statistical analysis plans will be set up in future research protocols that will use this database as a data source in order to achieve the objectives [of] the specific studies”.

The Study provides that "Personal data, including health data, [of about 500 patients per year] will be collected both retrospectively, starting from January 1, 2010, and prospectively for the next 15 years" and “Will be kept for a period of 20 years”.

With specific reference to the legal bases of the processing, the Company has represented that for the prospective collection of data, they are to be found in the consent of the interested parties acquired "upon delivery of the information to patients regarding the processing of their personal data, bearing in below the relative formula for the acquisition of consent ". In relation to the retrospective collection, the data are already present in the systems of the data controller and collected on the occasion of health services. In this regard, since "numerous patients have died, or are no longer in charge for [the] follow up (also by choice of the individual patient) and are not available", it being impossible to inform them and collect their consent, the Company has resorted to the “procedure of art. 110 of Legislative Decree 196/2003 ”which is the subject of this opinion. In this regard, the Company represented that it had "tried to contact the patients selected to be retrospectively included in the Study, but only less than 10% was found to be available, so there is a residual numerical component essential for the scientific validity of the Study, deceased or not contactable ".

For the purposes of patient enrollment, "the doctor will check the inclusion and exclusion criteria by consulting the medical record and will enroll in the study" which will be monitored "taking into account two objectives: to keep track of the recruitment of specific subgroups defined on the basis of the geography, stage or modality of treatment in order to target clinical data on subgroups, and demonstrate the objectivity of the study sample with regard to the selected subjects ".

In relation to the processing methods, the Company has highlighted in the impact assessment that personal data will mainly be processed in an automated form, using an e-CRF (electronic Case Report Form) created specifically for the Study, managed and stored through the “secure, web-based software platform” called “REDCap (Research Electronic Data Capture)” […] “designed to support the acquisition and storage of data for research studies”. In particular, “The platform generates a unique identification code associated with each subject involved in the Study, which allows researchers to locally maintain the association with their respective personal data. The possibility of tracing the origin of the data is justified by the need to carry out follow-up studies for patients under treatment at the Operational Units involved, or in the case of scientific results that may have a detectable impact for the subject himself, on the basis of decisions expressed in the informed consent to participate in the Study”.

The Company indicated in the impact assessment that the "overall duration of the Study is 15 years, with 10 years of retrospective collection. The data will be kept for a period of 20 years". On this point, it was clarified that this retention period is necessary in order to "build future analyzes and studies, aimed at improving knowledge and clinical practice in the sector of pathologies of the thoracic district". After this period "the data will be made completely anonymous, eliminating the link between the patient's name and his pseudonym". However, it is indicated in the protocol of the Study that "The Sponsor undertakes to keep the original paper documentation (eg informed consent) for at least 25 years in compliance with current legislation".

It was also envisaged that "Anonymous access to data by parties external to the research team will be examined from time to time by a scientific commission composed of the main investigators and co-experimenters, which will decide whether to grant access to data for these protocols based on the scientific quality of the same, however assuming compliance with the indications set out in this document establishing the database ".

The impact assessment also describes the existing and planned security measures that will be implemented for the realization of the Study in light of the risks that have been highlighted for the fundamental rights and freedoms of the data subjects.

The Company has represented that an information notice on the processing of personal data relating to the Study will be provided, pursuant to art. 13 of the Regulation, to the subjects directly contacted.

The aforementioned study obtained, on February 15, 2022, the favorable opinion of the Ethics Committee territorially competent for the clinical trial of the Company.

2. The applicable legislation

The processing of personal data must take place in compliance with the legislation provided for by the Code and the Regulations. In this regard, it should be noted that "personal data" means "any information concerning an identified or identifiable natural person (" interested party "); the natural person is considered identifiable who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social "(art. 4, par. 1, n. 1 of the Regulations).

On the other hand, "(...) information that does not refer to an identified or identifiable natural person or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the interested party" is considered anonymous, this also for treatments carried out for statistical or research purposes (see recital no. 26 of the Regulation and "WP29 Opinion 05/2014 on Anonymization techniques", adopted on 10 April 2014).

In this context, the processing of personal data for scientific research purposes must be carried out not only in compliance with the specific provisions of the Regulation and the Code (articles 5, paragraph 1, letter b) and e), 9, par. 2, lett. j) 89 of the Regulation and art. 110 of the Code) but also the Prescriptions relating to the processing of genetic data (if necessary) and the Prescriptions relating to the processing of personal data carried out for scientific research purposes, annexes 4 and 5 to the provision of 5 June 2019 (web doc 9124510) , as well as the deontological rules for processing for statistical or scientific research purposes annex A5 to the Code, which constitute an essential condition of lawfulness and correctness of the processing (Article 2-quater of the Code and Article 21, paragraph 5 of Legislative Decree 10 August 2018, n.101).

With specific reference to the pursuit of scientific research purposes in the medical, biomedical and epidemiological fields, it should be noted that they are admitted after obtaining the consent of the interested party.

Without invalidating the obligations relating to consent, recital 33 of the Regulation recognizes that “In many cases it is not possible to fully identify the purpose of the processing of personal data for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research where there is compliance with recognized ethical standards for scientific research. Interested parties should have the possibility to give their consent only to certain research sectors or parts of research projects to the extent permitted by the intended purpose "(articles 5, paragraph 1 letter a) 6, 7 and 9 of the Regulation; Guidelines 5/2020 on consent pursuant to regulation (EU) 2016/679 of 4 May 2020 of the European Data Protection Board, cf. point 7.2).

The deontological rules for treatments for statistical or scientific research purposes also establish that "In giving his consent to a medical or epidemiological investigation, the interested party is required to declare whether or not he wants to know any unexpected discoveries that emerge against him during the research "providing for specific procedures for the communication of such so-called incidental findings to the interested parties, in order to ensure respect for their dignity as well as the protection of informative self-determination of the same, also in relation to the so-called" right not to know "(Article 8 ).

The assumption of consent is not necessary "(...) when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the purposes of the research. In the latter cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, the research program is subject to a reasoned favorable opinion from the competent ethics committee at local level and must be subjected to prior consultation of the Guarantor pursuant to article 36 of the Regulation" (article 110 of the Code, article 9, paragraph 2, letter j) and par. 4 of the Regulation).

It is also pointed out that further processing and further storage of personal data for scientific research purposes are allowed within the limits of the reference regulatory framework (cons. 50, articles 5, paragraph 1, letter b) and e), 6 , para. 4 of the Regulation, point 5.6 of the Prescriptions for the processing of personal data for scientific research purposes; see also A Preliminary Opinion on data protection and scientific research, adopted on January 6, 2020 by the European data protection Supervisor, (EDPS), and Opinion 3/2019 on questions and answers on the interaction between the clinical trial regulation and the General Data Protection Regulation (Article 70, paragraph 1, letter b), of 23 January 2019 and the Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research, of 2 February 2021, adopted by the European data protection Board (EDPB).

Continuing with the indication of the main provisions on the protection of personal data relevant in the case in question, it is finally pointed out that, if the data are obtained from third parties, the data controller may not provide the information referred to in paragraphs 1 to 4 of art. 14 of the Regulation, to the extent that their communication is impossible or involves a disproportionate effort. This, in particular, in the context of the treatments carried out for scientific research purposes, without prejudice to the conditions and guarantees referred to in Article 89, par. 1 of the Regulation. In such cases, the data controller is in any case required to take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, also making the information public (Article 14, paragraph 5, letter b) of the Regulation). On this point, art. 6, paragraph 3 of the Deontological Rules for processing for statistical or scientific research purposes, states that "When the data is collected from third parties, or the processing carried out for statistical or scientific purposes concerns data collected for other purposes, and providing the information requires a disproportionate effort compared to the protected right, the data controller adopts suitable forms of publicity", providing examples in this regard.

3. The preliminary activity

In light of the aforementioned legislation, during the investigation (note of 25 February 2022, prot. No. 12699 and meetings of 11 and 27 April 2022), the Office deemed it necessary to acquire specific information in order:

- to the further processing purposes, the related legal conditions and the measures referred to in art. 89 of the Regulation;

- the methods envisaged for providing information to interested parties not directly contacted, pursuant to art. 14, paragraph 5, lett. b) of the Regulations and art. 6 of the Deontological Rules;

- the data anonymization techniques for the transmission of the same to third parties.

With reference to the further processing purposes, the Company first clarified that "What these specific studies have in common is the use of the same data source - namely the Torax DB which contains pseudonymised data, as implemented from year to year for the entire duration of the Study [...] - since these studies refer to the same pathologies of the thoracic district object of the DB Torax Study, with the effect that the purposes of the further specific studies are compatible with those indicated in the Original study".

Having said this, in relation to the legal prerequisite for conducting the analyzes listed above, "which will also be the subject of specific spontaneous observational studies" (the "future studies"), it was considered that it is to be found in the consent given by the interested parties contacted during recruitment "granularized on the basis of the individual purposes listed in paragraphs 2 and 8 of the protocol of the Study for the establishment of the DB Torax", or in the procedure referred to in art. 110 of the Code advanced with the request of February 4, 2022, for deceased or non-contactable subjects. This, without prejudice to the submission of the relative “specific protocols”, from time to time to the competent Ethics Committee for the relative approval.

In this regard, it was clarified that "The interested party can therefore freely decide not only whether or not to participate in the Study, but also whether the data collected within the Study can be used for the specific studies that will be conducted in the areas listed in the paragraph 2 of the study protocol. The above takes into account the "EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research" adopted on February 2, 2021, and in particular the requirements of paragraphs 20 and following for the application of art. 5, par. 1, lett. b), of art. 89 and of Recital 33, GDPR".

The Company also provided specific clarifications regarding the retention times of the data indicated in 20 years from the closure of the study, "meaning the date of enrollment of the last patient". In particular, it was shown that "This deadline was determined taking into account the need to allow the carrying out of observational studies with long follow-up". In this regard, it was reiterated in fact that "the DB Torax will constitute the starting point for subsequent spontaneous studies, in any case relating to the pathologies of the thoracic district, conducted within the company on data that, in case of need, can allow those entitled to trace the identity of the patients involved ". The Company also underlined that it is necessary to "consider that in tumors of the thoracic district the survival curves are five / ten years after surgery, and that among the patients enrolled in the study there are people with a normal life expectancy post surgery, and therefore the need to follow over time, even for a long time, the evolution of their disease is not uncommon ”.

In relation to the measures referred to in art. 89 of the Regulation, the Company, in reiterating all of the above in relation to pseudonymisation techniques, specified that "The only subjects who will be able to access the DB Torax, and the e-CRF of the Study, are the researchers of AOUI Verona who will participate in the Study and specific studies, duly authorized pursuant to art. 29 of the GDPR and art. 2-quaterdecies of the Code, with the express exclusion of any third party".

It was also specified that “at the end of the study, the data in the Torax DB will be kept for 20 years, and subsequently anonymized”.

With reference to data anonymization, it was specified that "AOUI Verona will adopt the randomization technique by adding noise (par. 3.1.1 of WP216 "Opinion 05/2014 on anonymization techniques" adopted by WP29 on 10/04/2014), eliminating some parameters from the e-CRF and, consequently, from the DB Torax" and that the data are disclosed to third parties only in anonymized form.

More specifically, in relation to this aspect it was clarified that "The anonymization techniques adopted are the following:

A) ELIMINATION from the e-CRF and, consequently, from the Torax DB of some parameters;

B) RANDOMIZATION by adding noise [...]

C) GENERALIZATION through aggregation and K-anonymity [...] ".

The "elimination" will involve 51 variables including those that lead to the direct identification of the interested parties ("record_id" and "patient code"), additional variables in excess or suitable for increasing the risk of re-identification (eg date of birth, signature of the informed consent), as well as those "useful more for the organizational purposes of the Study than for the purposes of data analysis".

The variables subject to "randomization" will instead be 57 and will concern 3 categories: "value in years for age at enrollment ("age_at_enrollment") [...] age at diagnosis ("age_diagnosis"), and [...] days for the remaining variables of the section concerning all the dates reported in the Torax DB". In this regard, it was clarified that "The randomization technique with the addition of noise provides for a fixed range of values for a variable within which to randomly choose the one to add to or subtract from the source value of the variable subjected to this technique".

On the other hand, 293 variables will be subject to "generalization". On this point, it was clarified in particular that "The generalization technique by means of aggregation and K-anonymity consists in ensuring that each value relating to an interested party is shared by at least a minimum number (k) of other people within the whole. Therefore, if this does not happen, it is necessary to plan to aggregate the subjects into groups that contain at least k subjects".
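
The three techniques described above (elimination, noise within a fixed range, generalization with k-anonymity) chained into one release step; this is an added illustration, not the hospital's or the Garante's code. The noise ranges, band widths, suppression fallback and the fields sex, stage and surgery_date are assumptions; record_id, patient code, date of birth, age_at_enrollment and age_diagnosis are named in the opinion.

```python
import datetime as dt
import random
from collections import Counter

# Assumed field roles; only the first five names come from the opinion.
DIRECT_IDENTIFIERS = {"record_id", "patient_code", "date_of_birth"}
AGE_FIELDS = ("age_at_enrollment", "age_diagnosis")
DATE_FIELDS = ("surgery_date",)                      # hypothetical date variable
QUASI_IDS = ("sex", "age_at_enrollment", "surgery_date")

def eliminate(record):
    """Technique A: drop identifying variables entirely."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def add_noise(record, rng, max_years=2, max_days=30):
    """Technique B: add a random offset chosen from a fixed range."""
    out = dict(record)
    for field in AGE_FIELDS:
        out[field] = record[field] + rng.randint(-max_years, max_years)
    for field in DATE_FIELDS:
        shift = dt.timedelta(days=rng.randint(-max_days, max_days))
        out[field] = record[field] + shift
    return out

def band(age, width):
    """Map an exact age to a band label such as '65-69'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def generalize(record, width):
    """Technique C: replace exact ages with bands and dates with years."""
    out = dict(record)
    for field in AGE_FIELDS:
        out[field] = band(record[field], width)
    for field in DATE_FIELDS:
        out[field] = record[field].year
    return out

def class_sizes(records, quasi_ids):
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def anonymize(records, quasi_ids, k, rng=None, widths=(5, 10, 20)):
    """Return (released_records, band_width_used, suppressed_count)."""
    rng = rng or random.SystemRandom()   # OS randomness unless a test RNG is passed
    noisy = [add_noise(eliminate(r), rng) for r in records]
    if not noisy:
        return [], widths[0], 0
    for width in widths:                 # aggregate more coarsely until k holds
        released = [generalize(r, width) for r in noisy]
        sizes = class_sizes(released, quasi_ids)
        if min(sizes.values()) >= k:
            return released, width, 0
    # Coarsest bands still leave groups below k: withhold those records.
    kept = [r for r in released if sizes[tuple(r[q] for q in quasi_ids)] >= k]
    return kept, width, len(released) - len(kept)

# Constructed sample rows (sex, age at enrollment, age at diagnosis, stage).
_ROWS = [("F", 66, 65, "II"), ("F", 67, 66, "II"), ("F", 64, 63, "II"),
         ("M", 58, 57, "I"), ("M", 59, 59, "I"), ("M", 57, 56, "I"),
         ("M", 83, 82, "IV")]            # outlier that no band width can hide
SAMPLE = [
    {"record_id": i, "patient_code": f"P{i:04d}",
     "date_of_birth": dt.date(2021 - age, 1, 15), "sex": sex,
     "age_at_enrollment": age, "age_diagnosis": diag,
     "surgery_date": dt.date(2021, 3, 1) + dt.timedelta(days=20 * i),
     "stage": stage}
    for i, (sex, age, diag, stage) in enumerate(_ROWS, 1)
]

if __name__ == "__main__":
    released, width, suppressed = anonymize(SAMPLE, QUASI_IDS, k=3)
    print(f"band width {width}, released {len(released)}, suppressed {suppressed}")
    for key, size in class_sizes(released, QUASI_IDS).items():
        print(key, size)
```

Draw the noise once per record and store the released value: re-drawing it for every export lets a recipient average the offsets away. k-anonymity bounds group size only, so a group whose members all share the same stage still discloses that attribute.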

Finally, in relation to the methods for making public the information to be provided to interested parties in relation to the data collected from third parties, the Company stated that "it will inform users of the promotion of the Study and related specific studies through a specific information page published on its website, to be disseminated on the Company's social channels, inviting you to get in touch, for whatever reason, with the competent UOCs, in order to reach patients who cannot be contacted" (notes March 17 and May 24, 2022).

4. Evaluation of the Authority

4.1 The legal bases of the processing

The Company, as Promoter of the DB Torax Study and data controller, as required by art. 110 of the Code and art. 36 of the Regulation, submitted to the Guarantor the protocol and the impact assessment on the protection of personal data connected to the processing necessary for its implementation.

From the documentation examined, the Guarantor believes that the Company has proven the need to create the aforementioned database, representing how it can allow "to examine the population of patients suffering from neoplastic pathologies and not of the thoracic district, which includes in detail: basic conditions of the patients, their diagnosis, their treatment, the laboratory and imaging picture, as well as the results of remote treatments […]. This will allow us to generate and test biological hypotheses, correlated with each other by numerous clinical factors with multivariate analyzes and quality controls of clinical procedures "and that" The collection of this information will allow us to have an overall picture in terms of survival and to be able to compare and evaluate the results of our interventions ". In fact, the project and the impact assessment do not present elements such as to make the establishment of the database and the related treatments disproportionate to the aims to be pursued. This noted in particular that the project, in providing for the establishment of the DB Torax with a single data controller, excludes that the data collected therein can be accessed by third parties external to the owner's structure unless they have been previously anonymized.

The Company has also correctly identified the legal bases (consent or art.110 of the Code) for the establishment of the aforementioned database, which contains a reasoned set of data aimed at constituting the starting point for the realization of specific future studies, including longitudinal ones. (follow-up) relating to thoracic pathologies, neoplastic and not, related to the nine objectives indicated in point 2 of the protocol and referred to above, having also adequately proved the impossibility to contact all the subjects who intend to enroll in the study. In this regard, the Company represented that it had "tried to contact the patients selected to be retrospectively included in the Study, but only less than 10% was found to be available, so there is a residual numerical component essential for the scientific validity of the Study, deceased or not contactable ".

The same considerations, on the other hand, cannot be formulated in relation to the legal conditions identified for the subsequent phases of the treatment concerning the conduct of what are defined as “further and specific studies”. To this end, the Company would, in fact, intend to limit itself to obtaining the favorable opinion of the competent ethics committee at the local level, by virtue of the alleged compatibility of these purposes with that of the collection.

Consent in progressive stages

In relation to the aforementioned successive phases of the processing concerning the conduct of what are defined as "further and specific studies", it should be noted that the proposed legal reconstruction does not appear to be correct. The case in point, rather than concerning hypotheses of personal data processing for the pursuit of additional (and compatible) purposes with respect to that of collection, is attributable to the situation contemplated by recital 33 of the Regulation which, in residual circumstances, admits that the interested parties can give consent in progressive stages for the processing of personal data for scientific research purposes, when at the time of collection it is not possible to fully identify the specific purposes of the processing. This takes into account that, even in relation to the processing in question, it is not possible to derogate from the requirement of the specificity and granularity of consent (articles 6 and 7 of the Regulation and paragraph 7.2 of the Guidelines no. pursuant to Regulation (EU) 2016/679).

In the case in question, the Company, in fact, at the time of data collection, is in a position to acquire the consent of the interested parties only for the collection and storage of the same within the DB Torax (hereinafter referred to for brevity as "first consent"), taking care to acquire further consent for the nine areas of investigation indicated in the aforementioned point 2 of the protocol (hereinafter "second consent" for brevity).

Indeed, even if the data controller foresees, with an appreciable effort in terms of accountability, to acquire the aforementioned two manifestations of will at the time of data collection, they are substantially overlapping and in themselves not suitable for legitimizing the processing of personal data for the realization of further and, in any case, future research projects, not yet defined. The nine areas of investigation indicated in the aforementioned point 2 of the protocol represent, in fact, the macro research purposes for which the DB is created. In the absence of such indications, the collection and storage of data in the DB would not have been possible either, due to the lack of the preliminary indication of the purpose of the processing, intended to be fully represented in future research projects (Article 5, paragraph 1, lett. b) of the Regulation).

In this regard, it is emphasized that the European Data Protection Board has recently reiterated that "the notion of research cannot be extended beyond its common meaning and that "scientific research" in this context means a research project established in accordance with the relevant sectorial methodological and ethical standards, in line with good practices", thereby confirming that in this sector the purpose of the processing must be identified in the specific research project to be carried out (Guidelines 5/2020 on consent pursuant to regulation (EU) 2016/679, cit.).

Furthermore, it should be noted that the Deontological Rules expressly provide that the research must be carried out on the basis of a project drawn up in accordance with the methodological standards of the relevant disciplinary sector (art. 3).

In the case in question, however, it is the data controller itself that declares that future studies, including those relating to the nine areas of observation indicated in the study protocol, will be subject to specific protocols that will be submitted to the territorially competent ethics committees for the acquisition of the expected opinion. This demonstrates how the determined and specific purpose of the processing will be identified in progressive stages in a complete and timely manner only upon the outcome of the approval of future research projects.

With reference to patients who cannot be contacted, the prior consultation in question, together with the favorable opinion of the territorially competent Ethics Committee, constitutes the legal prerequisite equivalent to consent, for the collection and storage of data in the database.

It follows that the Company, as data controller, upon the outcome of the approval of future research projects by the competent Ethics Committees, will have to integrate the manifestations of will of the interested parties already collected with specific consents, so as to obtain progressively a suitable legal basis for the processing of data for scientific research purposes (Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679 of 4 May 2020 of the European Data Protection Board, cf. point 7.2) or, where it is in one of the conditions referred to in art. 110 of the Code and in point 5.3 of the Prescriptions, it will have to make specific requests for prior consultation pursuant to the aforementioned art. 110 of the Code.

On this point, the European Data Protection Board clarified, in fact, that "recital 33 does not affect the obligations relating to the requirement of specific consent. This means that, in principle, scientific research projects can include personal data on the basis of consent only if they have a well-described purpose" (see par. 7.2 and point 155), admitting in an exceptional and residual way that "when it is not possible to fully specify the purposes of the research, the data controller must look for other ways to ensure compliance with the essence of the consent requirements, for example by allowing interested parties to consent to a research purpose in more general terms and to specific stages of a research project that is known from the outset will take place. As the research progresses, it will therefore be possible to obtain consent for the subsequent phases of the project before the start of the corresponding phase. However, such consent should in any case be in line with the ethical rules applicable to scientific research" (see par. 7.2 and point 158).

- Further processing

Therefore, the reference made by the data controller in the documentation on file appears unsuitable. It is made, moreover, in a completely incidental form, with the declaration of the Company that "the purposes of the specific further studies are compatible with those indicated in the original Study", and is presumably aimed at founding the legal prerequisite for carrying out further specific studies on the presumption of non-incompatibility of the same with the purpose of the collection, as they would always focus on chest pathologies (recital 50 and art. 5, par. 1, letter b) of the Regulation).

In this regard, it is emphasized, as noted above, that at the time of collection the purposes of the processing are not duly defined except for what concerns the creation of the database. In fact, the Company itself declares that "The purpose of the treatment is to create a database on which to build future analyzes and studies aimed at improving knowledge and clinical practice in the field of pathologies of the thoracic district".

It follows that the consents collected for the creation of the DB Torax (or, alternatively, the prior consultation procedure in question) cannot also constitute the legal basis for further processing, since they represent a still partial manifestation of will that will be progressively completed by further and specific requests for consent that must be made by the Company when carrying out future studies (recital 50 and art. 6, par. 4, of the Regulation and Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, cit.).

According to recital 50 of the Regulation, in fact, in order to carry out further processing on the assumption of lawfulness of the original processing, the data controller must have verified that it satisfies all the requirements of the Regulation. This is without prejudice to the fact that the data controller must also verify the possibility, in practice, that the legal basis of the first processing can also support any further processing (see recital 50, second part, of the Regulation).

From another point of view, without prejudice to the further and more specific indications, currently being drawn up, which will come from the European Data Protection Board and the European Supervisor on this issue, it is necessary to restore the "presumption of non-incompatibility of the purpose of research" pursuant to art. 5, par. 1, lett. b) of the Regulation to the nature of exception that is proper to it and which as such does not admit analogical or extensive interpretations, all the more so in the case of processing of particular categories of data for which there is, in general terms, a prohibition of processing (cf. Opinion 3/2019 on questions and answers on the interaction between the regulation on clinical trials and the general regulation on data protection, of 23 January 2019; A preliminary Opinion on data protection and scientific research, of 6 January 2020, cit.; Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research, of February 2, 2021, cit.; provision of the Guarantor of November 1, 2021, web doc. 9731827). Having said all this, it is therefore considered necessary that the Company also acquire additional and specific consents from the patients registered in the DB Torax in relation to each of the future research studies that it intends to carry out, following the approval of the same research projects by the competent ethics committees.

Where the Company is in one of the conditions referred to in art. 110 of the Code and in point 5.3 of the Prescriptions, instead of acquiring consent, it will have to make specific requests for prior consultation pursuant to the aforementioned art. 110 of the Code.

4.2 Retention times

As noted above, the data retention times are indicated as 20 years from the closure of the study, "meaning the date of enrollment of the last patient". Patient enrollment is expected to last 15 years.

In other words, the Company will process personal data for a total period of 35 years, of which the first 15 are intended for the enrollment of patients as well as for carrying out specific research studies and the subsequent 20 years used only for scientific research purposes.

Taking into account the reasons given by the data controller, referred to in particular in point 3 of this provision, it is believed that the storage time indicated is proportionate with respect to the purposes of the collection.

However, it is considered necessary that the provision reported in the protocol regarding the retention of personal data for 25 years be removed. In fact, this provision would seem to be derived from the discipline referred to in Regulation (EU) no. 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials of medicinal products for human use and repealing Directive 2001/20/EC, according to which "Unless EU law provides for a longer storage period, the sponsor and the investigator keep the contents of the permanent dossier of the clinical trial for at least twenty-five years from the conclusion of the same. However, the patients' medical records are archived in accordance with national law" (art. 58). This reference is considered irrelevant given that the study in question is not aimed at drug testing; on the contrary, it is expressly defined as non-pharmacological.

4.3 Types of data processed

As part of the Study, the data controller declares to collect, among others, data relating to the racial and ethnic origin of the data subjects.

Preliminarily, it is believed that the data indicated in the protocol of the Study are proportionate with respect to the purpose underlying the establishment of the aforementioned DB Torax. It is understood that, on the occasion of the realization of future studies, the Company, in accordance with the principle of data minimization, must select and extract from the database only the data that are adequate, relevant and limited to what is necessary with respect to the purposes it intends to pursue (Article 5, paragraph 1, letter c) of the Regulation).

With regard to the data relating to the racial and ethnic origin of the interested parties, it is considered appropriate to represent that the aforementioned Prescriptions establish, in point 5.4, that "In application of the principle of minimization, the processing of personal data for scientific research purposes in the medical, biomedical or epidemiological field may concern data suitable for revealing the state of health of the interested parties and, only where indispensable for the achievement of the purposes of the research, jointly also data suitable for revealing sexual life and racial and ethnic origin (art. 5, par. 1, lett. c), EU Regulation 2016/679)". It is therefore recommended that this circumstance be assessed and adequately justified in the individual research projects for which the processing of such information will be envisaged.

4.4 The technical and organizational measures implemented

From the impact assessment presented by the Company, it emerges that appropriate and suitable measures have been put in place to protect the rights and freedoms of the cohort of interested parties involved in the Study as well as to ensure effective application of the principle of data minimization. An exhaustive analysis was also conducted of the risks associated with the processing of personal data necessary for the pursuit of the purpose of the research in question, in order to determine in particular the origin, nature, severity of these risks and the measures implemented to mitigate them (articles 5, par. 2 letter c), f), 89 and 32 of the Regulation).

It is understood that the data controller will have to carry out a specific impact assessment in relation to future research projects taking into account, with a view to simplification, that a single assessment can examine a set of similar processing operations that present similar high risks (art. 35, par. 1, last sentence of the Regulation).

Furthermore, the Guarantor takes positive note of the anonymization techniques identified by the Company, most recently in the note of 24 May 2022 and referred to in point 3 above, which on the one hand ensure in general terms the reduction of the risk of re-identification of data subjects to an acceptable level, and on the other hand favor an effective circulation of information in the context of scientific research.

In this context, however, it is considered necessary that the Company undertakes to remove any singularity if, by any means, it becomes aware of it at a stage subsequent to the application of the aforementioned anonymization techniques, and to keep track of such events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified on the total of records included in the database.

4.5 Information obligations

The Guarantor favorably acknowledges the measures taken by the Company to ensure the effective implementation of the principle of transparency, also in relation to non-contactable subjects (Articles 13 and 14 of the Regulation and point 6.3 of the Deontological Rules). It is understood that, in contacting the interested parties for the acquisition of further and more specific consents necessary for the performance of future studies, they must be informed in relation to the still unknown aspects of the processing (articles 5, paragraphs 1 and 13 of the Regulation). In relation to patients who cannot be contacted, such additional information must be provided in the forms referred to in art. 14, par. 5, lett. b) of the Regulation and art. 6, paragraph 3 of the Deontological Rules.

It is recommended that the information prepared for the interested parties enrolled in the studies highlight the option for each of them to be informed or not of any unexpected findings concerning them that emerge during the research (Article 8 of the Deontological Rules).

ALL OF THE ABOVE CONSIDERED, THE GUARANTOR

pursuant to art. 110 of the Code and art. 36 of the Regulation, expresses a favorable opinion to the Integrated University Hospital of Verona, Piazzale Aristide Stefani, 1 - 37126 Verona, VAT number / C.F. 03901420236, on the processing of personal data for medical, biomedical and epidemiological research purposes, in the interdepartmental, prospective and retrospective observational study, on patients undergoing thoracic surgery for neoplastic, infectious, degenerative and traumatic pathologies called "DB Torax", on condition that:

1. the Company also acquires additional and specific consents from the patients registered in the DB Torax in relation to each of the future studies that it intends to carry out or makes requests for prior consultation, pursuant to art. 110 of the Code with reference to patients who cannot be contacted or who have died, if they are in one of the conditions referred to in point 5.3 of the Prescriptions (paragraph 4.1);

2. the provision reported in the protocol regarding the retention of personal data for 25 years is removed (paragraph 4.2);

3. the Company undertakes to remove any singularity if, by any means, it becomes aware of it at a stage subsequent to the application of the aforementioned anonymization techniques, and to keep track of such events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified on the total of records included in the database (par. 4.4).

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, June 30, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei



1 [ed] The TNM system is a universally recognized means of defining the anatomical extension of neoplastic disease by resorting to the evaluation of three parameters: the extension of the primary tumor (factor T), the lymph node involvement (factor N) and the presence of any distant metastases (factor M) (see AIOM Guidelines, Italian Association of Medical Oncology, on Lung Neoplasms, 2020 edition at https://www.aiom.it/wp-content/uploads/2020/10/2020_LG_AIOM_Polmone.pdf).

2 [ed] IASLC - International Association for the Study of Lung Cancer https://www.iaslc.org/.



SEE ALSO NEWSLETTER OF 26 JULY 2022



[doc. web n. 9791886]

Opinion pursuant to art. 110 of the Code and art. 36 of the Regulation - 30 June 2022

Record of measures
n. 238 of 30 June 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC - General Data Protection Regulation (hereinafter the "Regulation");

GIVEN, in particular, the articles 35 and 36 of the Regulation relating, respectively, to the impact assessment on data protection and the prior consultation of the Authority;

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data" (hereinafter the "Code");

GIVEN art. 110, paragraph 1, second sentence of the Code which, in relation to the processing of personal data for medical, biomedical and epidemiological research, provides in particular that "consent is also not necessary when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the research objectives. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, the research program is subject to a reasoned favorable opinion from the competent ethics committee at local level and must be subject to prior consultation with the Guarantor pursuant to article 36 of the Regulation";

GIVEN the legislative decree 10 August 2018, n. 101 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46/EC (general regulation on data protection)", in particular art. 21;

HAVING REGARD to the Prescriptions relating to the processing of personal data carried out for scientific research purposes, attachment no. 5 to the Provision which identifies the provisions contained in the General Authorizations that are compatible with the Regulation and with Legislative Decree no. 101/2018 to adapt the Code, dated 5 June 2019 (web doc. 9124510, hereinafter "Prescriptions");

GIVEN the deontological rules for processing for statistical or scientific research purposes adopted by the Guarantor, pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, n. 101, with provision no. 515, of December 19, 2018 (web doc. No. 9069637, hereinafter "Deontological Rules");

GIVEN the request for prior consultation submitted, pursuant to Articles 110 of the Code and 36 of the Regulation, by the Integrated University Hospital of Verona, with registered office in P.le A. Stefani, 1 - 37126 Verona, for the realization of a clinical study called "DB Torax" (note of 4 February 2022);

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n. 1098801;

Rapporteur the lawyer Guido Scorza;

WHEREAS

1. The request for prior consultation

The Integrated University Hospital of Verona (hereinafter the "Company") has submitted a request for prior consultation, pursuant to art. 110, paragraph 1, last paragraph of the Code and art. 36 of the Regulation, as promoter of the interdepartmental, prospective, retrospective, non-pharmacological observational study called "DB Torax" (hereinafter the "Study"), by sending the protocol and the related impact assessment, drawn up pursuant to art. 35 of the Regulation, due to the fact that among the enrolled patients there are also deceased or no longer contactable subjects (note of 4 February 2022).

The Study provides for the creation of a "register" or "database" through "the collection of structured data that allows to examine the population of patients suffering from neoplastic and non-thoracic pathologies".

Specifically, "the data of the patients being treated include:

- "personal data,

- identification data (patient code);

- underlying conditions of patients,

- diagnosis and medical treatment,

- laboratory and imaging framework,

- outcomes of remote treatments in terms of clinical results, complications,

- percentage of recovery during the hospital stay

- relapse rates based on the different modalities of therapy and follow-up ".

Based on the impact assessment, the processing of data relating to the racial and ethnic origin of the data subjects would also be envisaged and it is specified that "The purpose of the processing is to create a database on which to build future analyzes and studies aimed at improving the knowledge and clinical practice in the thoracic district pathologies sector".

More specifically, "The purposes for setting up this database are as follows:

- Evaluate the impact and results of the various surgical, medical and radiotherapy therapeutic practices, alone or in association with complementary therapies in various malignant and benign pathological conditions.

- Evaluate the prognostic impact of environmental and professional factors;

- Evaluate the prognostic impact of clinical factors.

- Validate the new classification editions of the TNM [1], identify and validate new additional features for possible inclusion in future revisions of the TNM classification.

- To study new conditions not included in the present TNM and to evaluate their prognostic impact (biomarkers, mutations present in the tumor tissue, clinical data, residual tumor) in thoracic oncological pathology.

- Assess the prognostic impact of complete, incomplete and uncertain resections, according to the proposed definitions of IASLC [2].

- Assess the prognostic impact of new surgical therapies alone or in combination with other methods.

- Assess the prognostic impact of new oncological therapies alone or in combination with other methods.

- Evaluate the reliability of the methods used in clinical staging (for those tumors with pre- and post-treatment classification and pre- and post-surgical modalities) according to the new and future modifications of the international classifications ”(point 2 of the study protocol).

In this regard, the study protocol specifies that “Detailed statistical analysis plans will be set up in future research protocols that will use this database as a data source in order to achieve the objectives [of] the specific studies”.

The Study provides that "Personal data, including health data, [of about 500 patients per year] will be collected both retrospectively, starting from January 1, 2010, and prospectively for the next 15 years" and “Will be kept for a period of 20 years”.

With specific reference to the legal bases of the processing, the Company has represented that for the prospective collection of data, they are to be found in the consent of the interested parties acquired "upon delivery of the information to patients regarding the processing of their personal data, bearing in below the relative formula for the acquisition of consent". In relation to the retrospective collection, the data are already present in the systems of the data controller and collected on the occasion of health services. In this regard, since "numerous patients have died, or are no longer in charge for [the] follow up (also by choice of the individual patient) and are not available", it being impossible to inform them and collect their consent, the Company has resorted to the "procedure of art. 110 of Legislative Decree 196/2003" which is the subject of this opinion. In this regard, the Company represented that it had "tried to contact the patients selected to be retrospectively included in the Study, but only less than 10% was found to be available, so there is a residual numerical component essential for the scientific validity of the Study, deceased or not contactable".

For the purposes of patient enrollment, "the doctor will check the inclusion and exclusion criteria by consulting the medical record and will enroll in the study" which will be monitored "taking into account two objectives: to keep track of the recruitment of specific subgroups defined on the basis of the geography, stage or modality of treatment in order to target clinical data on subgroups, and demonstrate the objectivity of the study sample with regard to the selected subjects ".

In relation to the processing methods, the Company has highlighted in the impact assessment that personal data will mainly be processed in an automated form, using an e-CRF (electronic Case Report Form) created specifically for the Study, managed and stored through the "secure, web-based software platform" called "REDCap (Research Electronic Data Capture)" […] "designed to support the acquisition and storage of data for research studies". In particular, "The platform generates a unique identification code associated with each subject involved in the Study, which allows researchers to locally maintain the association with their respective personal data. The possibility of tracing the origin of the data is justified by the need to carry out follow-up studies for patients under treatment at the Operational Units involved, or in the case of scientific results that may have a detectable impact for the subject himself, on the basis of decisions expressed in the informed consent to participate in the Study".

The Company indicated in the impact assessment that the "overall duration of the Study is 15 years, with 10 years of retrospective collection. The data will be kept for a period of 20 years". On this point, it was clarified that this retention period is necessary in order to "build future analyzes and studies, aimed at improving knowledge and clinical practice in the sector of pathologies of the thoracic district". After this period "the data will be made completely anonymous, eliminating the link between the patient's name and his pseudonym". However, it is indicated in the protocol of the Study that "The Sponsor undertakes to keep the original paper documentation (eg informed consent) for at least 25 years in compliance with current legislation".

It was also envisaged that "Anonymous access to data by parties external to the research team will be examined from time to time by a scientific commission composed of the main investigators and co-experimenters, which will decide whether to grant access to data for these protocols based on the scientific quality of the same, however assuming compliance with the indications contained in this document establishing the database ".

The impact assessment also describes the existing and planned security measures that will be implemented for the realization of the Study in light of the risks that have been highlighted for the fundamental rights and freedoms of the data subjects.

The Company has represented that a notice on the processing of personal data relating to the Study will be provided, pursuant to art. 13 of the Regulation, to the subjects directly contacted.

The aforementioned study obtained, on February 15, 2022, the favorable opinion of the Ethics Committee territorially competent for the clinical trial of the Company.

2. The applicable legislation

The processing of personal data must take place in compliance with the legislation provided for by the Code and the Regulation. In this regard, it should be noted that "personal data" means "any information concerning an identified or identifiable natural person ("interested party"); the natural person is considered identifiable who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic elements of his physical, physiological, genetic, psychic, economic, cultural or social identity" (art. 4, par. 1, n. 1 of the Regulation).

On the other hand, "(...) information that does not refer to an identified or identifiable natural person or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the data subject", this also for processing carried out for statistical or research purposes (see recital no. 26 of the Regulation and "WP29 Opinion 05/2014 on Anonymization techniques", adopted on 10 April 2014).

In this context, the processing of personal data for scientific research purposes must be carried out not only in compliance with the specific provisions of the Regulation and the Code (articles 5, paragraph 1, letter b) and e), 9, par. 2, lett. j), 89 of the Regulation and art. 110 of the Code) but also the Prescriptions relating to the processing of genetic data (if necessary) and the Prescriptions relating to the processing of personal data carried out for scientific research purposes, annexes 4 and 5 to the provision of 5 June 2019 (web doc. 9124510), as well as the deontological rules for processing for statistical or scientific research purposes, annex A5 to the Code, which constitute an essential condition of lawfulness and correctness of the processing (Article 2-quater of the Code and Article 21, paragraph 5 of Legislative Decree 10 August 2018, n. 101).

With specific reference to the pursuit of scientific research purposes in the medical, biomedical and epidemiological fields, it should be noted that such processing is permitted after obtaining the consent of the interested party.

Without invalidating the obligations relating to consent, recital 33 of the Regulation recognizes that "In many cases it is not possible to fully identify the purpose of the processing of personal data for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research where there is compliance with recognized ethical standards for scientific research. Interested parties should have the possibility to give their consent only to certain research sectors or parts of research projects to the extent permitted by the intended purpose" (articles 5, paragraph 1, letter a), 6, 7 and 9 of the Regulation; Guidelines 5/2020 on consent pursuant to regulation (EU) 2016/679 of 4 May 2020 of the European Data Protection Board, cf. point 7.2).

The deontological rules for processing for statistical or scientific research purposes also establish that "In giving his consent to a medical or epidemiological investigation, the interested party is required to declare whether or not he wants to know any unexpected discoveries that emerge concerning him during the research", providing for specific procedures for the communication of these so-called incidental findings to the interested parties, in order to ensure respect for their dignity as well as the protection of their informational self-determination, also in relation to the so-called "right not to know" (Article 8).

Obtaining consent is not necessary "(...) when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the purposes of the research. In the latter cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, the research program is subject to a reasoned favorable opinion from the competent ethics committee at local level and must be subjected to prior consultation of the Guarantor pursuant to article 36 of the Regulation" (article 110 of the Code, article 9, paragraph 2, letter j) and par. 4 of the Regulation).

It is also pointed out that further processing and further storage of personal data for scientific research purposes are allowed within the limits of the reference regulatory framework (cons. 50, articles 5, paragraph 1, letters b) and e), 6, par. 4 of the Regulation, point 5.6 of the Prescriptions for the processing of personal data for scientific research purposes; see also A Preliminary Opinion on data protection and scientific research, adopted on January 6, 2020 by the European Data Protection Supervisor (EDPS), and Opinion 3/2019 on questions and answers on the interaction between the clinical trial regulation and the General Data Protection Regulation (Article 70, paragraph 1, letter b)), of 23 January 2019, and the Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research, of 2 February 2021, adopted by the European Data Protection Board (EDPB)).

Continuing with the main provisions on the protection of personal data relevant to the case in question, it is finally pointed out that, if the data are obtained from third parties, the data controller may refrain from providing the information referred to in par. 1 to 4 of art. 14 of the Regulation, to the extent that its communication is impossible or involves a disproportionate effort. This applies in particular to processing carried out for scientific research purposes, without prejudice to the conditions and guarantees referred to in Article 89, par. 1 of the Regulation. In such cases, the data controller is in any case required to take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including by making the information public (Article 14, paragraph 5, letter b) of the Regulation). On this point, art. 6, paragraph 3 of the Deontological Rules for processing for statistical or scientific research purposes states that "When data is collected from third parties, or the processing carried out for statistical or scientific purposes concerns data collected for other purposes, and providing the information involves a disproportionate effort compared to the protected right, the controller adopts suitable forms of publicity", giving examples of such forms.

3. The preliminary activity

In light of the aforementioned legislation, during the investigation (note of 25 February 2022, prot. No. 12699 and meetings of 11 and 27 April 2022), the Office deemed it necessary to acquire specific information regarding:

- the further processing purposes, the related legal conditions and the measures referred to in art. 89 of the Regulation;

- the methods envisaged for providing information to interested parties not directly contacted, pursuant to art. 14, paragraph 5, lett. b) of the Regulation and art. 6 of the Deontological Rules;

- the data anonymization techniques applied before the data are transmitted to third parties.

With reference to the further processing purposes, the Company first clarified that "What these specific studies have in common is the use of the same data source - namely the Torax DB which contains pseudonymised data, as implemented from year to year for the entire duration of the Study [...] - since these studies refer to the same pathologies of the thoracic district covered by the DB Torax Study, with the effect that the purposes of the further specific studies are compatible with those indicated in the Original study".

Having said this, in relation to the legal prerequisite for conducting the analyses listed above, "which will also be the subject of specific spontaneous observational studies" (the "future studies"), the Company considered that it is to be found in the consent given by the interested parties contacted during recruitment, "granularized on the basis of the individual purposes listed in paragraphs 2 and 8 of the protocol of the Study for the establishment of the DB Torax", or in the procedure referred to in art. 110 of the Code initiated with the request of February 4, 2022, for deceased or non-contactable subjects. This is without prejudice to the submission of the relevant "specific protocols", from time to time, to the competent Ethics Committee for approval.

In this regard, it was clarified that "The interested party can therefore freely decide not only whether or not to participate in the Study, but also whether the data collected within the Study can be used for the specific studies that will be conducted in the areas listed in paragraph 2 of the study protocol. The above takes into account the "EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research" adopted on February 2, 2021, and in particular the requirements of paragraphs 20 and following for the application of art. 5, par. 1, lett. b), of art. 89 and of Recital 33, GDPR".

The Company also provided specific clarifications regarding the data retention period, set at 20 years from the closure of the study, "meaning the date of enrollment of the last patient". In particular, it was explained that "This deadline was determined taking into account the need to allow the carrying out of observational studies with long follow-up". In this regard, it was in fact reiterated that "the DB Torax will constitute the starting point for subsequent spontaneous studies, in any case relating to the pathologies of the thoracic district, conducted within the company on data that, in case of need, can allow those entitled to trace the identity of the patients involved". The Company also underlined that it is necessary to "consider that in tumors of the thoracic district the survival curves are five/ten years after surgery, and that among the patients enrolled in the study there are people with a normal life expectancy post surgery, and therefore the need to follow over time, even for a long time, the evolution of their disease is not uncommon".

In relation to the measures referred to in art. 89 of the Regulation, the Company, in reiterating all of the above in relation to pseudonymisation techniques, specified that "The only subjects who will be able to access the DB Torax, and the e-CRF of the Study, are the researchers of AOUI Verona who will participate in the Study and specific studies, duly authorized pursuant to art. 29 of the GDPR and art. 2-quaterdecies of the Code, with the express exclusion of any third party".

It was also specified that "at the end of the study, the data in the Torax DB will be kept for 20 years, and subsequently anonymized".

With reference to data anonymization, it was specified that "AOUI Verona will adopt the randomization technique by adding noise (par. 3.1.1 of WP216 "Opinion 05/2014 on anonymization techniques" adopted by WP29 on 10/04/2014), eliminating some parameters from the e-CRF and, consequently, from the DB Torax" and that the data are disclosed to third parties only in anonymized form.

More specifically, in relation to this aspect it was clarified that "The anonymization techniques adopted are the following:

A) ELIMINATION of some parameters from the e-CRF and, consequently, from the Torax DB;

B) RANDOMIZATION by adding noise [...]

C) GENERALIZATION through aggregation and K-anonymity [...] ".

The "elimination" will involve 51 variables, including those that lead to the direct identification of the interested parties ("record_id" and "patient code"), additional variables that are excessive or liable to increase the risk of re-identification (e.g. date of birth, signature of the informed consent), as well as those "useful more for the organizational purposes of the Study than for the purposes of data analysis".

The variables subject to "randomization" will instead be 57 and will concern 3 categories: "value in years for age at enrollment ("age_at_enrollment") [...] age at diagnosis ("age_diagnosis"), and [...] days for the remaining variables of the section concerning all the dates reported in the DB Torax". In this regard, it was clarified that "The randomization technique with the addition of noise provides for a fixed range of values for a variable, within which to randomly choose the one to add to or subtract from the source value of the variable subjected to this technique".

On the other hand, 293 variables will be subject to "generalization". On this point, it was clarified in particular that "The generalization technique by means of aggregation and K-anonymity consists in ensuring that each value relating to an interested party is shared by at least a minimum number (k) of other people within the set. Therefore, if this does not happen, it is necessary to plan to aggregate the subjects into groups that contain at least k subjects".
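The three techniques described above can be chained as in the following added example, which is not the Company's implementation and is not taken from the opinion. Only "record_id" and "age_at_enrollment" are variable names quoted in the text; the other field names, the noise ranges, the quasi-identifier set, the value of k and the suppression policy for residual small groups are assumptions, and the rows are constructed.

```python
import random
from collections import Counter
from datetime import date, timedelta

# Constructed sample rows (not real data). Field names other than
# "record_id" and "age_at_enrollment" are assumptions for this example.
FIELDS = ("record_id", "patient_code", "date_of_birth",
          "age_at_enrollment", "sex", "surgery_date")
_ROWS = [
    (1, "P-001", date(1959, 4, 1), 62, "F", date(2021, 5, 10)),
    (2, "P-002", date(1958, 6, 9), 63, "F", date(2021, 6, 2)),
    (3, "P-003", date(1957, 1, 20), 64, "F", date(2021, 4, 18)),
    (4, "P-004", date(1956, 9, 3), 65, "F", date(2021, 9, 7)),
    (5, "P-005", date(1955, 2, 14), 66, "M", date(2021, 3, 22)),
    (6, "P-006", date(1954, 7, 30), 67, "M", date(2021, 7, 15)),
    (7, "P-007", date(1953, 11, 5), 67, "M", date(2021, 8, 1)),
    (8, "P-008", date(1953, 3, 12), 68, "M", date(2021, 10, 4)),
    (9, "P-009", date(1957, 5, 25), 63, "M", date(2020, 6, 11)),
    (10, "P-010", date(1956, 8, 8), 64, "M", date(2020, 9, 19)),
    (11, "P-011", date(1955, 12, 1), 64, "M", date(2020, 4, 27)),
    (12, "P-012", date(1960, 2, 2), 60, "F", date(2020, 7, 6)),  # lone F/2020 row
]
RECORDS = [dict(zip(FIELDS, row)) for row in _ROWS]

ELIMINATED = {"record_id", "patient_code", "date_of_birth"}  # technique A
NOISE_YEARS, NOISE_DAYS = 2, 15           # technique B: assumed fixed ranges
QUASI_IDS = ("age_band", "sex", "surgery_year")  # technique C: assumed set


def eliminate(record):
    """A) Drop direct identifiers and variables that raise re-identification risk."""
    return {k: v for k, v in record.items() if k not in ELIMINATED}


def randomize(record, rng):
    """B) Add or subtract a value chosen at random from a fixed range."""
    out = dict(record)
    out["age_at_enrollment"] += rng.randint(-NOISE_YEARS, NOISE_YEARS)
    out["surgery_date"] += timedelta(days=rng.randint(-NOISE_DAYS, NOISE_DAYS))
    return out


def _band(record, width):
    """Replace the exact age by a band and the date by its year."""
    low = record["age_at_enrollment"] // width * width
    return {"age_band": f"{low}-{low + width - 1}", "sex": record["sex"],
            "surgery_year": record["surgery_date"].year}


def class_sizes(rows):
    """Size of each equivalence class over the quasi-identifiers."""
    return Counter(tuple(r[q] for q in QUASI_IDS) for r in rows)


def generalize(records, k, widths=(5, 10, 20, 40), max_suppressed=0.10):
    """C) Aggregate into groups of at least k subjects.

    Uses the narrowest age band at which no more than max_suppressed of the
    rows fall in a class smaller than k, then withholds those rows.
    Returns (released_rows, suppressed_count, band_width).
    """
    for width in widths:
        rows = [_band(r, width) for r in records]
        sizes = class_sizes(rows)
        key = lambda r: tuple(r[q] for q in QUASI_IDS)
        small = [r for r in rows if sizes[key(r)] < k]
        if len(small) <= max_suppressed * len(rows) or width == widths[-1]:
            kept = [r for r in rows if sizes[key(r)] >= k]
            return kept, len(small), width


def anonymize(records, k=3, seed=0):
    """Run A, B and C in sequence; seeded only so the example is repeatable."""
    rng = random.Random(seed)
    noisy = [randomize(eliminate(r), rng) for r in records]
    return generalize(noisy, k)


if __name__ == "__main__":
    released, suppressed, width = anonymize(RECORDS)
    print(f"band width {width}, released {len(released)}, suppressed {suppressed}")
    for cls, n in sorted(class_sizes(released).items()):
        print(cls, n)
```

The lone female patient operated on in 2020 can never share her quasi-identifier values with two others, so she is withheld at every band width; rows like hers are the singularities that k-anonymity is meant to surface.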

Finally, in relation to the methods for making public the information to be provided to interested parties in relation to the data collected from third parties, the Company stated that "it will inform users of the promotion of the Study and related specific studies through a specific information page published on its website, to be disseminated on the Company's social channels, inviting you to get in touch, for whatever reason, with the competent UOCs, in order to reach patients who cannot be contacted" (notes of March 17 and May 24, 2022).

4. Evaluation of the Authority

4.1 The legal bases of the processing

The Company, as Promoter of the DB Torax Study and data controller, as required by art. 110 of the Code and art. 36 of the Regulation, submitted to the Guarantor the protocol and the impact assessment on the protection of personal data connected to the processing necessary for its implementation.

From the documentation examined, the Guarantor believes that the Company has proven the need to create the aforementioned database, explaining how it can allow "to examine the population of patients suffering from neoplastic and non-neoplastic pathologies of the thoracic district, which includes in detail: basic conditions of the patients, their diagnosis, their treatment, the laboratory and imaging picture, as well as the results of remote treatments […]. This will allow us to generate and test biological hypotheses, correlated with each other by numerous clinical factors with multivariate analyzes and quality controls of clinical procedures" and that "The collection of this information will allow us to have an overall picture in terms of survival and to be able to compare and evaluate the results of our interventions". In fact, the project and the impact assessment do not present elements such as to make the establishment of the database and the related processing disproportionate to the aims to be pursued. This is noted in particular because the project, in providing for the establishment of the DB Torax with a single data controller, excludes that the data collected therein can be accessed by third parties external to the controller's organization unless they have been previously anonymized.

The Company has also correctly identified the legal bases (consent or art. 110 of the Code) for the establishment of the aforementioned database, which contains a reasoned set of data intended as the starting point for specific future studies, including longitudinal (follow-up) ones, relating to thoracic pathologies, neoplastic and not, related to the nine objectives indicated in point 2 of the protocol and referred to above, having also adequately proved the impossibility of contacting all the subjects it intends to enroll in the study. In this regard, the Company represented that it had "tried to contact the patients selected to be retrospectively included in the Study, but only less than 10% was found to be available, so there is a residual numerical component essential for the scientific validity of the Study, deceased or not contactable".

The same considerations, on the other hand, cannot be formulated in relation to the legal conditions identified for the subsequent phases of the processing concerning the conduct of what are defined as “further and specific studies”. To this end, the Company would, in fact, intend to limit itself to obtaining the favorable opinion of the competent ethics committee at the local level, by virtue of the alleged compatibility of these purposes with that of the collection.

- Consent in progressive stages

In relation to the aforementioned successive phases of the processing concerning the conduct of what are defined as "further and specific studies", it should be noted that the proposed legal reconstruction does not appear to be correct as the case in point, rather than concerning hypotheses of personal data processing for the pursuit of additional (and compatible) purposes with respect to that of collection, is attributable to that contemplated by recital 33 of the Regulation which, in residual circumstances, admits that the interested parties can give consent in progressive stages for the processing of personal data for scientific research purposes, when at the time of collection it is not possible to fully identify the specific purposes of the processing. This, taking into account that, even in relation to the treatments in question, it is not possible to derogate from the requirement of the specificity and granularity of consent (articles 6 and 7 of the Regulation and paragraph 7.2 of the Guidelines no. pursuant to Regulation (EU) 2016/679).

In the case in question, the Company, in fact, at the time of data collection, is in a position to acquire the consent of the interested parties only for the collection and storage of the same within the DB Torax (hereinafter referred to for brevity as "first consent"), taking care to acquire further consent for the nine areas of investigation indicated in the aforementioned point 2 of the protocol (hereinafter "second consent" for brevity).

Indeed, even if the data controller foresees, with an appreciable effort in terms of accountability, to acquire the aforementioned two manifestations of will at the time of data collection, they are substantially overlapping and in themselves not suitable for legitimizing the processing of personal data for the realization of further and, in any case, future research projects, not yet defined. The nine areas of investigation indicated in the aforementioned point 2 of the protocol represent, in fact, the macro research purposes for which the DB is created. In the absence of such indications, the collection and storage of data in the DB would not have been possible either, due to the lack of the preliminary indication of the purpose of the processing, intended to be fully represented in future research projects (Article 5, paragraph 1, lett. b) of the Regulation).

In this regard, it is emphasized that the European Data Protection Board has recently reiterated that "the notion of research cannot be extended beyond its common meaning" and that "scientific research" in this context means "a research project established in compliance with the relevant sectorial methodological and ethical standards, in line with good practices", thereby confirming that in this sector the purpose of the processing must be identified in the specific research project to be carried out (Guidelines 5/2020 on consent pursuant to regulation (EU) 2016/679, cit.).

Furthermore, it should be noted that the Deontological Rules expressly provide that the research must be carried out on the basis of a project drawn up in accordance with the methodological standards of the relevant disciplinary sector (art. 3).

In the case in question, however, it is the data controller itself that declares that future studies, including those relating to the nine areas of observation indicated in the study protocol, will be subject to specific protocols that will be submitted to the territorially competent ethics committees for the acquisition of the expected opinion. This demonstrates how the determined and specific purpose of the processing will be identified in progressive stages, in a complete and timely manner, only upon the approval of future research projects.

With reference to patients who cannot be contacted, the prior consultation in question, together with the favorable opinion of the territorially competent Ethics Committee, constitutes the legal prerequisite equivalent to consent, for the collection and storage of data in the database.

It follows that the Company, as data controller, once future research projects have been approved by the competent Ethics Committees, will have to supplement the manifestations of will already collected from the interested parties with specific consents, so as to arrive progressively at a suitable legal basis for the processing of data for scientific research purposes (Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679 of May 4, 2020 of the European Data Protection Board, cf. point 7.2) or, where it is in one of the conditions referred to in art. 110 of the Code and in point 5.3 of the Prescriptions, it will have to make specific requests for prior consultation pursuant to the aforementioned art. 110 of the Code.

On this point, the European Data Protection Board clarified, in fact, that "recital 33 does not affect the obligations relating to the requirement of specific consent. This means that, in principle, scientific research projects can include personal data on the basis of consent only if they have a well-described purpose" (see par. 7.2 and point 155), admitting in an exceptional and residual way that "when it is not possible to fully specify the purposes of the research, the data controller must look for other ways to ensure compliance with the essence of the consent requirements, for example by allowing interested parties to consent to a research purpose in more general terms and to specific stages of a research project that is known from the outset will take place. As the research progresses, it will therefore be possible to obtain consent for the subsequent phases of the project before the start of the corresponding phase. However, such consent should in any case be in line with the ethical rules applicable to scientific research" (see par. 7.2 and point 158).

- Further processing

Therefore, the reference made by the data controller in the documentation on file appears unsuitable - made, moreover, in a completely incidental form through the Company's declaration that "the purposes of the specific further studies are compatible with those indicated in the original Study" - presumably aimed at grounding the legal prerequisite for carrying out further specific studies on the presumption of non-incompatibility of the same with the purpose of the collection, as they would always focus on chest pathologies (cons. 50 and art. 5, par. 1, letter b) of the Regulation).

In this regard, it is emphasized, as noted above, that at the time of collection the purposes of the processing are not duly defined except as regards the creation of the database. In fact, the Company itself declares that "The purpose of the treatment is to create a database on which to build future analyzes and studies aimed at improving knowledge and clinical practice in the field of pathologies of the thoracic district".

It follows that the consents collected for the creation of the DB Torax (or, alternatively, the prior consultation procedure in question) cannot also constitute the legal basis for further processing, since they represent a still partial manifestation of will that will be progressively completed by further and specific requests for consent, which must be made by the Company when carrying out future studies (cons. 50, art. 6, par. 4 of the Regulation and Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, cit.).

According to recital 50 of the Regulation, in fact, in order to carry out further processing on the assumption of lawfulness of the original processing, the controller must have verified that it satisfies all the requirements of the Regulation. This is without prejudice to the fact that the data controller must also verify whether, in practice, the legal basis of the first processing can also support any further processing (see cons. 50, second part, of the Regulation).

From another point of view, without prejudice to the further and more specific indications, currently being drawn up, which will come from the European Data Protection Board and the European Data Protection Supervisor on this issue, it is necessary to bring the "presumption of non-incompatibility of the purpose of research" pursuant to art. 5, par. 1, lett. b) of the Regulation back to its proper nature as an exception, which as such does not admit analogical or extensive interpretations, all the more so in the case of processing of particular categories of data for which there is, in general terms, a prohibition of processing (cf. Opinion 3/2019 on questions and answers on the interaction between the regulation on clinical trials and the general regulation on data protection, of 23 January 2019; A preliminary Opinion on data protection and scientific research, of 6 January 2020, cit.; Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research, of February 2, 2021, cit.; provision of the Guarantor of November 1, 2021, web doc. 9731827). Having said all this, it is therefore considered necessary that the Company also acquire additional and specific consents from the patients registered in the DB Torax in relation to each of the future research studies that it intends to carry out, following the approval of the same research projects by the competent ethics committees.

Where the company is in one of the conditions referred to in art. 110 of the Code and in point 5.3 of the Prescriptions, instead of acquiring consent, it will have to make specific requests for prior consultation pursuant to the aforementioned art. 110 of the Code.

4.2 Retention times

As noted above, the data retention period is set at 20 years from the closure of the study, "meaning the date of enrollment of the last patient". Patient enrollment is expected to last 15 years.

In other words, the Company will process personal data for a total period of 35 years, of which the first 15 are intended for the enrollment of patients as well as for carrying out specific research studies and the subsequent 20 years used only for scientific research purposes.

Taking into account the reasons given by the data controller, referred to in particular in point 3 of this provision, it is believed that the storage time indicated is proportionate to the purposes of the collection.

However, it is considered necessary that the provision reported in the protocol regarding the retention of personal data for 25 years be removed. In fact, it appears to derive from the rules laid down in Regulation (EU) no. 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials of medicinal products for human use and repealing Directive 2001/20/EC, according to which "Unless EU law provides for a longer storage period, the sponsor and the investigator keep the contents of the permanent dossier of the clinical trial for at least twenty-five years from the conclusion of the same. However, the patients' medical records are archived in accordance with national law" (art. 58). This reference is considered irrelevant given that the study in question is not aimed at drug testing; on the contrary, it is expressly defined as non-pharmacological.

4.3 Types of data processed

As part of the Study, the data controller declares that it collects, among others, data relating to the racial and ethnic origin of the data subjects.

Preliminarily, it is believed that the data indicated in the protocol of the Study are proportionate with respect to the purpose underlying the establishment of the DB Torax recalled above. It is understood that, when future studies are carried out, the Company, in accordance with the principle of data minimization, must select and extract from the database only the data that are adequate, relevant and limited to what is necessary with respect to the purposes it intends to pursue (Article 5, paragraph 1, letter c) of the Regulation).

With regard to the data relating to the racial and ethnic origin of the interested parties, it is considered appropriate to represent that the aforementioned Prescriptions establish, in point 5.4, that "In application of the principle of minimization, the processing of personal data for scientific research purposes in the medical, biomedical or epidemiological field may concern data suitable for revealing the state of health of the interested parties and, only where indispensable for the achievement of the purposes of the research, jointly also data suitable for revealing sexual life and racial and ethnic origin (art. 5, par. 1, lett. c), EU Regulation 2016/679)". It is therefore recommended that this circumstance be assessed and adequately motivated in the individual research projects for which the processing of such information will be envisaged.

4.4 The technical and organizational measures implemented

From the impact assessment presented by the Company, it emerges that appropriate and suitable measures have been put in place to protect the rights and freedoms of the cohort of interested parties involved in the Study as well as to ensure effective application of the principle of data minimization. An exhaustive analysis was also conducted of the risks associated with the processing of personal data necessary for the pursuit of the purpose of the research in question, in order to determine in particular the origin, nature and severity of these risks and the measures implemented to mitigate them (articles 5, par. 2 letter c), f), 89 and 32 of the Regulation).

It is understood that the data controller will have to carry out a specific impact assessment in relation to future research projects taking into account, with a view to simplification, that a single assessment can examine a set of similar processing operations that present similar high risks (art. 35, par. 1, last sentence of the Regulation).

Furthermore, the Guarantor takes positive note of the anonymization techniques identified by the Company, most recently in the note of 24 May 2022 and referred to in point 3 above, which on the one hand ensure in general terms the reduction of the risk of re-identification of data subjects to an acceptable level, and on the other hand favor an effective circulation of information in the context of scientific research.

In this context, however, it is considered necessary that the Company undertake to remove any singularity if, by any means, it becomes aware of it at a stage subsequent to the application of the aforementioned anonymization techniques, and to keep track of such events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified on the total of records included in the database.

4.5. Information obligations

We favorably acknowledge the measures taken by the Company to ensure the effective implementation of the principle of transparency, also in relation to non-contactable subjects (Articles 13 and 14 of the Regulation and point 6.3 of the Deontological Rules). It is understood that, when the interested parties are contacted for the acquisition of the further and more specific consents necessary for the performance of future studies, they must be informed about the still unknown aspects of the processing (articles 5, paragraphs 1 and 13 of the Regulation). In relation to patients who cannot be contacted, such additional information must be provided in the forms referred to in art. 14, par. 5, lett. b) of the Regulation and art. 6, paragraph 3 of the Deontological Rules.

It is recommended that the information prepared for the interested parties enrolled in the studies highlight the option for each of them to know or not any unexpected discoveries that emerge concerning them during the research (Article 8 of the Deontological Rules).

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 110 of the Code and art. 36 of the Regulation, expresses a favorable opinion to the Integrated University Hospital of Verona, Piazzale Aristide Stefani, 1 - 37126 Verona, VAT number / C.F. 03901420236, on the processing of personal data for medical, biomedical and epidemiological research purposes, in the interdepartmental, prospective and retrospective observational study, on patients undergoing thoracic surgery for neoplastic, infectious, degenerative and traumatic pathologies, called "DB Torax", on condition that:

1. the Company also acquires additional and specific consents from the patients registered in the DB Torax in relation to each of the future studies that it intends to carry out or makes requests for prior consultation, pursuant to art. 110 of the Code with reference to patients who cannot be contacted or who have died, if it is in one of the conditions referred to in point 5.3 of the Prescriptions (paragraph 4.1);

2. the provision reported in the protocol regarding the retention of personal data for 25 years is removed (paragraph 4.2);

3. the Company undertakes to remove any singularity if, by any means, it becomes aware of it at a stage subsequent to the application of the aforementioned anonymization techniques, and to keep track of such events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified on the total of records included in the database (par. 4.4).

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, this provision may be appealed before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, June 30, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Peel

THE SECRETARY GENERAL
Mattei



1 [ed] The TNM system is a universally recognized means of defining the anatomical extension of the neoplastic disease by resorting to the evaluation of three parameters: the extension of the primary tumor (factor T), the lymph node involvement (factor N) and the presence of any distant metastases (factor M) (see AIOM Guidelines, Italian Association of Medical Oncology, on Lung Neoplasms, 2020 edition, at https://www.aiom.it/wp-content/uploads/2020/10/2020_LG_AIOM_Polmone.pdf).

2 [ed] IASLC - International Association for the Study of Lung Cancer, https://www.iaslc.org/.