Garante per la protezione dei dati personali (Italy) - 9920977

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 13 GDPR; Article 14 GDPR; Article 35 GDPR; Article 36 GDPR; Article 89 GDPR; Article 110 Codice Privacy
Type: Advisory Opinion
Outcome: n/a
Started: 06.03.2023
Decided: 18.07.2023
Published: 18.07.2023
Fine: n/a
Parties: Azienda Ospedaliera Universitaria Careggi
National Case Number/Name: 9920977
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: co

The Italian DPA authorised a hospital to conduct medical research relating to personal data of contactable and uncontactable (deceased) data subjects.

English Summary

Facts

The hospital “Azienda Ospedaliera Universitaria Careggi” (the controller) intends to perform, among others, an observational study on the effectiveness of a cancer medicine, “mobocertinib”, in treating a specific type of lung cancer. In this context, the controller carried out a DPIA in accordance with Article 35 GDPR. One of the elements under scrutiny was the processing of personal data of both contactable and uncontactable (deceased) oncology patients. As mandated by Article 110 of the Italian Privacy Code, the hospital first obtained the approval of the local ethics committees involved and then submitted a prior consultation request to the DPA under Article 36 GDPR in order to obtain authorisation to proceed with the study.

Holding

The DPA issued a favourable opinion on the processing of personal data of deceased patients for purposes of medical research, as the hospital indicated the adequate legal basis for processing and rightfully specified the reasons why it was not possible to obtain consent in this case, in line with Article 110(1) of the Italian Privacy Code. The Garante further approved the safeguards foreseen by the hospital in line with Article 89 GDPR. However, the DPA pointed out that the hospital also needs to ensure that the number of aggregation statistics it wishes to make public is significantly lower than the number of considered variables, so as to avoid the possibility of a reconstruction attack. For the same reasons, the DPA held that during the periodic evaluations on the efficiency of anonymization techniques, the hospital should engage in removing any singularities in order to achieve a 1% level of singularity identification on the total of records included in the dataset.

In addition to this, the DPA stated in its opinion that, in order to ensure conformity with the data subject’s rights of information under Article 13 GDPR and Article 14 GDPR, the hospital should firstly make clear what the legal basis for a potential transfer of data to third countries should be. Secondly, it shall specify that in case of a withdrawal of consent, the controller will cease the processing in the absence of any other legal basis justifying its storage and further processing. Lastly, the hospital needs to make public all information to be provided to data subjects in line with Article 14 GDPR, also via the individual research centres’ websites.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9920977]

Provision of 18 July 2023

Register of measures
n. 315 of 18 July 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

GIVEN, in particular, articles 35 and 36 of the Regulation relating, respectively, to the impact assessment on data protection and to the prior consultation of the Authority;

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the “Code regarding the protection of personal data” (hereinafter “Code”);

GIVEN the art. 110 paragraph 1, second sentence of the Code which, in relation to the processing of personal data for medical, biomedical and epidemiological research, provides in particular that "consent is also not necessary when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the objectives of the research. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is the subject of a reasoned favorable opinion from the competent ethical committee at territorial level and must be subjected to prior consultation with the Guarantor pursuant to article 36 of the Regulation”;

GIVEN the ethical rules for processing for statistical or scientific research purposes adopted by the Guarantor, pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, n. 101, with provision no. 515, of 19 December 2018 (web doc. no. 9069637, hereinafter "Ethical rules");

GIVEN the provisions relating to the processing of personal data carried out for scientific research purposes, annex no. 5 to the Provision which identifies the provisions contained in the General Authorizations which are compatible with the Regulation and with Legislative Decree no. 101/2018 for adaptation of the Code, of 5 June 2019 (web doc. 9124510, hereinafter "Requirements");

GIVEN the request for prior consultation presented, pursuant to articles 110 of the Code and 36 of the Regulation, by the Careggi University Hospital, with registered office in Largo G.A. Brambilla, 3 - 50134 Florence, for the implementation of the multicenter retrospective and prospective observational study “MOBO-Real OSS22465” (note dated 6 March 2023, prot. no. aouc_fi 0005671);

HAVING SEEN the documentation on file;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Speaker: the lawyer Guido Scorza;

PREMISE

1. The request for prior consultation and the investigative activity carried out

With the note in reference, the Careggi University Hospital (hereinafter the Company) has made a request, pursuant to art. 110 of the Code and art. 36 of the Regulation, for the implementation of the "retrospective and prospective multicenter observational [Italian] study to evaluate the safety and efficacy of mobocertinib in pre-treated patients with metastatic non-small cell lung cancer with EGFR exon20ins. (MOBO-real)” (hereinafter “Study”), due to the fact that it involves uncontactable or deceased patients, providing in documents the Study protocol, the opinion of the territorially competent ethics committee and the impact assessment (hereinafter also VIP), carried out pursuant to art. 35 of the Regulation (note dated 6 March 2023).

The Office of the Guarantor has started an in-depth investigation, which is acknowledged below (note dated 20 March 2023, prot. no. 47462, reply note dated 19 April 2023, prot. no. apuc_fi 0009442 and note dated 29 May 2023, prot. aouc_fi 0012607).

The Study involves all the Italian Oncology Units (26 Centres) "involved in the IPRP (Individual Patient Request Programme) with an estimated sample size of 50 patients" [who have received at least one dose of the aforementioned drug mobocertinib] overall, suffering from lung cancer (the deadliest cancer in the world in the form of non-small cell cancer (NSCLC) in advanced stages and characterized by specific mutations (exons 20)). The duration of the Study is 12 months, "with an additional follow-up of 30 months".

The study is aimed at evaluating the effectiveness of the drug "mobocertinib".

All centers participating in the Study are indicated as data controllers and each will have to obtain the opinion of the relevant ethics committee.

Recalling the parts of the protocol most relevant for personal data protection profiles, it is highlighted that the Firm's primary objectives are:

“Epidemiology: evaluation of the different variants of EGFR exon 20 insertions in the Italian population;

Safety and tolerability: incidence of treatment-related adverse events (TRAEs), AEs and SAEs in a real-world population;

Efficacy: to evaluate in a real, unselected population, ORR, disease control rate (DCR), duration of response (DOR) and time to progression (TTP)”.

The following are indicated as secondary objectives:

− “Overall survival (OS)

− Progression-free survival (PFS)

− Correlation between outcome and clinical characteristics (age, sex, smoking history, comorbidities, metastatic sites/disease burden, ECOG PS, previous treatments)

− Description of outcome and biological characteristics (type of mutation)

− Evaluation of the percentage of patients in treatment 3, 6 and 12 months after the start

− Identification of a subgroup of patients who benefit from the treatment”.

It is also indicated that "[...] data will be collected from patients currently being treated with mobocertinib or from those who have interrupted treatment for any reason", using "an online platform (https://www.project-redcap.org/) available at our University (University of Florence), activating all the Oncology Units involved in the protocol". In particular, through this platform each oncology unit involved will be able to provide data by accessing the platform with user name and password. To this end, each participating center will be able to indicate up to two names among the staff responsible for uploading the data to the aforementioned platform.

“The data will be collected and recorded in compliance with Italian laws and international standards regarding GCP and privacy, also according to the general principles established by the Declaration of Helsinki and its subsequent updates. The database will be protected by credentials in the exclusive possession of the investigators. Patient names will be anonymized, assigning each patient an encoded alpha-numeric identification code. No patient identifying information will appear in any of the study documents. The clinical site manager will store the original informed consents in a locked cabinet. The Study Coordinator will store a copy of the informed consents in a locked cabinet and will keep a list of study participants and their codes in a double identification file.”

Furthermore, the protocol states that "The person responsible for the data and anonymization measures is the Principal Investigator. Only the investigators included in the study will have access to the data and results before their publication. Patient names will be anonymized, assigning each a coded alphanumeric value. [...] At the end of the study, the Study Coordinator will destroy this file, eliminating all links between the study participants, the data and the samples collected during the research of the patients included in the study."

On this point, during the preliminary investigation it was clarified that the Principal Investigator (PI) "in the Company is qualified as a person expressly designated pursuant to 2-quaterdecies of the Code. With Provision of the General Director n. 378 of 24 May 2019 General Data Protection Regulation 2016/679/EU. Determinations regarding organizational measures for adaptation to European legislation: assignment of functions and tasks to specifically designated subjects pursuant to art. 2-quaterdecies of Legislative Decree 196/2003, in the Company we have redefined the person expressly designated as Data Processor, to mean the natural person who, in charge of a given activity, is specifically responsible for the processing of data such activity necessary, also with reference to the authorized persons involved in it".

It was also clarified that "the 'anonymisation measures' are improperly referred to, at least where it is observed that the data 'will be made anonymous, assigning each a coded alphanumeric value'".

It is then stated that "Every living patient will be given a written informed consent, which must be signed after receiving the appropriate explanations. As required by the Privacy Guarantor [...] the data for scientific research purposes will in any case be processed without informed consent for patients who are deceased and/or who cannot be contacted at the time of enrollment, after having made every reasonable effort to contact them (verification of the status of life, consultation of the data reported in the clinical documentation, use of any telephone numbers provided, as well as the acquisition of contact data from the registry of patients or the resident population)".

In this regard, in the section of the impact assessment called “How are data subjects informed of the processing?” it is indicated that "Data for scientific research purposes will in any case be processed without informed consent for patients who are deceased and/or who cannot be contacted at the time of enrollment, after having made every reasonable effort to contact them (verification of their alive status, the consultation of the data reported in the clinical documentation, the use of any telephone numbers provided, as well as the acquisition of contact details from the registry of patients or the resident population)”.

Regarding the reasons why informing some interested parties may be impossible, the Company observed "that the population involved in the study is characterized by a mutation (insertion of exon 20) defined as "rare" in the panorama of EGFR mutations, affecting the 1-2% of the population affected by non-small cell lung cancer. Recent scientific evidence has defined this mutation as resistance to the main anti-EGFR drugs, finding chemotherapy as the only therapy currently in use in practice. Based on data from the EXCLAIM study and retrospective analysis data, the median overall survival for this population pre-treated with at least one previous line of chemotherapy is in total (given by the sum of the activity of the first line and subsequent lines) less than 24 months. Therefore, the aggressiveness of the disease often makes it necessary to manage post-mortem clinical data. The Company is also able, as regards at least those registered with the Regional Health Service who have undergone hospitalization, to verify their living status through a connection to the Regional Health Registry".

With reference to the patients who can be contacted, it was clarified that the patient is expected to sign two distinct forms, one relating to participation in the research ("Informed consent form for participation in the study version 1.0 of 30 July 2021") and one relating to the use of personal data for research purposes ("Declaration of consent to the processing of personal data pursuant to the EU general data protection regulation 2016/679 and Legislative Decree 196/2003 version 1.0 of 30 July 2021" ) which follows the relevant information ("Information on the processing of personal data pursuant to the general regulation on data protection EU 2016/679 and Legislative Decree 196/2003 version 1.0 of 30 July 2021")" and which "is an information model for observational research is therefore proposed".

Regarding information obligations, it was also specified that "The method with which, pursuant to art. 6 paragraph 3 of the Ethics Rules for processing for statistical or scientific research purposes of 19 December 2018, it is intended to inform interested parties who cannot be contacted (or deceased, for the benefit of any legitimate third parties pursuant to art. 2-terdecies of the Code) regarding the processing carried out, is represented by the publication of the information on the Company's institutional website".

With particular reference to the methods of data collection and processing, in the VIP it is further specified that the "data are extrapolated from the DnWeb and/or ArchiAmb company folder system which can be consulted via access with personal credentials or SPID. Access with credentials is limited to the permanent medical staff employed in the Company (AOU Careggi) who are part of the trial group. Registration: The data is transferred and recorded on the RedCap portal [...] with access limited to temporary users and passwords held only by doctors who are authorized to access the single database [...]. The database is organized into 9 sections [...]. Each section has some fields in which to insert data with constraints relating to the type of data inserted [...]. The platform generates a unique identification code associated with each subject involved in the Study, which allows researchers to locally maintain the association with their respective personal data. The possibility of tracing the origin of the data is justified by the need to carry out follow-up studies for patients being treated at the Operating Units involved. [...]. The acquired data are stored within the aforementioned database for the entire duration of the study. [...] Each single center, through personal credentials activated one for PI and one subinvestigator, can access their own data to view and/or modify them".

The VIP correctly indicates that the data is processed in a pseudonymized form. It then contains a section called "standards applicable to processing" where the indication "Ex. Codes of conduct, guidelines, international standards" appears.

The VIP also contains a section dedicated to risk management in which the Company limits itself to indicating the main threats that could materialize the risks associated with the processing of personal data such as "illegitimate access to data", "unwanted modifications of data" and “data loss”.

In this regard, the controller further clarified that "Regarding the risk of illegitimate access to the data, the probability of the risk is considered negligible as the data is managed on the database in a pseudonymized manner, and the server hosting the database is accessible exclusively through the https protocol (TLS) with the exclusion of any other type of access (SMB, FTP or others). System service access (for maintenance or software updates) is permitted only through encrypted protocols (ssh or similar) and only from the company intranet. Administrative credentials are held only by authorized personnel. The application management credentials are personal and issued only to authorized employees who have been trained regarding their correct custody and use.

Regarding the risk of data modifications, their probability is considered negligible in light of the planned measures. The data is backed up daily, with the possibility of rapid restoration in the event of an unwanted modification occurring. Write access to data is reserved for selected users, and occurs through interfaces that minimize the probability of error.

Regarding the risk of data loss, it is assessed as undefined, but substantially low. The estimate considers the redundant hardware structures on which the system is based, the systematic backup procedures and the intrinsic resilience of the data center hosting the application. For any data losses caused by unfaithful operators, the considerations of the previous points apply (the people authorized to process are extremely limited and motivated)".

Regarding data retention times, it was clarified that "the duration of the study is 12 months, with an additional follow-up of 30 months. To this period must be added an extension for data retention to 7 years, according to current legislation (observational studies not being included in EU Regulation 536/2014, which for trials on drugs and devices extends retention to "at least 25 years ")". In particular, this retention period of at least 7 years was "inferred from the art. 18 of Legislative Decree 6 November 2007, n. 200 Implementation of Directive 2005/28/EC containing detailed principles and guidelines for good clinical practice relating to medicinal products undergoing investigation for human use, as well as requirements for the authorization to manufacture or import such medicinal products" also in light of the fact that “This regulation was cited in the Measure of this Authority no. 52 of 24 July 2008 containing Guidelines for the processing of personal data in the context of clinical trials of medicinal products, in which, in § 13, observational studies were referred to".

The aforementioned term in fact "seemed appropriate both to this Company and to the territorially competent Ethics Committee (Central Vast Area Ethics Committee - CEAVC) in particular especially in reference to observational studies, for which the conservation of data is substantially functional to a possible subsequent verification of the correct use of the information collected and processed".

The Company has specified that it keeps "a list of study participants and their codes in a file with a double identification code (for each subject enrolled, initials of name and surname are indicated in the same field and date of birth in the DD-MM-YYYY format), and at the end of the Study, will destroy this file by eliminating the correlation between data and patients, and aggregating the data according to a threshold value of 4; if this value is not achievable, the data will be deleted".
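The aggregation threshold of 4 described above, and the 1% singularity level mentioned in the Holding of the summary, can both be checked mechanically before any release. The following Python is an added example, not part of the decision or of the hospital's protocol; the quasi-identifier fields, the sample records and the reading of "singularity" as a record that is unique on its quasi-identifiers are assumptions.

```python
from collections import Counter

MIN_CELL = 4            # aggregation threshold stated by the Company
MAX_UNIQUE_RATE = 0.01  # 1% singularity level from the Holding (interpretation assumed)

# Hypothetical quasi-identifiers; the decision does not list the study's fields.
QUASI_IDS = ("centre", "sex", "age")

# Constructed sample records, not study data.
SAMPLE = [
    {"centre": "C01", "sex": "F", "age": 61},
    {"centre": "C01", "sex": "F", "age": 64},
    {"centre": "C01", "sex": "F", "age": 66},
    {"centre": "C01", "sex": "F", "age": 68},
    {"centre": "C01", "sex": "M", "age": 70},
    {"centre": "C01", "sex": "M", "age": 72},
    {"centre": "C01", "sex": "M", "age": 75},
    {"centre": "C01", "sex": "M", "age": 79},
    {"centre": "C02", "sex": "F", "age": 58},
    {"centre": "C02", "sex": "M", "age": 81},
]


def age_band(age, width=10):
    """Generalise an exact age into a fixed-width band, e.g. 64 -> '60-69'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalise(records, width=10):
    """Return copies of the records with the exact age replaced by its band."""
    return [{**r, "age": age_band(r["age"], width)} for r in records]


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count the records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def unique_rate(records, quasi_ids=QUASI_IDS):
    """Share of records that are alone in their class, i.e. can be singled out."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for n in classes.values() if n == 1) / len(records)


def aggregate(records, quasi_ids=QUASI_IDS, min_cell=MIN_CELL):
    """Publish only cells holding at least min_cell records; count the rest as deleted."""
    classes = equivalence_classes(records, quasi_ids)
    published = {key: n for key, n in classes.items() if n >= min_cell}
    deleted = sum(n for n in classes.values() if n < min_cell)
    return published, deleted


def retained(records, quasi_ids=QUASI_IDS, min_cell=MIN_CELL):
    """Records that survive once classes below the threshold are deleted."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] >= min_cell]


def meets_singularity_level(records, quasi_ids=QUASI_IDS, limit=MAX_UNIQUE_RATE):
    """True when the share of singled-out records does not exceed the limit."""
    return unique_rate(records, quasi_ids) <= limit


if __name__ == "__main__":
    banded = generalise(SAMPLE)
    print("unique rate, exact ages:", unique_rate(SAMPLE))
    print("unique rate, 10-year bands:", unique_rate(banded))
    cells, deleted = aggregate(banded)
    print("published cells:", cells)
    print("records deleted below threshold:", deleted)
    print("retained set within 1%:", meets_singularity_level(retained(banded)))
```

Removing the key file alone leaves every constructed record unique on exact age, so generalisation and deletion of small cells are what bring the rate under the limit.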

From another perspective, taking into account that the Study is aimed (also) at evaluating the effectiveness of a drug, as well as, where appropriate, collecting and transmitting information to the sponsor regarding any adverse events, the Company has clarified that "[...] the treatment concerns an observational study relating to a drug dispensed for compassionate use, authorized by an AIFA program and, for each patient, by a specific opinion of the CEAVC. This drug was actually being tested, but EMA, with a communication dated 19 August 2022, informed us that the pharmaceutical company had withdrawn the request for marketing authorization on 20 July 2022. Compassionate use is independent of testing, and the legal basis of the communication therefore does not appear to be represented by Regulation 536/2014 (art. 41), but by the Decree of 7 September 2017, which in art. 1, c. 1, f provides for the indication of nominal therapeutic use (IPRP - individual patient request program) and, in particular, in relation to the communication of adverse events, in art. 7 paragraph 2 prescribes the following: Doctors and other healthcare workers, as part of their activity, are required to report to the pharmacovigilance manager of the healthcare facility to which the reporter belongs or directly to the national pharmacovigilance network through the AIFA web portal and to the competent Ethics Committee, the suspected adverse reactions, specifying that it is a medicinal product used pursuant to this decree; the report must be sent within two days and, for medicines of biological origin no later than thirty-six hours, completely and according to the methods published on the AIFA institutional website.
Subsequently, it will be the responsibility of the pharmacovigilance manager of the health facility to which the reporter belongs to notify the report to AIFA and to the company that supplied the medicine used pursuant to this decree according to the methods and timescales established by the decree of the Minister of Health of 30 April 2015. The purpose is therefore that envisaged by the art. 2 sexies paragraph 2 letter z) of the Code, for the item relating to Pharmacovigilance".

2. The applicable legislation

As a preliminary point, it is stated that the processing of personal data must take place in compliance with the applicable legislation on the protection of personal data.
According to the Regulation, personal data must be processed "in a lawful, correct and transparent manner towards the interested party" (principle of "lawfulness, correctness and transparency", art. 5, par. 1, letter a) of the Regulation).

The principle of lawfulness requires that any processing is based on a specific legal basis (art. 6 of the Regulation). In relation to particular categories of data, including health data, art. 9 of the Regulation establishes a general prohibition on processing unless one of the specific exemptions to this prohibition occurs, which includes the consent of the interested party.

In the event that the condition of lawfulness is represented by consent, it must be given through a positive act with which the interested party expresses a free, specific, informed and unequivocal will relating to the processing of personal data concerning him (Recital 32, 42 and 43, articles 5, 6, paragraph 1, letter a) and 7 of the Regulation and Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, adopted by the European Committee for the Protection of Personal Data on May 4, 2020).

With specific reference to particular categories of data, this consent, taking into account the nature of such data, which is particularly sensitive in terms of fundamental rights and freedoms, must not only be explicit but also expressed in writing (art. 9, par. 2 letter a) of the Regulation and par. 4 of the aforementioned Guidelines 5/2020 on consent and art. 7, paragraph 2, letter. b) of the ethical rules for processing for statistical or scientific research purposes published pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, n. 101 of 19 December 2018, annex A5 to the Code (web doc. no. 9069637).

In this context, the European Committee for the Protection of Personal Data in relation to Clinical Trials has clarified that "the informed consent provided for by the Clinical Trials Regulation should not be confused with consent as the legal basis for the processing of personal data under the General Data Protection Regulation. The provisions of Chapter V of the Clinical Trials Regulation relating to informed consent, in particular Article 28, primarily respond to the fundamental ethical requirements of research projects involving humans arising from the Declaration of Helsinki. The obligation to obtain informed consent from participants in a clinical trial is first and foremost a measure that guarantees the protection of the right to human dignity and the right to the integrity of the person referred to in Articles 1 and 3 of the Charter of Fundamental Rights of the European Union; it is not designed to comply with data protection obligations. According to the General Data Protection Regulation, consent to processing must be given freely and must be specific, informed and unambiguous and, in relation to special categories of data such as health data, it must be explicit” (see points 15, 16 and 17 of Opinion 3/2019 on questions and answers on the interaction between the Clinical Trials Regulation and the General Data Protection Regulation (Article 70(1)(b)), adopted on 23 January 2019).

We then highlight the principle of storage limitation, on the basis of which the data must be stored only for the time necessary to achieve the purposes of the collection (art. 5, par. 1 letter e) of the Regulation).

In this framework, the processing of personal data for scientific research purposes must also be carried out in compliance with the Code, the Provisions and the Rules of Ethics, which constitute an essential condition for the lawfulness and correctness of the processing (art. 2-quater of the Code and art. 21, paragraph 5, of Legislative Decree no. 101 of 10 August 2018).

Specifically, art. 110 of the Code which concerns medical, biomedical and epidemiological research and provides that "The consent of the interested party for the processing of data relating to health, for the purposes of scientific research in the medical, biomedical or epidemiological field, is not necessary when [...] due to particular reasons, informing interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the objectives of the research. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is the subject of a reasoned favorable opinion from the competent ethical committee at territorial level and must be subjected to prior consultation with the Guarantor pursuant to article 36 of the Regulation”.

In this regard, "when it is not possible to acquire the consent of the interested parties, the data controllers must document, in the research project, the existence of the reasons, considered completely particular or exceptional, for which informing the interested parties is impossible or implies a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the objectives of the research" (see point 5.3 of the Provisions relating to the processing of personal data carried out for scientific research purposes).

Furthermore, personal data must be processed in compliance with the principle of transparency (art. 5, par. 1 letter a) of the Regulation), providing the interested parties with the information referred to in the art. 13 of the Regulation, in the case of data collected directly from them, or pursuant to art. 14, in case of data collected from third parties.

It should also be noted that the aforementioned legislation provides that, if the data is obtained from third parties, as in the case in question, the data controller may not provide the information referred to in paragraphs 1 to 4 of art. 14 of the Regulation, to the extent that communicating such information is impossible or involves a disproportionate effort. This, in particular, in the context of processing carried out for scientific research purposes, without prejudice to the conditions and guarantees referred to in article 89, par. 1 of the Regulation. In such cases, the data controller is in any case required to adopt appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, including by making the information public (art. 14, par. 5, letter b) of the Regulation).

On this point, the ethical rules for processing for statistical or scientific research purposes, annex A5 to the Code, provide that, if the controller collects personal data from third parties and providing the information to the interested party involves a disproportionate effort compared to the protected right, it must adopt suitable forms of publicity, indicating by way of example certain specific methods (art. 6, paragraph 3).

The regulation on the protection of personal data also concerns data subject to prior pseudonymisation, meaning: "the processing of personal data in such a way that the personal data can no longer be attributed to a specific interested party without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures intended to ensure that such personal data is not attributed to an identified or identifiable natural person" (cons. 26 and art. 4 point 5 of the Regulation). Pseudonymisation constitutes an extremely important measure in the scientific research sector, in particular in order to guarantee effective application of the principle of minimization (art. 5, par. 1, letter c) and 89 of the Regulation).

However, the regulations regarding the protection of personal data do not apply in relation to anonymous data. In this regard, it is also worth specifying that "(...) information that does not refer to an identified or identifiable natural person or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the interested party" is considered anonymous; this also applies to processing carried out for statistical or research purposes (see recital no. 26 of the Regulation). The risk of re-identification of the interested party must, however, be carefully assessed taking into account "all the means, [...], which the data controller or a third party can reasonably use to identify said natural person directly or indirectly. To ascertain the reasonable probability of using the means to identify the natural person, consideration should be given to all objective factors, including the costs and time required for identification, taking into account both the technologies available at the time of the processing, and technological developments" (see recital no. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymization techniques, adopted on 10 April 2014).

In particular, anonymisation cannot be considered achieved through the mere removal of the data subject's details or replacement of the same with a pseudonymous code. Data is anonymized, in fact, only if it does not allow in any way the direct or indirect identification of a person, taking into account all the means (economic, information, technological resources, skills, time) available to whoever (the data controller or another party) tries to use these tools to identify an interested party. An anonymization process cannot be effectively defined as such if it is not suitable for preventing anyone who uses such data, in combination with "reasonably available" means, from:

1. isolating a person in a group (single-out);

2. linking anonymized data to data relating to a person present in a distinct data set (linkability);

3. deducing new information relating to a person from anonymized data (inference).

Finally, with reference to the impact assessment, the Regulation identifies the minimum content of this document, among which it highlights in particular the assessment of the risks for the rights and freedoms of the interested parties and the measures to address the identified risks, which must include the guarantees, security measures and mechanisms to guarantee the protection of personal data and demonstrate compliance with the Regulation (art. 35, par. 7, letters c) and d); Guidelines concerning the data protection impact assessment as well as the criteria for establishing whether a processing "may present a high risk" pursuant to Regulation 2016/679 - WP248rev.01, adopted on 4 April 2017, as last amended and adopted on October 4, 2017).

3. The Authority's assessments

3.1. The legal bases of data processing

From the documentation examined and the outcome of the preliminary investigation carried out, the Guarantor believes that the Company has correctly identified the legal bases of the processing, adequately specifying, as better described in paragraph 1, the reasons justifying the impossibility of being able to inform interested parties and acquire valid consent. This circumstance is, in particular, related to the probable death of the majority of patients who are intended to be enrolled due to the high incidence of mortality of the pathology observed as well as to the reasonable and proportionate effort that is intended to be made to try to contact each of them even through the regional health registry and the resident population registry (point 5.3 of the Requirements). From another point of view, in compliance with the provisions of art. 110, paragraph 1, second sentence of the Code, according to which the research program must be previously subject to a reasoned favorable opinion from the competent ethical committees at territorial level, it remains understood that the participating Centers will be able to begin the processing of personal data necessary for the implementation of the Study only after obtaining the favorable opinions of the respective ethics committees, as the presence of this element constitutes a condition of lawfulness of the processing of personal data for the purposes in question, where it is not possible to obtain the consent of the interested parties (see provision no. 202 of 29 October 2020, web doc. 9517401 and provision no. 406 of 1 November 2021, web doc. 9731827).

3.2. Measures pursuant to art. 89 of the Regulation

The Guarantor, having taken note of the clarifications recently provided by the Company, which declared that it had improperly used the term "data anonymisation" in the context of the processing carried out for the implementation of the Study, since the data was instead pseudonymized, notes that the Company has correctly applied art. 89 of the Regulation, providing that the data is subject to minimization implemented through specific pseudonymisation measures throughout the processing phase, as indicated in the documentation in the proceedings and briefly described in the previous paragraph 1.

With regard to the anonymisation of the data, expected at the end of the retention period indicated as 7 years, also in order to allow the dissemination of the results of the Study, the Company has declared that, having eliminated the list of correlations between the direct identifiers of the patients and the pseudonym codes attributed to each of them, the data will be aggregated “[...] according to a threshold value of 4; if this value is not achievable, the data will be deleted".

With reference to the aforementioned aggregation techniques, it is however necessary to consider that the availability of a high number of aggregate statistics compared to a sample made up of a very limited number of patients can increase the identifying power of each of them, up to the possible complete reconstruction of a dataset (so-called “reconstruction attack”). To avoid this, the number of statistics disseminated must be significantly lower than the number of variables intended to be disclosed. In other words, by ensuring the dissemination of a limited number of statistics, we avoid the possibility of identifying the individual subjects forming part of the sample through mathematical calculations.

Having said all this, it is considered necessary that the Company, at the end of the data retention period for carrying out the Study, indicated as 7 years, in consideration of the number of variables being aggregated, ensures that the number of aggregate statistics to be made available is significantly lower than the number of variables considered; this, in order to avoid the risk of reconstructing data referable to single individuals.
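The effect described above can be measured before a release, as in this added example (not part of the decision or of the Company's documentation): it counts how many candidate datasets remain consistent with the published aggregates as each further statistic is released. The four-record cohort, the 60-69 age range, the list of statistics and the `min_candidates` floor are all constructed assumptions.

```python
from fractions import Fraction
from itertools import combinations_with_replacement

# Assumed background knowledge: cohort size and the value range of each variable.
AGES = range(60, 70)
SEXES = ("F", "M")
DOMAIN = [(age, sex) for age in AGES for sex in SEXES]  # every possible record

# Constructed cohort of four records (age, sex); not data from the Study.
TRUE_COHORT = [(61, "F"), (64, "M"), (66, "F"), (68, "M")]


def ages(rows, sex=None):
    """Ages of all rows, or only of the rows with the given sex."""
    return [a for a, s in rows if sex is None or s == sex]


def exact_mean(values):
    """Exact mean as a Fraction; None when the group is empty."""
    return Fraction(sum(values), len(values)) if values else None


# Aggregate statistics, in the order a publication might add them.
STATISTICS = [
    ("female_count", lambda rows: len(ages(rows, "F"))),
    ("mean_age_female", lambda rows: exact_mean(ages(rows, "F"))),
    ("mean_age_male", lambda rows: exact_mean(ages(rows, "M"))),
    ("min_age", lambda rows: min(ages(rows))),
    ("max_age", lambda rows: max(ages(rows))),
]


def publish(rows, names):
    """Values of the named statistics computed on the real records."""
    return {name: fn(rows) for name, fn in STATISTICS if name in names}


def consistent_datasets(released, cohort_size):
    """Every multiset of records that reproduces all released statistics."""
    fns = dict(STATISTICS)
    return [
        cand
        for cand in combinations_with_replacement(DOMAIN, cohort_size)
        if all(fns[name](cand) == value for name, value in released.items())
    ]


def reconstruction_curve(rows):
    """Pairs (statistics released, datasets still consistent with them)."""
    curve, names = [], []
    for name in [None] + [n for n, _ in STATISTICS]:
        if name:
            names.append(name)
        released = publish(rows, names)
        curve.append((len(names), len(consistent_datasets(released, len(rows)))))
    return curve


def max_safe_release(rows, min_candidates):
    """Largest prefix of STATISTICS leaving at least min_candidates datasets."""
    safe = 0
    for released_count, candidates in reconstruction_curve(rows):
        if candidates >= min_candidates:
            safe = released_count
    return safe


if __name__ == "__main__":
    for released_count, candidates in reconstruction_curve(TRUE_COHORT):
        print(f"{released_count} statistics -> {candidates} consistent datasets")
```

With eight unknown values (four records, two variables), five aggregates plus the cohort size leave exactly one consistent dataset, which is the constructed cohort itself.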

Furthermore, as part of the periodic checks that the data controller is required to carry out also in reference to the persistence of the effectiveness of the data anonymization measures and technological evolution, it is considered necessary that the Company undertakes to remove any singularity if, by any means, it becomes aware of one in a phase following the application of the aforementioned anonymization techniques, and to keep track of such events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified on the total of records included in the dataset (see, on this point, the Opinion issued on 30 June 2022, available on www.gpdp.it web doc. 9791886).
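One way to operationalise the threshold of 4 and the 1% rule, as an added example that is not the Company's or the Guarantor's own procedure: cells below the threshold are deleted, singularities are located, and a register signals when the re-identification risk assessment has to be repeated. The 50-record dataset, its columns and the differencing check between two published tables (one route by which a singularity can surface after release, a generalisation beyond the text) are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

K_THRESHOLD = 4        # aggregation threshold declared by the Company
REASSESS_PERCENT = 1   # singularities, as % of total records, that trigger reassessment


def build_sample():
    """Constructed 50-record dataset (the Study's estimated sample size)."""
    layout = [("60-69", "F", 20), ("60-69", "M", 18), ("70-79", "F", 7),
              ("70-79", "M", 3), ("50-59", "M", 1), ("80-89", "F", 1)]
    rows = []
    for age_band, sex, n in layout:
        for _ in range(n):
            rows.append({"id": len(rows) + 1, "age_band": age_band, "sex": sex})
    return rows


def cell(record, keys):
    """Combination of quasi-identifier values that defines a table cell."""
    return tuple(record[k] for k in keys)


def aggregate_with_threshold(records, keys, k=K_THRESHOLD):
    """Count records per cell; cells with fewer than k records are deleted."""
    counts = Counter(cell(r, keys) for r in records)
    released = {c: n for c, n in counts.items() if n >= k}
    deleted = {c: n for c, n in counts.items() if n < k}
    return released, deleted


def find_singularities(records, keys):
    """Records that are the only member of their cell (single-out risk)."""
    counts = Counter(cell(r, keys) for r in records)
    return [r for r in records if counts[cell(r, keys)] == 1]


def differencing_risks(table_all, table_subset, k=K_THRESHOLD):
    """Cells where subtracting one published table from another isolates
    between 1 and k-1 records, although both tables respect the threshold."""
    risks = {}
    for c, n_all in table_all.items():
        diff = n_all - table_subset.get(c, 0)
        if 0 < diff < k:
            risks[c] = diff
    return risks


@dataclass
class SingularityRegister:
    """Tracks singularities found after anonymisation was applied."""
    total_records: int
    events: list = field(default_factory=list)

    def record_removal(self, record_id, how_found):
        """Log a removed singularity; return True when reassessment is due."""
        self.events.append({"record_id": record_id, "how_found": how_found})
        return self.reassessment_due()

    def reassessment_due(self):
        # Integer arithmetic: events / total_records >= 1%.
        return len(self.events) * 100 >= REASSESS_PERCENT * self.total_records


if __name__ == "__main__":
    rows = build_sample()
    released, deleted = aggregate_with_threshold(rows, ("age_band", "sex"))
    print("released cells:", released)
    print("deleted cells:", deleted)
    by_sex, _ = aggregate_with_threshold(rows, ("sex",))
    under_80 = [r for r in rows if r["age_band"] != "80-89"]
    by_sex_u80, _ = aggregate_with_threshold(under_80, ("sex",))
    print("differencing risks:", differencing_risks(by_sex, by_sex_u80))
    register = SingularityRegister(total_records=len(rows))
    print("reassess:", register.record_removal(50, "differencing of two tables"))
```

On a dataset of 50 records a single logged singularity is already 2% of the total, so the first event triggers the reassessment.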

3.3. The personal data protection roles of the subjects involved in the Study

In the documentation sent by the Company, in representing the multi-centre nature of the Study, it is declared that the entities participating in it, as participating Centres, operate as independent data controllers and that the Principal Investigator is qualified as a person expressly designated pursuant to art. 2-quaterdecies of the Code who is "specifically responsible for the processing of data necessary for this activity, also with reference to the authorized persons involved in it".

In this regard, it is believed that the organizational structure implemented for the realization of the Study complies with the regulatory framework regarding the protection of personal data and as such is suitable to exclude that unauthorized third parties may be involved in processing operations on the health data of the patients enrolled in the aforementioned Study, and is compliant with the principle of correctness and transparency (art. 5, par. 1 letter a) of the Regulation and Guidelines 07/2020 on the concepts of data controller and data processor pursuant to the GDPR, Version 2.0, adopted July 7, 2021).

3.4. The measures aimed at guaranteeing the effectiveness of the principle of transparency towards the patients enrolled in the Study

In relation to the information obligations, first of all it is noted that the information model acquired in the proceedings documents (see document called "Annex 4_Information and consent") is only that relating to the information to be provided to interested parties still alive pursuant to art. 13 of the Regulation, with respect to which it is noted that:

in the document acquired in the proceedings, the legal bases of the processing, including the processing carried out ex lege such as those relating to pharmacovigilance activities, are not clearly represented to the interested parties, nor is the legal basis on the basis of which any transfer of data to third countries is carried out (see articles 13, par. 1 letter c), 14, par. 1 letter c), 45 et seq. of the Regulation and point 12 et seq. of the Guidelines on transparency pursuant to regulation 2016/679 adopted by the Article 29 Working Group on 29 November 2017, amended version adopted on 11 April 2018);

in the event of revocation of consent by the interested party, although all processing based on consent remains legitimate, it is not specified that the data controller must cease processing activities, in the absence of another legal basis that justifies retention of the data for further processing, and that the data will therefore be deleted (see points 22 et seq. of Opinion 3/2019 relating to the questions and answers on the interaction between the Clinical Trials Regulation and the General Data Protection Regulation (Article 70, paragraph 1, letter b)), cit.);

the indication in point 4, entitled "data retention" of the right of the interested party "to request, at any time, the deletion of the data, in compliance with the GDPR and the data protection law" is not relevant given the right of cancellation indicated in the following point 5, entitled "exercise of rights".

It is therefore necessary for the Company to modify the document transmitted in this sense.

With specific regard to the methods for providing information to non-contactable interested parties, the Company has declared that the information for non-contactable patients, prepared pursuant to art. 14, par. 5, letter b) of the Regulation, will be published on its website.

Having said this, taking into account that the Study involves numerous participating Centers in addition to the Sponsor, also in order to ensure the effective application of the aforementioned principles of correctness and transparency, it is deemed necessary that the Company makes public, for the entire duration of the Study, the information to be provided to interested parties, pursuant to art. 14 of the Regulation, also through a specific advertisement on the institutional websites of the testing centers involved in the Study in an easily accessible section.

3.5. The security measures implemented

The Company, as data controller, as mentioned above and as required by the procedure pursuant to arts. 110 of the Code and 36 of the Regulation, has presented to the Guarantor the VIP (impact assessment) connected to the processing necessary for the implementation of the Study, in which the technical and organizational measures envisaged for the security of the data processed, briefly described in paragraph 1, are identified in particular.

In fact, it should be noted that the implementation of the measures referred to in art. 89 of the Regulation, aimed, in particular, at the effective application of the principle of minimization, does not exempt the data controller from also introducing suitable technical and organizational measures pursuant to art. 32 of the Regulation, for an effective application of the principle of data integrity and confidentiality (art. 5, par. 1, letter f) of the Regulation).

From this document, in addition to what is highlighted in the previous paragraph 1, it emerges that the Company, in order to guarantee compliance with the principle of integrity and confidentiality, has prepared appropriate and suitable measures to protect the rights and freedoms of the cohort of interested parties involved in the Study.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 110 of the Code and art. 36 of the Regulation, expresses to the Careggi University Hospital, with registered office in Largo G.A. Brambilla, 3 - 50134 Florence, C.F. and P.I.: 04612750481, favorable opinion regarding the processing of personal data for medical, biomedical and epidemiological research purposes, referring to the cohort of deceased or uncontactable patients enrolled in the multicentre study, "retrospective and prospective multicentre observational [Italian] study to evaluate the safety and efficacy of mobocertinib in pre-treated patients with metastatic non-small cell lung cancer with EGFR exon20ins. (MOBO-real)” provided that the Company:

a) at the end of the data retention period for carrying out the Study, in consideration of the number of variables being aggregated, ensures that the number of aggregate statistics to be made available is significantly lower than the number of variables considered (point 3.2);

b) as part of the periodic checks that the data controller is required to carry out also in reference to the persistence of the effectiveness of the data anonymization measures and technological evolution, undertakes to remove any singularity if, by any means, it becomes aware of one in a phase following the application of the aforementioned anonymization techniques, and to keep track of such events in order to repeat the assessment of the risk of re-identification upon reaching 1% of singularities identified on the total records included in the dataset (point 3.2);

c) modifies the information provided to interested parties, pursuant to art. 13 of the Regulation (point 3.4):

clearly indicating the legal bases of the processing including the legal basis on the basis of which any transfer of data to third countries is carried out;

specifying, in the event of revocation of consent by the interested party, that the owner must cease processing activities in the absence of another legal basis that justifies their conservation for further processing and that therefore the data will be deleted;

eliminating in point 4, entitled "data retention", of the document called "Annex 4_Information and consent", the right of the interested party "to request, at any time, the deletion of data, in compliance with the GDPR and the law on data protection", as the right to cancellation is already mentioned in the following point 5, entitled "exercise of rights".

d) makes public the information to be provided to interested parties, pursuant to art. 14 of the Regulation, also through a specific advertisement on the institutional websites of the testing centers involved in the Study in an easily accessible section (point 3.4).

Pursuant to art. 78 of the Regulation, and to arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to lodge an appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 18 July 2023

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE GENERAL SECRETARY
Mattei

[doc. web no. 9920977]

Provision of 18 July 2023

Register of measures
n. 315 of 18 July 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councilor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

GIVEN, in particular, arts. 35 and 36 of the Regulation relating, respectively, to the impact assessment on data protection and to the prior consultation of the Authority;

HAVING REGARD to Legislative Decree 30 June 2003, n. 196 containing the “Code regarding the protection of personal data” (hereinafter “Code”);

GIVEN art. 110, paragraph 1, second sentence of the Code which, in relation to the processing of personal data for medical, biomedical and epidemiological research, provides in particular that "consent is also not necessary when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the objectives of the research. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is the subject of a reasoned favorable opinion from the competent ethical committee at territorial level and must be subjected to prior consultation with the Guarantor pursuant to article 36 of the Regulation";

GIVEN the ethical rules for processing for statistical or scientific research purposes adopted by the Guarantor, pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, n. 101, with provision no. 515, of 19 December 2018 (web doc. no. 9069637, hereinafter "Ethical rules");

GIVEN the provisions relating to the processing of personal data carried out for scientific research purposes, annex no. 5 to the Provision which identifies the provisions contained in the General Authorizations which are compatible with the Regulation and with Legislative Decree no. 101/2018 for adaptation of the Code, of 5 June 2019 (web doc. 9124510, hereinafter "Requirements");

GIVEN the request for prior consultation presented, pursuant to arts. 110 of the Code and 36 of the Regulation, by the Careggi University Hospital, with registered office in Largo G.A. Brambilla, 3 - 50134 Florence, for the implementation of the multicenter retrospective and prospective observational study “MOBO-Real OSS22465” (note dated 6 March 2023, prot. no. aouc_fi 0005671);

HAVING SEEN the documentation on file;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Speaker: the lawyer Guido Scorza;

PREMISE

1. The request for prior consultation and the investigative activity carried out

With the note in reference, the Careggi University Hospital (hereinafter the Company) has made a request, pursuant to art. 110 of the Code and art. 36 of the Regulation, for the implementation of the "retrospective and prospective multicenter observational [Italian] study to evaluate the safety and efficacy of mobocertinib in pre-treated patients with metastatic non-small cell lung cancer with EGFR exon20ins. (MOBO-real)” (hereinafter “Study”), due to the fact that it involves uncontactable or deceased patients, submitting with it the Study protocol, the opinion of the territorially competent ethics committee and the impact assessment (hereinafter also VIP), carried out pursuant to art. 35 of the Regulation (note dated 6 March 2023).

The Office of the Guarantor has started an in-depth investigation, which is acknowledged below (note dated 20 March 2023, prot. no. 47462, reply note dated 19 April 2023, prot. no. apuc_fi 0009442 and note dated 29 May 2023, prot. aouc_fi 0012607).

The Study involves all the Italian Oncology Units (26 Centres) "involved in the IPRP (Individual Patient Request Programme) with an estimated sample size of 50 patients" [who have received at least one dose of the aforementioned drug mobocertinib] overall, suffering from lung cancer (the deadliest cancer in the world in the form of non-small cell cancer (NSCLC) in advanced stages and characterized by specific mutations (exons 20)). The duration of the Study is 12 months, "with an additional follow-up of 30 months".

The study is aimed at evaluating the effectiveness of the drug "mobocertinib".

All centers participating in the Study are indicated as data controllers and each will have to obtain the opinion of the relevant ethics committee.

Recalling the parts of the protocol most relevant for personal data protection profiles, it is highlighted that the Study's primary objectives are:

“Epidemiology: evaluation of the different variants of EGFR exon 20 insertions in the Italian population;

Safety and tolerability: incidence of treatment-related adverse events (TRAEs), AEs and SAEs in a real-world population;

Efficacy: to evaluate in a real, unselected population, ORR, disease control rate (DCR), duration of response (DOR) and time to progression (TTP)”.

The following are indicated as secondary objectives:

− “Overall survival (OS)

− Progression-free survival (PFS)

− Correlation between outcome and clinical characteristics (age, sex, smoking history, comorbidities, metastatic sites/disease burden, ECOG PS, previous treatments)

− Description of outcome and biological characteristics (type of mutation)

− Evaluation of the percentage of patients in treatment 3, 6 and 12 months after the start

− Identification of a subgroup of patients who benefit from the treatment”.

It is also indicated that "[...] data will be collected from patients currently being treated with mobocertinib or from those who have interrupted treatment for any reason", using "an online platform (https://www.project-redcap.org/) available at our University (University of Florence), activating all the Oncology Units involved in the protocol". In particular, through this platform each oncology unit involved will be able to provide data by accessing the platform with user name and password. To this end, each participating center will be able to indicate up to two names among the staff responsible for uploading the data to the aforementioned platform.

“The data will be collected and recorded in compliance with Italian laws and international standards regarding GCP and privacy, also according to the general principles established by the Declaration of Helsinki and its subsequent updates. The database will be protected by credentials in the exclusive possession of the investigators. Patient names will be anonymized, assigning each patient an encoded alpha-numeric identification code. No patient identifying information will appear in any of the study documents. The clinical site manager will store the original informed consents in a locked cabinet. The Study Coordinator will store a copy of the informed consents in a locked cabinet and will keep a list of study participants and their codes in a double identification file.”

Furthermore, the protocol states that "The person responsible for the data and anonymization measures is the Principal Investigator. Only the investigators included in the study will have access to the data and results before their publication. Patient names will be anonymized, assigning each a coded alphanumeric value. [...] At the end of the study, the Study Coordinator will destroy this file, eliminating all links between the study participants, the data and the samples collected during the research of the patients included in the study."

On this point, during the preliminary investigation it was clarified that the Principal Investigator (PI) "in the Company is qualified as a person expressly designated pursuant to art. 2-quaterdecies of the Code. With Provision of the General Director n. 378 of 24 May 2019, 'General Data Protection Regulation 2016/679/EU. Determinations regarding organizational measures for adaptation to European legislation: assignment of functions and tasks to specifically designated subjects pursuant to art. 2-quaterdecies of Legislative Decree 196/2003', in the Company we have redefined the person expressly designated as Data Processor, to mean the natural person who, in charge of a given activity, is specifically responsible for the processing of data necessary for such activity, also with reference to the authorized persons involved in it".

It was also clarified that "the 'anonymisation measures' are improperly referred to, at least where it is observed that the data 'will be made anonymous, assigning each a coded alphanumeric value'".

It is then stated that "Every living patient will be given a written informed consent, which must be signed after receiving the appropriate explanations. As required by the Privacy Guarantor [...] the data for scientific research purposes will in any case be processed without informed consent for patients who are deceased and/or who cannot be contacted at the time of enrollment, after having made every reasonable effort to contact them (verification of the status of life, consultation of the data reported in the clinical documentation, use of any telephone numbers provided, as well as the acquisition of contact data from the registry of patients or the resident population)".

In this regard, in the section of the impact assessment called “How are data subjects informed of the processing?” it is indicated that "Data for scientific research purposes will in any case be processed without informed consent for patients who are deceased and/or who cannot be contacted at the time of enrollment, after having made every reasonable effort to contact them (verification of their alive status, the consultation of the data reported in the clinical documentation, the use of any telephone numbers provided, as well as the acquisition of contact details from the registry of patients or the resident population)".

Regarding the reasons why informing some interested parties may be impossible, the Company observed "that the population involved in the study is characterized by a mutation (insertion of exon 20) defined as 'rare' in the panorama of EGFR mutations, affecting 1-2% of the population affected by non-small cell lung cancer. Recent scientific evidence has defined this mutation as resistant to the main anti-EGFR drugs, finding chemotherapy as the only therapy currently in use in practice. Based on data from the EXCLAIM study and retrospective analysis data, the median overall survival for this population pre-treated with at least one previous line of chemotherapy is in total (given by the sum of the activity of the first line and subsequent lines) less than 24 months. Therefore, the aggressiveness of the disease often makes it necessary to manage post-mortem clinical data. The Company is also able, at least for those registered with the Regional Health Service who have undergone hospitalization, to verify their living status through a connection to the Regional Health Registry".

With reference to the patients who can be contacted, it was clarified that the patient is expected to sign two distinct forms, one relating to participation in the research ("Informed consent form for participation in the study version 1.0 of 30 July 2021") and one relating to the use of personal data for research purposes ("Declaration of consent to the processing of personal data pursuant to the EU general data protection regulation 2016/679 and Legislative Decree 196/2003 version 1.0 of 30 July 2021"), which follows the relevant information ("Information on the processing of personal data pursuant to the general regulation on data protection EU 2016/679 and Legislative Decree 196/2003 version 1.0 of 30 July 2021"), and that "an information model for observational research is therefore proposed".

Regarding information obligations, it was also specified that "The method with which, pursuant to art. 6 paragraph 3 of the Ethics Rules for processing for statistical or scientific research purposes of 19 December 2018, it is intended to inform interested parties who cannot be contacted (or deceased, for the benefit of any legitimate third parties pursuant to art. 2-terdecies of the Code) regarding the processing carried out, is represented by the publication of the information on the Company's institutional website".

With particular reference to the methods of data collection and processing, in the VIP it is further specified that the "data are extrapolated from the DnWeb and/or ArchiAmb company folder system which can be consulted via access with personal credentials or SPID. Access with credentials is limited to the permanent medical staff employed in the Company (AOU Careggi) who are part of the trial group. Registration: The data is transferred and recorded on the RedCap portal [...] with access limited to temporary users and passwords held only by doctors who are authorized to access the single database [...]. The database is organized into 9 sections [...]. Each section has some fields in which to insert data with constraints relating to the type of data inserted [...]. The platform generates a unique identification code associated with each subject involved in the Study, which allows researchers to locally maintain the association with their respective personal data. The possibility of tracing the origin of the data is justified by the need to carry out follow-up studies for patients being treated at the Operating Units involved. [...]. The acquired data are stored within the aforementioned database for the entire duration of the study. [...] Each single center, through personal credentials activated one for PI and one subinvestigator, can access their own data to view and/or modify them".

The VIP correctly indicates that the data is processed in a pseudonymized form. It then contains a section called "standards applicable to processing" where the indication "Ex. Codes of conduct, guidelines, international standards" appears.

The VIP also contains a section dedicated to risk management in which the Company limits itself to indicating the main threats that could materialize the risks associated with the processing of personal data such as "illegitimate access to data", "unwanted modifications of data" and “data loss”.

In this regard, the data controller further clarified that "Regarding the risk of illegitimate access to the data, the probability of the risk is considered negligible as the data is managed on the database in a pseudonymized manner, and the server hosting the database is accessible exclusively through the https protocol (TLS) with the exclusion of any other type of access (SMB, FTP or others). System service access (for maintenance or software updates) is permitted only through encrypted protocols (ssh or similar) and only from the company intranet. Administrative credentials are held only by authorized personnel. The application management credentials are personal and issued only to authorized employees who have been trained regarding their correct custody and use.

Regarding the risk of data modifications, their probability is considered negligible in light of the planned measures. The data is backed up daily, with the possibility of rapid restoration in the event of an unwanted modification occurring. Write access to data is reserved for selected users, and occurs through interfaces that minimize the probability of error.

Regarding the risk of data loss, it is assessed as undefined, but substantially low. The estimate considers the redundant hardware structures on which the system is based, the systematic backup procedures and the intrinsic resilience of the data center hosting the application. For any data losses caused by unfaithful operators, the considerations of the previous points apply (the people authorized to process are extremely limited and motivated)".

Regarding data retention times, it was clarified that "the duration of the study is 12 months, with an additional follow-up of 30 months. To this period must be added an extension for data retention to 7 years, according to current legislation (observational studies not being included in EU Regulation 536/2014, which for trials on drugs and devices extends retention to "at least 25 years ")". In particular, this retention period of at least 7 years was "inferred from the art. 18 of Legislative Decree 6 November 2007, n. 200 Implementation of Directive 2005/28/EC containing detailed principles and guidelines for good clinical practice relating to medicinal products undergoing investigation for human use, as well as requirements for the authorization to manufacture or import such medicinal products" also in light of the fact that “This regulation was cited in the Measure of this Authority no. 52 of 24 July 2008 containing Guidelines for the processing of personal data in the context of clinical trials of medicinal products, in which, in § 13, observational studies were referred to".

The aforementioned term in fact "seemed appropriate both to this Company and to the territorially competent Ethics Committee (Central Vast Area Ethics Committee - CEAVC) in particular especially in reference to observational studies, for which the conservation of data is substantially functional to a possible subsequent verification of the correct use of the information collected and processed".

The Company has specified that it keeps "a list of study participants and their codes in a file with a double identification code (for each subject enrolled, initials of name and surname are indicated in the same field and date of birth in the DD-MM-YYYY format), and at the end of the Study, will destroy this file by eliminating the correlation between data and patients, and aggregating the data according to a threshold value of 4; if this value is not achievable, the data will be deleted".

From another perspective, taking into account that the Study is aimed (also) at evaluating the effectiveness of a drug, as well as, where appropriate, collecting and transmitting information to the sponsor regarding any adverse events, the Company has clarified that "[...] the treatment concerns an observational study relating to a drug dispensed for compassionate use, authorized by an AIFA program and, for each patient, by a specific opinion of the CEAVC. This drug was actually being tested, but EMA, with a communication dated 19 August 2022, informed us that the pharmaceutical company had withdrawn the request for marketing authorization on 20 July 2022. Compassionate use is independent of testing, and the legal basis of the communication therefore does not appear to be represented by Regulation 536/2014 (art. 41), but by the Decree of 7 September 2017, which in art. 1, c. 1, f provides for the indication of nominal therapeutic use (IPRP - individual patient request program) and, in particular, in relation to the communication of adverse events, in art. 7 paragraph 2 prescribes the following: Doctors and other healthcare workers, as part of their activity, are required to report to the pharmacovigilance manager of the healthcare facility to which the reporter belongs or directly to the national pharmacovigilance network through the AIFA web portal and to the competent Ethics Committee, the suspected adverse reactions, specifying that it is a medicinal product used pursuant to this decree; the report must be sent within two days and, for medicines of biological origin no later than thirty-six hours, completely and according to the methods published on the AIFA institutional website.
Subsequently, it will be the responsibility of the pharmacovigilance manager of the health facility to which the reporter belongs to notify the report to AIFA and to the company that supplied the medicine used pursuant to this decree according to the methods and timescales established by the decree of the Minister of Health of 30 April 2015. The purpose is therefore that envisaged by the art. 2 sexies paragraph 2 letter z) of the Code, for the item relating to Pharmacovigilance".

2. The applicable legislation

As a preliminary point, it is stated that the processing of personal data must take place in compliance with the applicable legislation on the protection of personal data.
According to the Regulation, personal data must be processed "in a lawful, correct and transparent manner towards the interested party" (principle of "lawfulness, correctness and transparency", art. 5, par. 1, letter a) of the Regulation).

The principle of lawfulness requires that any processing is based on a specific legal basis (art. 6 of the Regulation). In relation to particular categories of data, including health data, art. 9 of the Regulation establishes a general prohibition on processing unless one of the specific exemptions to this prohibition occurs, which includes the consent of the interested party.

In the event that the condition of lawfulness is represented by consent, it must be given through a positive act with which the interested party expresses a free, specific, informed and unequivocal will relating to the processing of personal data concerning him (Recitals 32, 42 and 43, articles 5, 6, paragraph 1, letter a) and 7 of the Regulation and Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, adopted by the European Data Protection Board on May 4, 2020).

With specific reference to particular categories of data, this consent, taking into account the nature of such data, which is particularly sensitive in terms of fundamental rights and freedoms, must not only be explicit but also expressed in writing (art. 9, par. 2 letter a) of the Regulation and par. 4 of the aforementioned Guidelines 5/2020 on consent and art. 7, paragraph 2, letter b) of the ethical rules for processing for statistical or scientific research purposes published pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, n. 101 of 19 December 2018, annex A5 to the Code (web doc. no. 9069637)).

In this context, the European Data Protection Board has clarified, in relation to clinical trials, that "the informed consent provided for by the Clinical Trials Regulation should not be confused with consent as the legal basis for the processing of personal data under the General Data Protection Regulation. The provisions of Chapter V of the Clinical Trials Regulation relating to informed consent, in particular Article 28, primarily respond to the fundamental ethical requirements of research projects involving humans arising from the Declaration of Helsinki. The obligation to obtain informed consent from participants in a clinical trial is first and foremost a measure that guarantees the protection of the right to human dignity and the right to the integrity of the person referred to in Articles 1 and 3 of the Charter of Fundamental Rights of the European Union; it is not designed to comply with data protection obligations. According to the General Data Protection Regulation, consent to processing must be given freely and must be specific, informed and unambiguous and, in relation to special categories of data such as health data, it must be explicit" (see points 15, 16 and 17 of Opinion 3/2019 on questions and answers on the interaction between the Clinical Trials Regulation and the General Data Protection Regulation (Article 70(1)(b)), adopted on 23 January 2019).

We then highlight the principle of storage limitation, on the basis of which the data must be stored only for the time necessary to achieve the purposes of the collection (art. 5, par. 1 letter e) of the Regulation).

In this framework, the processing of personal data for scientific research purposes must also be carried out in compliance with the Code, the Provisions and the Rules of Ethics, which constitute an essential condition for the lawfulness and correctness of the processing (art. 2-quater of the Code and art. 21, paragraph 5, of Legislative Decree no. 101 of 10 August 2018).

Specifically, art. 110 of the Code concerns medical, biomedical and epidemiological research and provides that "The consent of the interested party for the processing of data relating to health, for the purposes of scientific research in the medical, biomedical or epidemiological field, is not necessary when [...] due to particular reasons, informing interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the objectives of the research. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is the subject of a reasoned favorable opinion from the competent ethical committee at territorial level and must be subjected to prior consultation with the Guarantor pursuant to article 36 of the Regulation".

In this regard, "when it is not possible to acquire the consent of the interested parties, the data controllers must document, in the research project, the existence of the reasons, considered completely particular or exceptional, for which informing the interested parties is impossible or implies a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the objectives of the research" (see point 5.3 of the Provisions relating to the processing of personal data carried out for scientific research purposes).

Furthermore, personal data must be processed in compliance with the principle of transparency (art. 5, par. 1 letter a) of the Regulation), providing the interested parties with the information referred to in the art. 13 of the Regulation, in the case of data collected directly from them, or pursuant to art. 14, in case of data collected from third parties.

It should also be noted that the aforementioned legislation provides that, if the data is obtained from third parties, as in the case in question, the data controller may not provide the information referred to in paragraphs 1 to 4 of art. 14 of the Regulation, to the extent that communicating such information is impossible or involves a disproportionate effort. This applies, in particular, in the context of processing carried out for scientific research purposes, without prejudice to the conditions and guarantees referred to in article 89, par. 1 of the Regulation. In such cases, the data controller is in any case required to adopt appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, including by making the information public (art. 14, par. 5, letter b) of the Regulation).

On this point, the ethical rules for processing for statistical or scientific research purposes, annex A5 to the Code, provide that, if the data controller collects personal data from third parties and providing the information to the interested party involves a disproportionate effort compared to the protected right, it must adopt suitable forms of publicity, indicating by way of example certain specific methods (art. 6, paragraph 3).

The regulation on the protection of personal data also concerns data subject to prior pseudonymisation, meaning: "the processing of personal data in such a way that the personal data can no longer be attributed to a specific interested party without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures intended to ensure that such personal data is not attributed to an identified or identifiable natural person" (recital 26 and art. 4 point 5 of the Regulation). Pseudonymisation constitutes an extremely important measure in the scientific research sector, in particular in order to guarantee effective application of the principle of minimization (art. 5, par. 1, letter c) and 89 of the Regulation).

However, the regulations regarding the protection of personal data do not apply in relation to anonymous data. In this regard, it is also worth specifying that "(...) information that does not refer to an identified or identifiable natural person or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the interested party" is considered anonymous; this also applies to processing carried out for statistical or research purposes (see recital no. 26 of the Regulation). The risk of re-identification of the interested party must, however, be carefully assessed taking into account "all the means, [...], which the data controller or a third party can reasonably use to identify the said natural person directly or indirectly. To ascertain the reasonable probability of using the means to identify the natural person, consideration should be given to all objective factors, including the costs and time required for identification, taking into account both the technologies available at the time of the processing, and technological developments" (see recital no. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymization techniques, adopted on 10 April 2014).

In particular, anonymisation cannot be considered achieved through the mere removal of the data subject's details or replacement of the same with a pseudonymous code. The anonymized data, in fact, is such only if it does not allow in any way the direct or indirect identification of a person, taking into account all the means (economic, information, technological resources, skills, time) available to whoever (the data controller or another person) tries to use these means to identify an interested party. An anonymization process cannot be effectively defined as such if it is not suitable for preventing anyone who uses such data, in combination with "reasonably available" means, from:

1. isolating a person in a group (singling out);

2. linking anonymized data to data relating to a person present in a distinct data set (linkability);

3. deducing new information relating to a person from anonymized data (inference).

Finally, with reference to the impact assessment, the Regulation identifies the minimum content of this document, among which it highlights in particular the assessment of the risks for the rights and freedoms of the interested parties and the measures to address the identified risks, which must include the guarantees, security measures and mechanisms to guarantee the protection of personal data and demonstrate compliance with the Regulation (art. 35, par. 7, letters c) and d); Guidelines concerning the data protection impact assessment as well as the criteria for establishing whether a processing "may present a high risk" pursuant to Regulation 2016/679 - WP248rev.01, adopted on 4 April 2017, as last amended and adopted on October 4, 2017).

3. The Authority's assessments

3.1. The legal bases of data processing

From the documentation examined and the outcome of the preliminary investigation carried out, the Guarantor believes that the Company has correctly identified the legal bases of the processing, adequately specifying, as better described in paragraph 1, the reasons justifying the impossibility of being able to inform interested parties and acquire valid consent. This circumstance is, in particular, related to the probable death of the majority of patients who are intended to be enrolled due to the high incidence of mortality of the pathology observed as well as to the reasonable and proportionate effort that is intended to be made to try to contact each of them even through the regional health registry and the resident population registry (point 5.3 of the Requirements). From another point of view, in compliance with the provisions of art. 110, paragraph 1, second sentence of the Code, according to which the research program must be previously subject to a reasoned favorable opinion from the competent ethical committees at territorial level, it remains understood that the participating Centers will be able to begin the processing of personal data necessary for the implementation of the Study only after obtaining the favorable opinions of the respective ethics committees, as the presence of this element constitutes a condition of lawfulness of the processing of personal data for the purposes in question, where it is not possible to obtain the consent of the interested parties (see provision no. 202 of 29 October 2020, web doc. 9517401 and provision no. 406 of 1 November 2021, web doc. 9731827).

3.2. Measures pursuant to art. 89 of the Regulation

The Guarantor, having taken note of the clarifications recently provided by the Company, which declared that it had improperly used the term "data anonymisation" in the context of the processing carried out for the implementation of the Study, since it was instead pseudonymized data, notes that the aforementioned Company has correctly applied art. 89 of the Regulation, providing that the data is subject to minimization implemented through specific pseudonymisation measures throughout the processing phase, as indicated in the documentation in the proceedings and briefly described in the previous paragraph 1.

With regard to the anonymisation of the data, expected at the end of the retention period indicated as 7 years, also in order to allow the dissemination of the results of the Study, the Company has declared that, having eliminated the list of correlations between the direct identifiers of the patients and the pseudonym codes attributed to each of them, the data will be aggregated “[...] according to a threshold value of 4; if this value is not achievable, the data will be deleted".

With reference to the aforementioned aggregation techniques, it is however necessary to consider that the availability of a high number of aggregate statistics compared to a sample made up of a very limited number of patients can increase the identifying power of each of them, up to the possible complete reconstruction of a dataset (so-called “reconstruction attack”). To avoid this, the number of statistics disseminated must be significantly lower than the number of variables intended to be disclosed. In other words, by ensuring the dissemination of a limited number of statistics, we avoid the possibility of identifying the individual subjects forming part of the sample through mathematical calculations.

Having said all this, it is considered necessary that the Company, at the end of the data retention period for carrying out the Study, indicated as 7 years, in consideration of the number of variables being aggregated, ensures that the number of aggregate statistics to be made available is significantly lower than the number of variables considered; this, in order to avoid the risk of reconstructing data referable to single individuals.

Furthermore, as part of the periodic checks that the data controller is required to carry out, also with reference to the continued effectiveness of the data anonymization measures and to technological evolution, it is considered necessary that the Company undertakes to remove any singularity if, by any means, it becomes aware of them in a phase following the application of the aforementioned anonymization techniques, and to keep track of such events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified on the total of records included in the dataset (see, on this point, the Opinion issued on 30 June 2022, available on www.gpdp.it web doc. 9791886).
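The aggregation, reconstruction and singularity points made in this section can be checked before release with a short script. The following is an added example, not part of the opinion or of the Company's documentation: the five-record cohort with three binary variables is constructed, all function names are hypothetical, a cell below the threshold is assumed to be simply left unpublished, and a singularity is assumed to be a record whose combination of values occurs only once.

```python
from collections import Counter
from itertools import combinations_with_replacement, product

# Constructed toy cohort, not study data: (age_65_plus, female, responded).
COHORT = [(1, 1, 1), (1, 0, 0), (0, 1, 0), (1, 1, 0), (0, 1, 1)]
DOMAIN = list(product((0, 1), repeat=3))  # the 8 possible record types
THRESHOLD = 4       # aggregation threshold stated by the Company
REASSESS_AT = 0.01  # 1% singularity level set in the opinion


def one_way(records):
    """Three statistics: for each variable, how many records have value 1."""
    return {("var", i): sum(r[i] for r in records) for i in range(3)}


def two_way(records):
    """Twelve statistics: every cell of every pairwise cross-tabulation."""
    stats = {}
    for i, j in ((0, 1), (0, 2), (1, 2)):
        cells = Counter((r[i], r[j]) for r in records)
        for cell in product((0, 1), repeat=2):
            stats[(i, j, cell)] = cells[cell]
    return stats


def apply_threshold(published, k=THRESHOLD):
    """Keep only cells with at least k records (assumption: a suppressed
    cell is simply not published)."""
    return {key: value for key, value in published.items() if value >= k}


def consistent_datasets(release, published, n):
    """All multisets of n records that reproduce every published statistic.

    Exactly one result means the release determines the whole dataset.
    """
    matches = []
    for candidate in combinations_with_replacement(DOMAIN, n):
        stats = release(candidate)
        if all(stats[key] == value for key, value in published.items()):
            matches.append(candidate)
    return matches


def singularity_rate(records):
    """Share of records whose combination of values occurs exactly once
    (assumption: this is how a singularity is counted)."""
    counts = Counter(records)
    return sum(1 for r in records if counts[r] == 1) / len(records)


def needs_reassessment(records, level=REASSESS_AT):
    """True once singular records reach the 1% level named in the opinion."""
    return singularity_rate(records) >= level


if __name__ == "__main__":
    n = len(COHORT)
    few = consistent_datasets(one_way, one_way(COHORT), n)
    many = consistent_datasets(two_way, two_way(COHORT), n)
    print("3 statistics  ->", len(few), "consistent datasets")
    print("12 statistics ->", len(many), "consistent dataset(s)")
    print("reconstructed :", many[0] == tuple(sorted(COHORT)))
    print("after threshold of 4:", apply_threshold(two_way(COHORT)))
    print("singularity rate:", singularity_rate(COHORT),
          "reassess:", needs_reassessment(COHORT))
```

With only the three per-variable counts, many different datasets fit the release; with the twelve pairwise cells, only the original cohort does, even though no single cell names a patient. Applying the threshold of 4 to those twelve cells leaves nothing to publish.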

3.3. The personal data protection roles of the subjects involved in the Study

In the documentation sent by the Company, in representing the multi-centre nature of the Study, it is declared that the entities participating in it, as participating Centres, operate as independent data controllers and that the Principal Investigator is qualified as a person expressly designated pursuant to art. 2-quaterdecies of the Code who is "specifically responsible for the processing of data necessary for this activity, also with reference to the authorized persons involved in it".

In this regard, it is believed that the organizational structure implemented for the realization of the Study complies with the regulatory framework regarding the protection of personal data and as such is suitable to exclude that unauthorized third parties may be involved in data processing operations on the health of the patients enrolled in the aforementioned Study and compliant with the principle of correctness and transparency (art. 5, par. 1 letter a) of the Regulation and Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, adopted July 7, 2021).

3.4. The measures aimed at guaranteeing the effectiveness of the principle of transparency towards the patients enrolled in the Study

In relation to the information obligations, first of all it is noted that the information model acquired in the proceedings documents (see document called "Annex 4_Information and consent") is only that relating to the information to be provided to interested parties still alive pursuant to art. 13 of the Regulation, with respect to which it is noted that:

in the document acquired in the proceedings, the legal bases of the processing, including the processing carried out ex lege such as that relating to pharmacovigilance activities, are not clearly represented to the interested parties, nor is the legal basis on which any transfer of data to third countries is carried out (see articles 13, par. 1 letter c), 14, par. 1 letter c), 45 et seq. of the Regulation and point 12 et seq. of the Guidelines on transparency pursuant to regulation 2016/679 adopted by the Article 29 Working Group on 29 November 2017, amended version adopted on 11 April 2018);

in the event of revocation of consent by the interested party, although all processing based on consent remains legitimate, it is not specified that the data controller must cease processing activities, in the absence of another legal basis that justifies its retention for further processing, and that the data will therefore be deleted (see points 22 et seq. of Opinion 3/2019 relating to the questions and answers on the interaction between the Clinical Trials Regulation and the General Data Protection Regulation (Article 70, paragraph 1, letter b)), cit.);

the indication in point 4, entitled "data retention" of the right of the interested party "to request, at any time, the deletion of the data, in compliance with the GDPR and the data protection law" is not relevant given the right of cancellation indicated in the following point 5, entitled "exercise of rights".

It is therefore necessary for the Company to modify the document transmitted in this sense.

With specific regard to the methods for providing information to non-contactable interested parties, the Company has declared that the information for non-contactable patients, prepared pursuant to art. 14, par. 5, letter. b) of the Regulation will be published on its website.

Having said this, taking into account that the Study involves numerous participating Centers in addition to the Sponsor, also in order to ensure the effective application of the aforementioned principles of correctness and transparency, it is deemed necessary that the Company makes public, for the entire duration of the Study, the information to be provided to interested parties, pursuant to art. 14 of the Regulation, also through a specific advertisement on the institutional websites of the testing centers involved in the Study in an easily accessible section.

3.5. The security measures implemented

The Company, as data controller, as mentioned above and as required by the procedure pursuant to arts. 110 of the Code and 36 of the Regulation, has presented to the Guarantor the VIP connected to the processing necessary for the implementation of the Study, in which the technical and organizational measures briefly described in paragraph 1, envisaged for the security of the data processed, are identified in particular.

In fact, it should be noted that the implementation of the measures referred to in art. 89 of the Regulation, aimed, in particular, at the effective application of the principle of minimization, does not exempt the data controller from also introducing suitable technical and organizational measures pursuant to art. 32 of the Regulation, for an effective application of the principle of data integrity and confidentiality (art. 5, par. 1, letter f) of the Regulation).

From this document, in addition to what is highlighted in the previous paragraph 1, it emerges that the Company, in order to guarantee compliance with the principle of integrity and confidentiality, has prepared appropriate and suitable measures to protect the rights and freedoms of the cohort of interested parties involved in the Study.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 110 of the Code and art. 36 of the Regulation, expresses to the Careggi University Hospital, with registered office in Largo G.A. Brambilla, 3 - 50134 Florence, C.F. and P.I.: 04612750481, favorable opinion regarding the processing of personal data for medical, biomedical and epidemiological research purposes, referring to the cohort of deceased or uncontactable patients enrolled in the multicentre study, "retrospective and prospective multicentre observational [Italian] study to evaluate the safety and efficacy of mobocertinib in pre-treated patients with metastatic non-small cell lung cancer with EGFR exon20ins. (MOBO-real)” provided that the Company:

a) at the end of the data retention period for carrying out the Study, in consideration of the number of variables being aggregated, ensure that the number of aggregate statistics to be made available is significantly lower than the number of variables considered (point 3.2);

b) as part of the periodic checks that the data controller is required to carry out, also with reference to the continued effectiveness of the data anonymization measures and to technological evolution, undertakes to remove any singularity if, by any means, it becomes aware of them in a phase following the application of the aforementioned anonymization techniques, and to keep track of such events in order to repeat the assessment of the risk of re-identification upon reaching 1% of singularities identified on the total records included in the dataset (point 3.2);

c) modifies the information provided to interested parties, pursuant to art. 13 of the Regulation (point 3.4):

clearly indicating the legal bases of the processing including the legal basis on the basis of which any transfer of data to third countries is carried out;

specifying, in the event of revocation of consent by the interested party, that the data controller must cease processing activities in the absence of another legal basis that justifies their conservation for further processing and that therefore the data will be deleted;

eliminating in point 4 entitled "data retention" of the document called "Annex 4_Information and consent", the right of the interested party "to request, at any time, the deletion of data, in compliance with the GDPR and the law on data protection ” as the right to cancellation is already mentioned in the following point 5, entitled “exercise of rights”.

d) makes public the information to be provided to interested parties, pursuant to art. 14 of the Regulation, also through a specific advertisement on the institutional websites of the testing centers involved in the Study in an easily accessible section (point 3.4).

Pursuant to art. 78 of the Regulation and arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to lodge an appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 18 July 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE GENERAL SECRETARY
Mattei