Garante per la protezione dei dati personali (Italy) - 9875254

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 9(2)(j) GDPR
Article 9(4) GDPR
Article 89 GDPR
Article 35 GDPR
Article 36 GDPR
Type: Other
Outcome: n/a
Started:
Decided: 02.03.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 9875254
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (Italy) (in IT)
Initial Contributor: mg

The Italian DPA held that, under national law implementing Article 9 GDPR, the processing of health data for scientific purposes can be carried out without explicit consent when the collection entails a disproportionate effort or impairs the research purposes. In such cases, suitable safeguards to protect privacy and security of the data must be provided.

English Summary

Facts

The controller, an Italian hospital, opened a prior consultation procedure under Article 36 GDPR.

The controller aimed to study the correlation between COVID-19 restrictions and the increase in mental diseases in children. For this purpose, it needed to collect health data of several thousand patients. Before starting the processing, the hospital performed a Data Protection Impact Assessment (DPIA) pursuant to Article 35 GDPR and reported to the DPA that it was not possible to collect the consent of the people involved in the study.

The controller claimed that collecting consent from the children and their families would entail a disproportionate effort by the hospital. Even more importantly, this operation would compromise the validity of the scientific research. According to the hospital, collection of consent would inevitably introduce a selection bias in the study. As a matter of fact, only families with a higher socio-economic background would give consent, as they can dedicate some hours to go to the hospital and sign documents. The study aimed instead to analyse the impact of the restrictions on the mental health of all children.

Holding

The DPA pointed out that special categories of data, including health data, can be processed without consent for scientific research purposes pursuant to Article 9(2)(j) GDPR, provided that appropriate safeguards under Article 89(1) GDPR are in place. These safeguards (e.g. pseudonymisation) shall guarantee the principle of data minimisation. Article 9(4) GDPR also enables Member States to adopt or maintain more restrictive rules for the processing of health data.

The Italian law (Art. 110 of the Privacy Code) implements Article 9(4) GDPR to the extent that consent to the processing of health data for scientific purposes can be derogated from only insofar as collection of consent entails a disproportionate effort for the controller or would impair the scientific quality of the research. Moreover, such processing shall obtain prior approval from an ethical committee and from the DPA itself in the context of Article 36 GDPR.

In the present case, the DPA upheld the argument based on the existence of a disproportionate effort for the hospital. On the other hand, the fact that the collection of consent could alter the results of the study was considered irrelevant. According to the DPA, consent always introduces a selection bias in scientific research. The existence of such a selection bias is not mentioned by the Italian law as a valid exception to the general rule of consent.

The DPA also found that the hospital implemented suitable safeguards to protect privacy and security of data collected during the study. Therefore, it gave a positive answer to the prior consultation procedure and authorised the processing.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9875254]

Provision of 2 March 2023

Register of measures
no. 73 of 2 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/CE - General Data Protection Regulation (hereinafter "Regulation");

CONSIDERING, in particular, the articles 35 and 36 of the Regulation relating, respectively, to the impact assessment on data protection and to the prior consultation of the Authority;

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data" (hereinafter the "Code");

CONSIDERING the art. 110 paragraph 1, second sentence of the Code which, in relation to the processing of personal data for medical, biomedical and epidemiological research, provides in particular that "consent is also not necessary when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the research objectives. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is subject to a reasoned favorable opinion from the competent ethics committee at the territorial level and must be subjected to prior consultation of the Guarantor pursuant to article 36 of the Regulation”;

HAVING REGARD to the ethical rules for processing for statistical or scientific research purposes adopted by the Guarantor, pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, n. 101, with provision n. 515, of 19 December 2018 (web doc. n. 9069637, hereinafter "Ethical rules");

HAVING REGARD to the provisions relating to the processing of personal data carried out for scientific research purposes, attachment no. 5 to the Provision which identifies the provisions contained in the general Authorizations which are compatible with the Regulation and with Legislative Decree no. 101/2018 adapting the Code, of 5 June 2019 (web doc. 9124510, hereinafter "Prescriptions");

HAVING REGARD to the request for prior consultation presented, pursuant to articles 110 of the Code and 36 of the Regulations, by the Città della Salute e della Scienza University Hospital of Turin, with registered office in Corso Bramante 88/90 – 10126 Turin, for the realization of a multicentre, retrospective, observational and epidemiological study (note of 2 February 2022, prot. no. 0011711/A.4.2.2., subsequently integrated with a note of 8 June 2022, prot. no. 0064367/A.4.2.2.);

HAVING REGARD to the documentation in the deeds;

GIVEN the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Speaker the lawyer Guido Scorza;

WHEREAS

1. The application for prior consultation and the preliminary investigation carried out

With a note dated 2 February 2022, the Città della Salute e della Scienza University Hospital of Turin (hereinafter the "Company") presented a request for prior consultation, pursuant to art. 110, paragraph 1, last paragraph of the Code and art. 36 of the Regulation, as promoter of the non-profit, multicentre, retrospective, observational, epidemiological and non-pharmacological study, called "Analysis of emergency accesses for neurological and psychiatric pathology in childhood and adolescence" (hereinafter "Study"), as, due to particular reasons (described below), it is not possible to inform patients who intend to enroll in the Study.

In this regard, the Company has sent the impact assessment, carried out pursuant to art. 35 of the Regulation. Following the observations made by the Office in the context of the preliminary investigation (note of 18 February 2022, prot. n. 11372) - which highlighted certain critical issues in relation to the protection profiles of personal data in the processing object of the Study and the failure to transmit the research project in the deeds - the Company has transmitted the supplementary documentation and in particular the protocol of the Study and the opinions, obtained up to that moment, of the territorially competent ethics committees (note of 8 June 2022).

The Study is aimed at "evaluating the impact of the Covid pandemic and related institutional social distancing measures on emergency access for infantile neuropsychiatric pathology (NPI) and placing this impact in the context of the trend prior to the pandemic itself". It also aims to "describe the change in psychopathology (expressed as a reason for accessing the emergency room), identify more vulnerable populations (in relation to age, sex, socio-economic status), correlate the trend of accesses with the measures institutional social distancing (and therefore school closures), as the weeks progress since the start of the pandemic; evaluate any changes in the hospitalization rate and analyze the revolving door phenomenon, i.e. the return after a short period of time to the hospital of a patient recently discharged from hospitalization. The hypotheses under study are in fact that there has been an increase in emergency accesses for NPI pathology after the pandemic and in particular, that there has been an increase for pathologies that involve a life risk (suicide attempt, extreme anorexia)".

The Study provides for "the collection of emergency accesses that required NPI specialist consultation in the emergency rooms of the participating centers [...] between 1 January 2018 and 31 December 2021 (...)". In particular, "all patients who have requested an NPI consultation in the emergency room, for neurological or psychiatric reasons" will be included. The Study provides for the collection of the following personal data: “name and surname of the subject, then converted into a randomly generated unique code (UUID); age, expressed in years and months; gender in numerical categorical form; Complete residence zip code; PS access date; episode in numerical categorical form (neurological/psychiatric); episode description; relapsed access (categorical); previous therapy; any previous diagnosis; any previous NPI taking charge; subsequent hospitalization (yes/no), in numerical categorical form. The total number of accesses for a single pediatric emergency department per week will also be collected (aggregate data)”.

The Company also represented that the Study envisages the enrollment of a number of patients between 6,000 and 10,000 and indicated all the participating Centers where the collection of personal data is envisaged. In particular, the methods for collecting, storing and sending data are described in the protocol. In this regard, it was specified that “The data will be collected from the corporate information systems; that the identification data of the enrolled subject (name, surname) will be subjected to pseudonymisation with a randomly generated unique code (UUID); the study data will be collected in a database (spreadsheet) protected by a password and stored on a (non-company) PC located outside the network and will contain only the UUID code and not the identification data; at the same time, another personal data spreadsheet will be created which will contain the correspondence between the unique code and the identification data of the subjects; this personal data database, protected by a password, will be encrypted and stored on an external hard drive. The external hard drive will be stored in a lockable cabinet and placed in a room protected by a lockable door. The protection passwords of the 2 databases and the encryption password will be strictly separate. The personal data database will be kept for the time necessary to conclude the data analysis (12 months), after which it will be eliminated. After 12 months, the data is treated completely anonymously. The database containing the pseudonymized data will be kept for the time necessary to complete the analysis and ensure the replicability control of the results obtained (5 years), subsequently it will be eliminated”. In this regard, the Company has also stated that: “Pseudonymised data will be aggregated by week and then anonymised (…) and will be analyzed in that form”.

This process is confirmed in the impact assessment which also describes the security measures implemented by the controller to limit the risks to the fundamental rights and freedoms of the data subjects.

With particular reference to the transmission of data from the participating Centres, the Company declared that “The data will be transmitted by the participating centers in anonymous and aggregated form according to the following models: week cardinal number; year; week as date; total number of neurological (or psychiatric) accesses; patients who discontinued therapy in the previous three months (total number); total number of hospitalized patients; average deprivation index (calculated by CAP); number of single issue accesses; number of patients who had already accessed in the previous three months; number of subjects with previous drug or other therapy; number of subjects with previous diagnosis; number of subjects with previous NPI taking charge week cardinal number; year; week as date; number of male subjects; average age in years”.

The Company, taking into account the observations made by the Office during the preliminary investigation, has better explained the reasons why it is not possible to acquire the consent of the interested parties, specifying in this regard that "this would imply first of all seriously jeopardizing the achievement of the purpose of the research, with alteration of the results and, to a lesser extent, would imply a disproportionate effort, given the existence of ethical reasons and reasons of organizational impossibility [...]. More specifically [...], it is reiterated that the present study, epidemiological observational, aims to obtain an accurate and complete analysis of the trend of all emergency neuropsychiatric emergency accesses in recent years in the main Italian pediatric hospitals. In fact, a selection bias would be introduced due to the fact that subjects sensitive to the research and/or the clinical issues covered by it would more easily express consent, belonging to a higher average socio-economic status and having the possibility of investing approximately one time of their time and come to the hospital to sign informed consents (Enzenbach, 2019; Vose, 2021; Knudsen, 2010; Coughlin, 2006). In the alternative, since it concerns a very high hypothesized sample size (between 6,000 and 10,000 subjects), the economic and personnel resources necessary to obtain the consents, which however would probably only be very partial, would be disproportionate, in the face of a persistent bias of selection that would in any case nullify the scientific significance of the study".

On this point it was also represented that "the present study has an epidemiological nature and the evaluations carried out on the data may have a scientific value if they include the total number of actual patients who have accessed the emergency room for infantile neuropsychiatric reasons [...] ”.

In relation to the impossibility of informing the interested parties and therefore of acquiring their consent, in response to a specific preliminary investigation by the Guarantor, the Company has better represented that "The population under study is made up of minors (from 0 to 17 years and 11 months) who went to one of the pediatric emergency departments involved in this study and received a specialist pediatric neuropsychiatric consultation. It should therefore be noted that the patients involved in this study are not, in the vast majority of cases, patients taken in charge or followed up on an ongoing basis by Child Neuropsychiatry (NPI) structures” [...] “It is not the parent [but the emergency pediatrician] who requested a specialist visit and this visit could only minimally have been followed by an ongoing therapeutic relationship with the Child Neuropsychiatry facilities".

It was also highlighted that "Since this study has an epidemiological objective, retrospectively requesting written informed consent would introduce selection bias [to be understood as] a condition in which the study population is not representative of the target population (i.e. evaluate) that would completely distort the work". The owner then listed various reasons related to the cultural, social, economic and demographic condition of the families of the interested parties involved in the Study, which, also on the basis of a copious scientific literature, lead the latter not to participate in epidemiological medical research that they have not " a personal return (…) from the research in which they are involved” and therefore with direct effects on their health.

The owner then reiterated that "Due to the nature of the study it is essential to be able to collect information about all the subjects who have accessed the emergency room for neuropsychiatric emergencies in order to be able to support, thanks to evidence-based medicine data, specific intervention projects for any more vulnerable subjects”.

The Company has also documented that attempting to contact every single patient in the study population would involve a disproportionate effort. Following a specific assessment, the Company has in fact calculated that this "would correspond to a full-time employment of healthcare personnel for a minimum of 437 days, with a downward estimate that does not take into account the fact that the parents probably would not come together in one appointment". The owner also declared that "in studies involving minors, it is necessary to obtain the written consent of the minor, who would therefore also be summoned to the hospital, with an impact on school attendance or with the need to schedule appointments dedicated to signing the consents only in the afternoon, thus doubling the time needed to obtain all the consents. It would take 2.3 years to obtain, in theory, all the consensus". These circumstances are aggravated by the fact that "there are no funding foreseen for this research which is carried out by university medical personnel, in parallel with the clinical and welfare activity" (note of 1 February 2023).

With specific reference to the ways in which it is intended to provide information to enrolled patients who cannot be contacted, pursuant to art. 14, par. 5, letter. b) of the Regulation and of the art. 6 of the Code of Conduct, the Company has declared that it will be "published on the company website".

The Company has also transmitted the favorable opinions of the Intercompany Ethics Committee of the City of Health and Science of Turin AO Ordine Mauriziano di Torino - ASL city of Turin, of 09 July 2020 and those of 16 September and 10 November 2021 and 24 March 2022, adopted following the presentation of certain amendments. The remaining opinions would have been requested but not yet released when the request for prior consultation was presented.

Lastly, the Company, with a note dated July 25, 2022, in response to the preliminary investigation formulated by the Office (note dated June 20, 2022, prot. no. 32869), confirming that it is a "non-profit study without any form of financing”, further clarified that:

the participating centers act as autonomous data controllers;

each participating Center "holds its own [databases], while the Città della Salute AOU, as promoter, also holds the databases with the aggregated and anonymous data transmitted by the [...] Centres";

“As regards the conservation and the life cycle of the treatment, the personal data base is kept for 12 months and then eliminated as a further security measure, the pseudo-anonymous information database is kept for 5 years and then eliminated. After 5 years, only the database is kept with the data in aggregate form and with the application of the security measures indicated in the DPIA";

“As regards the anonymization techniques that will be employed, they will consist of masking, aggregation and addition of statistical noise”.

The Company has therefore sent a new version of the impact assessment and of the information updated in the light of the clarifications recently provided.

In relation to data aggregation and anonymization techniques, the Company has represented that the "aggregate database (anonymous)" consists of the "table with which the data of the single center are stored [...] which is sent by the centers to the Promoter". "The anonymization of the data will be obtained through multiple methodologies aimed at minimizing the risk of re-identification of the subjects involved in the study". In particular, the Company described that: "on the aggregate database: [the] removal of the column relating to the week to which the data refers (suppression) is envisaged; addition of 3 databases with summary data to the database containing real data. The synthesis databases will be obtained with the variational autoencoders technique, will have identical dimensions to the original database and will be concatenated along the horizontal axis to the original database. In this way a potential attacker who obtains the data, with greater difficulty, will be able to acquire new reliable information on the subjects involved, having 4 possible choices for each variable. Only the investigators of the data owner center and of the sponsoring center will be aware of which columns contain the real data to allow denoising of the database; the name of the columns will be deleted; a random integer between 2 and 4 will be added to each column (noise addition). Only the investigators of the data owner center and of the sponsoring center will know the sequence of integers added to the database (to allow denoising)”.

2. Applicable legislation

The processing of personal data for scientific research purposes must be carried out in compliance with the Regulation, the Code, the Regulations relating to the processing of genetic data (if necessary) and the Regulations relating to the processing of personal data carried out for scientific research purposes, as well as of the Deontological Rules which constitute an essential condition for the lawfulness and correctness of the processing (Article 2-quater of the Code and Article 21, paragraph 5 of Legislative Decree 10 August 2018, No. 101).

With specific reference to the pursuit of scientific research purposes in the medical, biomedical and epidemiological fields, it should be noted that they are admitted after obtaining the consent of the interested party. This prerequisite is not necessary "[...] when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the research objectives. In the latter cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is subject to a reasoned favorable opinion from the competent ethics committee at the territorial level and must be subjected to prior consultation of the Guarantor pursuant to article 36 of the Regulation” (article 110 of the Code, article 9, paragraph 2, letter j) and par. 4 of the Regulation).

In the latter cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is subject to a reasoned favorable opinion from the competent ethics committee at the territorial level and must be subjected to prior consultation of the Guarantor, pursuant to article 36 of the Regulation (art. 110 of the Code, art. 9, paragraph 2, letter j) and par. 4 of the Regulation).

The art. 110, paragraph 1, last paragraph of the Code represents in fact a closing rule aimed at allowing the processing of personal data which should have been based on the consent of the interested parties, which it is not possible to acquire, can in any case be carried out when the purposes of the processing are otherwise they cannot be prosecuted (e.g. through the use of anonymous data or involving contactable interested parties).

It falls within the regulatory space that the Regulation defers to national or EU legislation pursuant to art. 9, par. 2, lit. j). This provision admits that particular categories of data may be processed if "the processing is necessary for [...] scientific research purposes in accordance with Article 89(1), on the basis of Union or national law, which it is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject".

The art. 89, par. 1 of the Regulation establishes, in particular, that “Processing for purposes [...] of scientific research is subject to adequate guarantees for the rights and freedoms of the data subject, in accordance with this regulation. These guarantees ensure that technical and organizational measures have been put in place, in particular to ensure compliance with the data minimization principle. Such measures may include pseudonymisation, provided that the purposes in question can be achieved in this way [...]".

In the processing of particular categories of data for research purposes, the identification of appropriate measures pursuant to art. 89 of the Regulation therefore constitutes an element of lawfulness of the processing, also taking into account the specific regime envisaged for this type of processing (cons. 33 and 50 and art. 5, paragraph 1, letters b) and e) of the Regulation).

Continuing with the indication of the main personal data protection rules relevant to the case in question, it should be noted that pseudonymisation means "the processing of personal data in such a way that the personal data can no longer be attributed to a specific interested party without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures intended to ensure that such personal data are not attributed to an identified or identifiable natural person" (Cons. 26 and art. 4 (5)) of the Regulation) and that the legislation on the protection of personal data does not apply in reference "to anonymous information, i.e. information that does not refer to an identified or identifiable natural person or to personal data made anonymous enough to prevent or allow identification of the data subject” (cf. Cons. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation techniques, adopted on 10 April 2014).

On the other hand, anonymised data is such only if it does not in any way allow the direct or indirect identification of a person, taking into account all the means (financial, information, technological resources, skills, time) available to whom (owner or other subject) try to use these tools to identify a data subject. Anonymisation cannot be considered achieved through the mere removal of the personal details of the interested party or their replacement with a pseudonymous code. An anonymisation process cannot effectively be defined as such if it is not suitable for preventing anyone using such data, in combination with "reasonably available" means, from:

1. isolate a person in a group (single-out);

2. link anonymised data to data referable to a person present in a separate set of data (linkability);

3. deduce new information referable to a person from anonymised data (inference) (cf. Opinion 05/2014 - WP 216 on anonymisation techniques, adopted on 10 April 2014).
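The pseudonymisation scheme the Company describes (name and surname replaced by a random UUID, with the correspondence table held separately, then aggregation by week) can be checked against the singling-out and inference criteria listed above as follows. This is an added example, not part of the decision or of the Study protocol; the sample records, field names, function names and the small-cell threshold k=3 are assumptions made for illustration.

```python
import uuid
from collections import defaultdict
from datetime import date

# Constructed sample records (not real data). Field names are assumptions.
SAMPLE_ACCESSES = [
    {"name": "Anna", "surname": "Rossi", "access_date": date(2020, 3, 2), "admitted": 0},
    {"name": "Luca", "surname": "Bianchi", "access_date": date(2020, 3, 3), "admitted": 1},
    {"name": "Sara", "surname": "Verdi", "access_date": date(2020, 3, 4), "admitted": 0},
    {"name": "Anna", "surname": "Rossi", "access_date": date(2020, 3, 5), "admitted": 1},
    {"name": "Marco", "surname": "Neri", "access_date": date(2020, 3, 9), "admitted": 1},
    {"name": "Elena", "surname": "Gallo", "access_date": date(2020, 3, 16), "admitted": 1},
    {"name": "Paolo", "surname": "Conti", "access_date": date(2020, 3, 17), "admitted": 1},
    {"name": "Giulia", "surname": "Greco", "access_date": date(2020, 3, 18), "admitted": 1},
]
IDENTIFYING_FIELDS = ("name", "surname")


def pseudonymise(records):
    """Split records into study rows (UUID only) and a separate key table.

    The key table (UUID -> identity) is the "additional information" that
    must be stored apart from the study rows. Matching patients on
    name + surname is a simplification that only suits this sample.
    """
    by_identity, key_table, study_rows = {}, {}, []
    for rec in records:
        identity = tuple(rec[f] for f in IDENTIFYING_FIELDS)
        pid = by_identity.get(identity)
        if pid is None:
            pid = str(uuid.uuid4())  # random, not derived from the identity
            by_identity[identity] = pid
            key_table[pid] = dict(zip(IDENTIFYING_FIELDS, identity))
        row = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        row["uuid"] = pid
        study_rows.append(row)
    return study_rows, key_table


def aggregate_by_week(study_rows):
    """Aggregate pseudonymised rows into one cell per ISO (year, week)."""
    cells = defaultdict(lambda: {"accesses": 0, "admitted": 0, "patients": set()})
    for row in study_rows:
        iso = row["access_date"].isocalendar()
        cell = cells[(iso[0], iso[1])]
        cell["accesses"] += 1
        cell["admitted"] += row["admitted"]
        cell["patients"].add(row["uuid"])
    return {
        week: {
            "accesses": c["accesses"],
            "admitted": c["admitted"],
            "distinct_patients": len(c["patients"]),
        }
        for week, c in sorted(cells.items())
    }


def singling_out_risks(weekly, k=3):
    """Flag weekly cells that fail two of the three anonymisation criteria.

    single-out: fewer than k distinct patients contribute to the cell.
    inference:  every access in the cell has the same 'admitted' value, so
                knowing that a child attended that week reveals the outcome.
    The threshold k is an assumption, not a value taken from the decision.
    """
    risks = {}
    for week, cell in weekly.items():
        flags = []
        if 0 < cell["distinct_patients"] < k:
            flags.append("single-out")
        if cell["accesses"] > 0 and cell["admitted"] in (0, cell["accesses"]):
            flags.append("inference")
        if flags:
            risks[week] = flags
    return risks


if __name__ == "__main__":
    rows, keys = pseudonymise(SAMPLE_ACCESSES)
    weekly = aggregate_by_week(rows)
    for week, flags in singling_out_risks(weekly).items():
        print(week, weekly[week], flags)
```

Cells flagged here would need suppression or coarser grouping before a weekly table could be treated as anonymous rather than pseudonymised.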

In relation to the information obligations, if the data are obtained from third parties, the data controller may not provide the information referred to in paragraphs 1 to 4 of the art. 14 of the Regulation, to the extent that the communication of such information is impossible or involves a disproportionate effort. This, in particular, in the context of treatments carried out for scientific research purposes, without prejudice to the conditions and guarantees referred to in article 89, par. 1 of the Regulation. In such cases, the data controller is in any case required to adopt appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including by making the information public (Article 14, paragraph 5, letter b) of the Regulation). On this point, the art. 6, paragraph 3 of the Rules of Conduct, establishes that "When the data are collected from third parties, or the treatment carried out for statistical or scientific purposes concerns data collected for other purposes, and the information involves a disproportionate effort with respect to the protected right, the owner adopts suitable forms of advertising (…)” indicating specific methods by way of example.

Another extremely important profile in the field of personal data protection is the identification of the roles of owner (articles 4, no. 7 and 24) and manager (articles 4, no. 8 and 28). From this, in fact, derives not only the distribution of the relative responsibilities but also the possibility for the interested parties to know the subject they can contact to exercise the rights referred to in articles from 15 to 22 of the Regulation, in relation to the processing of personal data.

The owner is the subject who, in the light of the concrete context in which the treatment takes place, determines the basic decisions relating to the purposes and methods of a treatment carried out on the basis of one of the conditions of lawfulness referred to in articles 6 and 9 of the Regulation (see "Guidelines 07/2020 on the concepts of controller and processor in the GDPR", adopted by the European Data Protection Committee, on 7 July 2021).

On the other hand, the figure of the manager remains characterized by the performance of personal data processing operations delegated by the owner who, following his own organizational choices, can identify a particularly qualified subject to carry out the same in terms of specialist knowledge, reliability and resources to implement technical and organizational measures that meet the requirements of the Regulation (see recital 81 of the Regulation), delimiting the scope of the respective powers and providing specific instructions on the treatments to be carried out.

For the purpose of concretely identifying the role played, in terms of owner or manager, of the figures who process personal data, it is therefore essential to examine on a substantial and non-formal level the activities actually carried out by these subjects in relation to the activities of scientific research.

3. The assessments of the Authority

3.1. The legal bases of data processing

The Company, as Promoter of the Study and data controller, as required by art. 110 of the Code and 36 of the Regulation, presented a request for prior consultation to the Guarantor providing the study protocol and the impact assessment on the protection of personal data connected to the processing necessary for the realization of the same. From the documentation examined, as finally integrated in the light of the observations made by the Office during the preliminary investigation, the Guarantor believes that the Company has correctly identified the legal bases of the processing, adequately specifying the reasons justifying the impossibility of being able to inform the interested parties and acquire a valid consent, according to the provisions of point 5.3 of the Prescriptions.

Reference is made, in particular, to the "reasons of organizational impossibility attributable to the fact that failure to consider the data referring to the estimated number of interested parties who cannot be contacted to inform them, compared to the total number of subjects who intend to be involved in the research, would produce significant consequences for the study in terms of alteration of the related results" of point 5.3, number 2, of the Prescriptions. In fact, the Guarantor believes that the Company has correctly documented how the attempt to contact every single patient of the population enrolled in the study would imply a disproportionate effort, specifying that it would require "a full-time employment of healthcare personnel for a minimum of 437 days, with a downward estimate that does not take into account the fact that the parents probably would not come together in a single appointment", also taking into account that it is a "non-profit study without any form of funding" and that the need to summon even minors, for whom it is also necessary to obtain written consent, would have an impact on school attendance and would make it necessary "to schedule the appointments dedicated to signing the consents only in the afternoon, therefore doubling the time necessary to obtain all the consents", up to "2.3 years to obtain, in theory, all the consents".

Conversely, the Guarantor does not believe that it can accept as a valid justification for the impossibility of acquiring valid consent the reference to the "selection bias due to the fact that it would be easier for individuals sensitive to the research and/or clinical issues to express consent, belonging to an average higher socio-economic status and who have the opportunity to invest about an hour of their time and come to the hospital to sign informed consents", as this is a motivation which evokes a risk that is always potentially present where the processing is based on the consent of the interested parties, regardless of the specifics of the case in question, and which is not included among those indicated in point 5.3 of the Prescriptions.

From another point of view, in compliance with the provision of art. 110, paragraph 1, second sentence of the Code, according to which the research program must first be subject to a reasoned favorable opinion from the competent ethics committees at a territorial level, it remains understood that the participating Centers will be able to initiate the processing of the personal data necessary for the realization of the Study only after obtaining the favorable opinions of the respective ethics committees, as the presence of this element is configured as a condition of lawfulness of the processing of personal data for the purposes in question, where it is not possible to acquire the consent of the interested parties (see provision no. 202 of 29 October 2020, web doc. 9517401 and provision no. 406 of 1 November 2021, web doc. 9731827).

3.2. Measures pursuant to art. 89 of the Regulation

The Guarantor takes note of how the Company, in the study presented, has correctly applied art. 89 of the Regulation, providing that the data are subject to robust minimization techniques throughout the processing phase. In particular, taking into account the epidemiological nature of the Study and the size of the sample, the Company, also in compliance with the principles of accountability and privacy by design, has verified the possibility of pursuing the research aim through the collection and analysis of aggregated data (articles 5, paragraph 2, 24 and 25 of the Regulation).

On the other hand, it is deemed necessary to provide specific indications and clarifications regarding the anonymisation of the data also in order to allow, as envisaged by the data controller, the sharing of the same with the scientific community and to be able to keep them beyond the deadline set for carrying out the Study (5 years).

In the Study Protocol, the Company stated that "the data will be transmitted by the participating centers in an anonymous and aggregated form" to the Promoter.

Indeed, the data collected by the data controller cannot be considered anonymous. In this respect, as underlined by the European Data Protection Supervisor and the European Data Protection Board, the distinction between categories of personal and non-personal data is difficult to apply in practice, since from a combination of aggregated data it is possible to infer or generate personal data, i.e. data relating to an identified or identifiable individual, even more so in the context of the processing of health data (cf. EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space, point 4.2. (40)).

In particular, in the present case it must be taken into account that the alleged anonymisation process (actually aggregation and generalization of data), carried out at the individual participating Centres, represents only one phase of a much wider series of processing operations. The data thus processed at the Centers are in fact destined to flow to the Promoter.

Any anonymisation technique that involves the participation of several subjects suffers from an inevitable loss of effectiveness of the measures implemented by each of them to bring the risk of re-identification of the interested parties to an acceptable level. In fact, the amount of information available from the centralized subject (in the present case the Promoter) - precisely due to its role as collector of information from the various subjects involved (in the present case the participating Centres) - is higher than that available with the conferring subjects, with a consequent significant increase in the risk of re-identification of the data subjects.

To ensure the effective anonymization of the collected data, the collector must therefore implement further measures. In particular, with regard to generalization operations, it is deemed necessary for the data controller to redefine the equivalence classes, i.e. the sets of data subjects characterized by the same combinations of attributes (so-called "quasi-identifiers", for example indicators of location, age, or membership of specific social categories), in such a way as to guarantee a minimum number for each equivalence class in the dataset to be published.

With reference instead to aggregation techniques, it is necessary to consider that the availability of a large number of aggregate statistics increases the identifying power of each of them, up to the possible complete reconstruction of a dataset (so-called "reconstruction attack"). To avoid this, the number of statistics to be disseminated must be significantly less than the number of variables to be disclosed. In other words, by ensuring the dissemination of a limited number of statistics, it is avoided that through mathematical calculations, it is possible to arrive at the identification of the single subjects belonging to the sample.

Having said that, it is deemed necessary that the Company, at the end of the data retention period for carrying out the Study, indicated at 5 years, and in any case in the event of data sharing with third parties, with regard to generalization techniques, redefine the equivalence classes in order to guarantee a minimum number for each of them in the dataset to be published, or shared. In the present case, a threshold of at least 20 units is considered appropriate for this purpose.

In relation to the aggregation techniques, it is also deemed necessary that the Company, at the end of the data retention period for carrying out the Study, indicated as 5 years, and in any case in the event of data sharing with third parties, in consideration of the number of variables subject to aggregation, ensure that the number of aggregate statistics to be disclosed is significantly lower than the number of variables considered; this, in order to avoid the risk of reconstructing data referable to single individuals.

Furthermore, as part of the periodic checks that the data controller is required to carry out, also with reference to the persistence of the effectiveness of the data anonymization measures and to technological evolution, it is deemed necessary for the Company to undertake to remove any singularity if, by any means, it becomes aware of them in a phase following the application of the aforementioned anonymisation techniques, and to keep track of these events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified on the total number of records included in the dataset (see, on this point, the Opinion of 30 June 2022, available at www.gpdp.it doc. web 9791886).
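The two measurable checks set out in this paragraph (a minimum of 20 units per equivalence class, and a repeat of the re-identification risk assessment at 1% of singularities) can be tested mechanically before a dataset is published or shared. The Python below is an added example, not part of the decision or of the Company's documentation; the field names, the four-level generalization ladder and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

K_MIN = 20      # minimum equivalence-class size indicated in the decision
MAX_LEVEL = 3   # coarsest step of the (assumed) generalization ladder


def generalize(rec, level):
    """Return the equivalence-class key for a record at a given level.

    Quasi-identifiers used here (assumption): age in years, sex as a
    numeric category, and the residence postal code (CAP).
    """
    age, sex, cap = rec["age"], rec["sex"], rec["cap"]
    if level == 0:                      # raw values, no generalization
        return (str(age), sex, cap)
    if level == 1:                      # 3-year age bands, 3-digit CAP prefix
        lo = age // 3 * 3
        return (f"{lo}-{lo + 2}", sex, cap[:3] + "**")
    if level == 2:                      # 6-year age bands, 2-digit CAP prefix
        lo = age // 6 * 6
        return (f"{lo}-{lo + 5}", sex, cap[:2] + "***")
    return ("0-17", sex, "*****")       # level 3: only sex remains


def equivalence_classes(records, level):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(generalize(r, level) for r in records)


def smallest_class(records, level):
    return min(equivalence_classes(records, level).values())


def singularities(records, level):
    """Number of records that are alone in their equivalence class."""
    return sum(1 for n in equivalence_classes(records, level).values() if n == 1)


def choose_level(records, k=K_MIN):
    """Lowest generalization level at which every class holds at least k records."""
    for level in range(MAX_LEVEL + 1):
        if smallest_class(records, level) >= k:
            return level
    raise ValueError(f"no level reaches k={k}; the dataset must not be released")


class SingularityLog:
    """Keeps track of singularities found after release and removed."""

    def __init__(self, total_records):
        self.total = total_records
        self.found = 0
        self.events = []

    def report(self, count, note=""):
        """Record removed singularities; True means the 1% trigger is reached
        and the re-identification risk assessment has to be repeated."""
        self.found += count
        self.events.append((count, note))
        return self.found * 100 >= self.total   # integer form of found/total >= 1%


def build_sample():
    """Constructed sample: 4 CAPs x 18 ages x 2 sexes x 2 rows, plus one outlier."""
    records = [
        {"age": age, "sex": sex, "cap": cap}
        for cap in ("10121", "10126", "10098", "10043")
        for age in range(18)
        for sex in (1, 2)
        for _ in range(2)
    ]
    records.append({"age": 17, "sex": 2, "cap": "10015"})  # unique at level 0
    return records


if __name__ == "__main__":
    recs = build_sample()
    for lvl in range(MAX_LEVEL + 1):
        print(lvl, smallest_class(recs, lvl), singularities(recs, lvl))
    print("release at level", choose_level(recs))
    log = SingularityLog(len(recs))
    print("reassess:", log.report(1, "reported by a participating Centre"))
    print("reassess:", log.report(2, "found in periodic check"))
```

On the constructed sample the raw quasi-identifiers leave one singular record and the first generalization step still yields classes of 12, so only the second step satisfies the threshold of 20.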

3.3. The personal data protection roles of the individuals involved in the Study

In the documentation sent by the Company, in representing the multi-centre nature of the Study, it is declared that the healthcare facilities indicated in the documents participate in it, as participating Centres, and it is clarified that they operate as independent data controllers. The Company has consequently modified the information on the processing of personal data prepared for the interested parties, specifying the roles of independent data controllers both of the Company as promoter of the Study and of the participating Centres. The Company also represented that for the conduct of the Study it makes use of an "information system supplier, with which the clinical activity is carried out daily for all company specialties, [...], HIS Trakcare, InterSystem, [...], appointed External Data Processor" and that "The transfer of data outside the European Union is not envisaged; the data will be communicated outside the members of the Research Group only and exclusively in aggregate form for scientific purposes (sending of articles to scientific journals, presentations at medical congresses, etc.). Publication in scientific journals will be carried out after data analysis and further aggregation in a form that does not allow for singularization or inference on individualities".

In this regard, it is believed that the organizational structure implemented for the implementation of the Study is such as to exclude that unauthorized third parties may be involved in the processing of health data from patients enrolled in the aforementioned Study and complies with the principle of correctness and transparency (Article 5, paragraph 1 letter a) of the Regulation).

3.4. Further measures aimed at guaranteeing the effectiveness of the principle of transparency towards the patients enrolled in the Study

In general, we favorably acknowledge the measures undertaken by the Company to guarantee the effectiveness of the principle of correctness and transparency towards the interested parties.

With specific regard to the methods for providing information to interested parties who cannot be contacted, the Company, given the findings made by the Office during the preliminary investigation, sent a new information document, drawn up pursuant to art. 14 of the Regulation, which correctly indicated the role of the participating Centers as independent data controllers and declared that it will be "published on the company website".

That said, taking into account that the Study involves 7 participating Centers in addition to the Promoter, in order to ensure the effective application of the aforementioned principles of correctness and transparency, it is deemed necessary, in the case in question, for the Company to make public the information to be provided to interested parties, pursuant to art. 14 of the Regulation, also through a specific advertisement on the institutional websites of the trial centers involved in the Study.

3.5. The security measures implemented

The Company, as data controller, as mentioned above and as required by the procedure pursuant to articles 110 of the Code and 36 of the Regulation, presented to the Guarantor the impact assessment on the protection of personal data connected to the processing necessary for the realization of the Study, as integrated during the preliminary procedure, which identifies the technical and organizational measures provided for the security of the data processed, briefly described in paragraph 1.

In fact, it should be noted that the implementation of the measures pursuant to art. 89 of the Regulation, aimed, in particular, at the effective application of the minimization principle, does not exempt the data controller from also introducing suitable technical and organizational measures pursuant to art. 32 of the Regulation, for effective application of the principle of data integrity and confidentiality (Article 5, paragraph 1, letter f) of the Regulation).

From this document, in addition to what is highlighted in paragraph 1 above, it emerges that the Company, in order to guarantee compliance with the principle of integrity and confidentiality, has prepared appropriate and suitable measures to protect the rights and freedoms of the cohort of interested parties involved in the Study.

An exhaustive analysis of the risks associated with the processing of personal data necessary for the pursuit of the purpose of the research in question was also carried out, in order to determine in particular the origin, nature and seriousness of these risks and the measures implemented to mitigate them (articles 5, paragraph 2 letter f), and 32 of the Regulation).

ALL THIS CONSIDERED, THE GUARANTOR

pursuant to art. 110 of the Code and art. 36 of the Regulation, expresses to the University Hospital A.O.U. City of Health and Science of Turin, with registered office in Corso Bramante, 88 - 10126 Turin, Fiscal code - VAT number: 10771180014, a favorable opinion regarding the processing of personal data for medical, biomedical and epidemiological research purposes, referring to the cohort of patients enrolled in the multicenter, retrospective non-profit study, called "Analisi emergency-urgency accesses for NPI pathology", under the following conditions:

1. the Company, at the end of the data retention period for carrying out the Study, indicated as 5 years, and in any case in the event of data sharing with third parties, with regard to generalization techniques, redefines the equivalence classes in order to guarantee a minimum number for each of them in the dataset to be published or shared. In this case, a threshold of at least 20 units is deemed appropriate for this purpose (par. 3.2);

2. at the end of the data retention period for carrying out the Study, indicated at 5 years, and in any case in the event of data sharing with third parties, in consideration of the number of variables subject to aggregation, the Company ensures that the number of aggregate statistics to be disclosed in order to avoid the risk of reconstructing data referable to individuals is significantly lower than the number of variables considered (par. 3.2);

3. the Company undertakes to remove any singularity if, by any means, it becomes aware of them in a phase following the application of the aforementioned anonymization techniques, and to keep track of these events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified out of the total number of records included in the dataset;

4. the Company makes the information to be provided to the interested parties public, pursuant to art. 14, par. 5, letter. b) of the Regulation and 6.3. of the Ethical rules for treatments for statistical or scientific research purposes, Annex A5 to the Code, through a specific advertisement also on the institutional websites of the experimentation centers involved in the Study (par. 3.4).

Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, March 2, 2023

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE SECRETARY GENERAL
Mattei

[doc. web no. 9875254]

Provision of 2 March 2023

Register of measures
no. 73 of 2 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/EC - General Data Protection Regulation (hereinafter "Regulation");

CONSIDERING, in particular, the articles 35 and 36 of the Regulation relating, respectively, to the impact assessment on data protection and to the prior consultation of the Authority;

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data" (hereinafter the "Code");

CONSIDERING the art. 110 paragraph 1, second sentence of the Code which, in relation to the processing of personal data for medical, biomedical and epidemiological research, provides in particular that "consent is also not necessary when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the research objectives. In such cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is subject to a reasoned favorable opinion from the competent ethics committee at the territorial level and must be subjected to prior consultation of the Guarantor pursuant to article 36 of the Regulation”;

HAVING REGARD to the ethical rules for processing for statistical or scientific research purposes adopted by the Guarantor, pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, n. 101, with provision n. 515, of 19 December 2018 (web doc. n. 9069637, hereinafter "Ethical rules");

HAVING REGARD to the provisions relating to the processing of personal data carried out for scientific research purposes, attachment no. 5 to the Provision which identifies the provisions contained in the general Authorizations which are compatible with the Regulation and with Legislative Decree no. 101/2018 adapting the Code, of 5 June 2019 (web doc. 9124510, hereinafter "Prescriptions");

HAVING REGARD to the request for prior consultation presented, pursuant to articles 110 of the Code and 36 of the Regulations, by the Città della Salute e della Scienza University Hospital of Turin, with registered office in Corso Bramante 88/90 – 10126 Turin, for the realization of a multicentre, retrospective, observational and epidemiological study (note of 2 February 2022, prot. no. 0011711/A.4.2.2., subsequently integrated with a note of 8 June 2022, prot. no. 0064367/A.4.2.2.);

HAVING REGARD to the documentation in the deeds;

GIVEN the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Speaker the lawyer Guido Scorza;

WHEREAS

1. The application for prior consultation and the preliminary investigation carried out

With a note dated 2 February 2022, the Città della Salute e della Scienza University Hospital of Turin (hereinafter the "Company") presented a request for prior consultation, pursuant to art. 110, paragraph 1, last paragraph of the Code and art. 36 of the Regulation, as promoter of the non-profit, multicentre, retrospective, observational, epidemiological and non-pharmacological study, called "Analysis of emergency accesses for neurological and psychiatric pathology in childhood and adolescence" (hereinafter "Study"), as, due to particular reasons (described below), it is not possible to inform the patients to be enrolled in the Study.

In this regard, the Company has sent the impact assessment, carried out pursuant to art. 35 of the Regulation. Following the observations made by the Office in the context of the preliminary investigation (note of 18 February 2022, prot. n. 11372) - which highlighted certain critical issues in relation to the protection profiles of personal data in the processing object of the Study and the failure to transmit the research project in the deeds - the Company has transmitted the supplementary documentation and in particular the protocol of the Study and the opinions, obtained up to that moment, of the territorially competent ethics committees (note of 8 June 2022).

The Study is aimed at "evaluating the impact of the Covid pandemic and related institutional social distancing measures on emergency access for infantile neuropsychiatric pathology (NPI) and placing this impact in the context of the trend prior to the pandemic itself". It also aims to "describe the change in psychopathology (expressed as a reason for accessing the emergency room), identify more vulnerable populations (in relation to age, sex, socio-economic status), correlate the trend of accesses with the measures institutional social distancing (and therefore school closures), as the weeks progress since the start of the pandemic; evaluate any changes in the hospitalization rate and analyze the revolving door phenomenon, i.e. the return after a short period of time to the hospital of a patient recently discharged from hospitalization. The hypotheses under study are in fact that there has been an increase in emergency accesses for NPI pathology after the pandemic and in particular, that there has been an increase for pathologies that involve a life risk (suicide attempt, extreme anorexia) ”.

The Study provides for "the collection of emergency accesses that required NPI specialist consultation in the emergency rooms of the participating centers [...] between 1 January 2018 and 31 December 2021 (...)". In particular, "all patients who have requested an NPI consultation in the emergency room, for neurological or psychiatric reasons" will be included. The Study provides for the collection of the following personal data: “name and surname of the subject, then converted into a randomly generated unique code (UUID); age, expressed in years and months; gender in numerical categorical form; Complete residence zip code; PS access date; episode in numerical categorical form (neurological/psychiatric); episode description; relapsed access (categorical); previous therapy; any previous diagnosis; any previous NPI taking charge; subsequent hospitalization (yes/no), in numerical categorical form. The total number of accesses for a single pediatric emergency department per week will also be collected (aggregate data).

The Company also represented that the Study envisages the enrollment of a number of patients between 6,000 and 10,000 and indicated all the participating Centers where the collection of personal data is envisaged. In particular, the methods for collecting, storing and sending data are described in the protocol. In this regard, it was specified that “The data will be collected from the corporate information systems; that the identification data of the enrolled subject (name, surname) will be subjected to pseudonymisation with a randomly generated unique code (UUID); the study data will be collected in a database (spreadsheet) protected by a password and stored on a (non-company) PC located outside the network and will contain only the UUID code and not the identification data; at the same time, another personal data spreadsheet will be created which will contain the correspondence between the unique code and the identification data of the subjects; this personal data database, protected by a password, will be encrypted and stored on an external hard drive. The external hard drive will be stored in a lockable cabinet and placed in a room protected by a lockable door. The protection passwords of the 2 databases and the encryption password will be strictly separate. The personal data database will be kept for the time necessary to conclude the data analysis (12 months), after which it will be eliminated. After 12 months, the data is treated completely anonymously. The database containing the pseudonymized data will be kept for the time necessary to complete the analysis and ensure the replicability control of the results obtained (5 years), subsequently it will be eliminated. In this regard, the Company has also stated that: “Pseudonymised data will be aggregated by week and then anonymised (…) and will be analyzed in that form”.

This process is confirmed in the impact assessment which also describes the security measures implemented by the controller to limit the risks to the fundamental rights and freedoms of the data subjects.

With particular reference to the transmission of data from the participating Centres, the Company declared that “The data will be transmitted by the participating centers in anonymous and aggregated form according to the following models: week cardinal number; year; week as date; total number of neurological (or psychiatric) accesses; patients who discontinued therapy in the previous three months (total number); total number of hospitalized patients; average deprivation index (calculated by CAP); number of single issue accesses; number of patients who had already accessed in the previous three months; number of subjects with previous drug or other therapy; number of subjects with previous diagnosis; number of subjects with previous NPI taking charge week cardinal number; year; week as date; number of male subjects; average age in years”.

The Company, taking into account the observations made by the Office during the preliminary investigation, has better explained the reasons why it is not possible to acquire the consent of the interested parties, specifying in this regard that "this would imply first of all seriously jeopardizing the achievement of the purpose of the research, with alteration of the results and, to a lesser extent, would imply a disproportionate effort, given the existence of ethical reasons and reasons of organizational impossibility [...]. More specifically [...], it is reiterated that the present study, epidemiological observational, aims to obtain an accurate and complete analysis of the trend of all emergency neuropsychiatric emergency accesses in recent years in the main Italian pediatric hospitals. In fact, a selection bias would be introduced due to the fact that subjects sensitive to the research and/or the clinical issues covered by it would more easily express consent, belonging to a higher average socio-economic status and having the possibility of investing approximately one hour of their time and come to the hospital to sign informed consents (Enzenbach, 2019; Vose, 2021; Knudsen, 2010; Coughlin, 2006). In the alternative, since it concerns a very high hypothesized sample size (between 6,000 and 10,000 subjects), the economic and personnel resources necessary to obtain the consents, which however would probably only be very partial, would be disproportionate, in the face of a persistent bias of selection that would in any case nullify the scientific significance of the study".

On this point it was also represented that "the present study has an epidemiological nature and the evaluations carried out on the data may have a scientific value if they include the total number of actual patients who have accessed the emergency room for infantile neuropsychiatric reasons [...] ”.

In relation to the impossibility of informing the interested parties and therefore of acquiring their consent, in response to a specific preliminary investigation by the Guarantor, the Company has better represented that "The population under study is made up of minors (from 0 to 17 years and 11 months) who went to one of the pediatric emergency departments involved in this study and received a specialist pediatric neuropsychiatric consultation. It should therefore be noted that the patients involved in this study are not, in the vast majority of cases, patients taken in charge or followed up on an ongoing basis by Child Neuropsychiatry (NPI) structures” [...] “It is not the parent [but the emergency pediatrician] who requested a specialist visit and this visit could only minimally have been followed by an ongoing therapeutic relationship with the Child Neuropsychiatry facilities".

It was also highlighted that "Since this study has an epidemiological objective, retrospectively requesting written informed consent would introduce selection bias [to be understood as] a condition in which the study population is not representative of the target population (i.e. evaluate) that would completely distort the work". The controller then listed various reasons related to the cultural, social, economic and demographic condition of the families of the interested parties involved in the Study, which, also on the basis of a copious scientific literature, lead the latter not to participate in epidemiological medical research from which they do not have "a personal return (…) from the research in which they are involved" and therefore direct effects on their health.

The controller then reiterated that "Due to the nature of the study it is essential to be able to collect information about all the subjects who have accessed the emergency room for neuropsychiatric emergencies in order to be able to support, thanks to evidence-based medicine data, specific intervention projects for any more vulnerable subjects".

The Company has also documented that attempting to contact every single patient in the study population would involve a disproportionate effort. Following a specific assessment, the Company has in fact calculated that this "would correspond to a full-time employment of healthcare personnel for a minimum of 437 days, with a downward estimate that does not take into account the fact that the parents probably would not come together in one appointment". The controller also declared that "in studies involving minors, it is necessary to obtain the written consent of the minor, who would therefore also be summoned to the hospital, with an impact on school attendance or with the need to schedule appointments dedicated to signing the consents only in the afternoon, thus doubling the time needed to obtain all the consents. It would take 2.3 years to obtain, in theory, all the consents". These circumstances are aggravated by the fact that "there are no funding foreseen for this research which is carried out by university medical personnel, in parallel with the clinical and welfare activity" (note of 1 February 2023).

With specific reference to the ways in which it is intended to provide information to enrolled patients who cannot be contacted, pursuant to art. 14, par. 5, letter. b) of the Regulation and of the art. 6 of the Code of Conduct, the Company has declared that it will be "published on the company website".

The Company has also transmitted the favorable opinions of the Intercompany Ethics Committee of the City of Health and Science of Turin AO Ordine Mauriziano di Torino- ASL city of Turin, of 09 July 2020 and those of 16 September and 10 November 2021 and 24 March 2022, adopted following the presentation of certain amendments. The remaining opinions would have been requested but not yet released when the request for prior consultation was presented.

Lastly, the Company, with a note dated July 25, 2022, in response to the preliminary investigation formulated by the Office (note dated June 20, 2022, prot. no. 32869), confirming that it is a "non-profit study without any form of financing”, further clarified that:

the participating centers act as autonomous data controllers;

each participating Center "holds its own [databases], while the Città della Salute AOU, as promoter, also holds the databases with the aggregated and anonymous data transmitted by the [...] Centres";

“As regards the conservation and the life cycle of the treatment, the personal data base is kept for 12 months and then eliminated as a further security measure, the pseudo-anonymous information database is kept for 5 years and then eliminated. After 5 years, only the database is kept with the data in aggregate form and with the application of the security measures indicated in the DPIA";

“As regards the anonymization techniques that will be employed, they will consist of masking, aggregation and addition of statistical noise”.

The Company has therefore sent a new version of the impact assessment and of the information updated in the light of the clarifications recently provided.

In relation to data aggregation and anonymization techniques, the Company has represented that the "aggregate database (anonymous)" consists of the "table with which the data of the single center are stored [...] which is sent by the centers to the Promoter". "The anonymization of the data will be obtained through multiple methodologies aimed at minimizing the risk of re-identification of the subjects involved in the study". In particular, the Company described that: "on the aggregate database: [the] removal of the column relating to the week to which the data refers (suppression) is envisaged; addition of 3 databases with synthetic data to the database containing real data. The synthetic databases will be obtained with the variational autoencoders technique, will have identical dimensions to the original database and will be concatenated along the horizontal axis to the original database. In this way a potential attacker who obtains the data will have greater difficulty acquiring new reliable information on the subjects involved, having 4 possible choices for each variable. Only the investigators of the data owner center and of the sponsoring center will be aware of which columns contain the real data to allow denoising of the database; the name of the columns will be deleted; a random integer between 2 and 4 will be added to each column (noise addition). Only the investigators of the data owner center and of the sponsoring center will know the sequence of integers added to the database (to allow denoising)".

2. Applicable legislation

The processing of personal data for scientific research purposes must be carried out in compliance with the Regulation, the Code, the Regulations relating to the processing of genetic data (if necessary) and the Regulations relating to the processing of personal data carried out for scientific research purposes, as well as of the Deontological Rules which constitute an essential condition for the lawfulness and correctness of the processing (Article 2-quater of the Code and Article 21, paragraph 5 of Legislative Decree 10 August 2018, No. 101).

With specific reference to the pursuit of scientific research purposes in the medical, biomedical and epidemiological fields, it should be noted that such processing is permitted after obtaining the consent of the interested party. This prerequisite is not necessary "[...] when, due to particular reasons, informing the interested parties is impossible or involves a disproportionate effort, or risks making it impossible or seriously jeopardizing the achievement of the research objectives. In the latter cases, the data controller adopts appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, the research program is subject to a reasoned favorable opinion from the competent ethics committee at the territorial level and must be subjected to prior consultation of the Guarantor pursuant to article 36 of the Regulation" (article 110 of the Code, article 9, paragraph 2, letter j) and par. 4 of the Regulation).

Art. 110, paragraph 1, last paragraph of the Code is in fact a closing rule: it allows the processing of personal data that should have been based on the consent of the interested parties, where that consent cannot be acquired, to be carried out in any case when the purposes of the processing cannot otherwise be pursued (e.g. through the use of anonymous data or by involving contactable interested parties).

This rule falls within the regulatory space that the Regulation leaves to national or EU legislation pursuant to art. 9, par. 2, lit. j). This provision admits that particular categories of data may be processed if "the processing is necessary for [...] scientific research purposes in accordance with Article 89(1), on the basis of Union or national law, which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject".

The art. 89, par. 1 of the Regulation establishes, in particular, that “Processing for purposes [...] of scientific research is subject to adequate guarantees for the rights and freedoms of the data subject, in accordance with this regulation. These guarantees ensure that technical and organizational measures have been put in place, in particular to ensure compliance with the data minimization principle. Such measures may include pseudonymisation, provided that the purposes in question can be achieved in this way [...]”.

In the processing of particular categories of data for research purposes, the identification of appropriate measures pursuant to art. 89 of the Regulation therefore constitutes an element of lawfulness of the processing, also taking into account the specific regime envisaged for this type of processing (cons. 33 and 50 and art. 5, paragraph 1, letters b) and e) of the Regulation).

Continuing with the main personal data protection rules relevant to the case in question, it should be noted that pseudonymisation means "the processing of personal data in such a way that the personal data can no longer be attributed to a specific interested party without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures intended to ensure that such personal data are not attributed to an identified or identifiable natural person" (Recital 26 and art. 4(5) of the Regulation) and that the legislation on the protection of personal data does not apply "to anonymous information, i.e. information that does not refer to an identified or identifiable natural person or to personal data made anonymous in such a way as to prevent or no longer allow identification of the data subject" (cf. Recital 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation techniques, adopted on 10 April 2014).

On the other hand, data are anonymised only if they do not in any way allow the direct or indirect identification of a person, taking into account all the means (financial, information, technological resources, skills, time) available to whoever (controller or other party) tries to use them to identify a data subject. Anonymisation cannot be considered achieved through the mere removal of the personal details of the interested party or their replacement with a pseudonymous code. An anonymisation process cannot effectively be defined as such if it is not suitable for preventing anyone using such data, in combination with "reasonably available" means, from:

1. isolating a person in a group (singling out);

2. linking anonymised data to data referable to a person present in a separate set of data (linkability);

3. deducing new information referable to a person from anonymised data (inference) (cf. Opinion 05/2014 - WP 216 on anonymisation techniques, adopted on 10 April 2014).

In relation to the information obligations, if the data are obtained from third parties, the data controller may refrain from providing the information referred to in paragraphs 1 to 4 of art. 14 of the Regulation, to the extent that the communication of such information is impossible or involves a disproportionate effort. This applies, in particular, in the context of processing carried out for scientific research purposes, without prejudice to the conditions and guarantees referred to in article 89, par. 1 of the Regulation. In such cases, the data controller is in any case required to adopt appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including by making the information public (Article 14, paragraph 5, letter b) of the Regulation). On this point, art. 6, paragraph 3 of the Rules of Conduct establishes that "When the data are collected from third parties, or the processing carried out for statistical or scientific purposes concerns data collected for other purposes, and providing the information involves a disproportionate effort with respect to the protected right, the controller adopts suitable forms of publicity (…)", indicating specific methods by way of example.

Another extremely important aspect of personal data protection is the identification of the roles of controller (articles 4, no. 7 and 24) and processor (articles 4, no. 8 and 28). From this, in fact, derives not only the distribution of the respective responsibilities but also the possibility for the interested parties to know whom they can contact to exercise the rights referred to in articles 15 to 22 of the Regulation in relation to the processing of personal data.

The controller is the party who, in the light of the concrete context in which the processing takes place, takes the basic decisions on the purposes and methods of processing carried out on the basis of one of the conditions of lawfulness referred to in articles 6 and 9 of the Regulation (see "Guidelines 07/2020 on the concepts of controller and processor in the GDPR", adopted by the European Data Protection Board, on 7 July 2021).

The processor, on the other hand, is characterized by carrying out personal data processing operations delegated by the controller, who, following its own organizational choices, can identify a party particularly qualified to carry them out in terms of specialist knowledge, reliability and resources to implement technical and organizational measures that meet the requirements of the Regulation (see recital 81 of the Regulation), delimiting the scope of the respective powers and providing specific instructions on the processing to be carried out.

In order to identify concretely whether those who process personal data act as controller or processor, it is therefore essential to examine, on a substantive rather than formal level, the activities actually carried out by these parties in relation to the scientific research activities.

3. The assessments of the Authority

3.1. The legal bases of data processing

The Company, as Promoter of the Study and data controller, as required by art. 110 of the Code and 36 of the Regulation, presented a request for prior consultation to the Guarantor providing the study protocol and the impact assessment on the protection of personal data connected to the processing necessary for the realization of the same. From the documentation examined, as finally integrated in the light of the observations made by the Office during the preliminary investigation, the Guarantor believes that the Company has correctly identified the legal bases of the processing, adequately specifying the reasons justifying the impossibility of being able to inform the interested parties and acquire a valid consent, according to the provisions of point 5.3 of the Prescriptions.

Reference is made, in particular, to the "reasons of organizational impossibility attributable to the fact that failure to consider the data referring to the estimated number of interested parties who cannot be contacted to inform them, compared to the total number of subjects who intend to be involved in the research, would produce significant consequences for the study in terms of alteration of the related results" of point 5.3, number 2, of the Prescriptions. In fact, the Guarantor believes that the Company has correctly documented how the attempt to contact every single patient of the population enrolled in the study would imply a disproportionate effort, specifying that it would require "a full-time employment of healthcare personnel for a minimum of 437 days, with a downward estimate that does not take into account the fact that the parents probably would not come together in a single appointment", also taking into account that it is a "non-profit study without any form of funding" and that the need to summon even minors, for whom it is also necessary to obtain written consent, would have an impact on school attendance and would make it necessary "to schedule the appointments dedicated to signing the consents only in the afternoon, therefore doubling the time necessary to obtain all the consents", up to "2.3 years to obtain, in theory, all the consents".

Conversely, the Guarantor does not consider that the reference to the "selection bias due to the fact that it would be easier for individuals sensitive to the research and/or clinical issues to express consent to the same, belonging to an average higher socio-economic status and who have the opportunity to invest about an hour of their time and come to the hospital to sign informed consents" can be a valid justification for the impossibility of acquiring valid consent. This justification invokes a risk that always potentially exists where the processing is based on the consent of the interested parties, regardless of the specifics of the case in question, and it is not included among those indicated in point 5.3 of the Prescriptions.

From another point of view, in compliance with the provision of art. 110, paragraph 1, second sentence of the Code, according to which the research program must first be subject to a reasoned favorable opinion from the competent ethics committees at a territorial level, it remains understood that the participating Centers will be able to begin processing the personal data necessary for the Study only after obtaining the favorable opinions of the respective ethics committees, as this element is a condition of lawfulness of the processing of personal data for the purposes in question where it is not possible to acquire the consent of the interested parties (see provision no. 202 of 29 October 2020, web doc. 9517401 and provision no. 406 of 1 November 2021, web doc. 9731827).

3.2. Measures pursuant to art. 89 of the Regulation

The Guarantor takes note of how the Company, in the study presented, has correctly applied art. 89 of the Regulation, providing that the data are subject to robust minimization techniques throughout the processing phase. In particular, taking into account the epidemiological nature of the Study and the size of the sample, the Company, also in compliance with the principles of accountability and privacy by design, has verified the possibility of pursuing the research aim through the collection and analysis of aggregated data (articles 5, paragraph 2, 24 and 25 of the Regulation).

On the other hand, it is deemed necessary to provide specific indications and clarifications regarding the anonymisation of the data also in order to allow, as envisaged by the data controller, the sharing of the same with the scientific community and to be able to keep them beyond the deadline set for carrying out the Study (5 years).

In the Study Protocol, the Company stated that "the data will be transmitted by the participating centers in an anonymous and aggregated form" to the Promoter.

Indeed, the data collected by the data controller cannot be considered anonymous. In this respect, as underlined by the European Data Protection Supervisor and the European Data Protection Board, the distinction between categories of personal and non-personal data is difficult to apply in practice, since from a combination of aggregated data it is possible to infer or generate personal data, i.e. data relating to an identified or identifiable individual, even more so in the context of the processing of health data (cf. EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space, point 4.2 (40)).

In particular, in the present case it must be taken into account that the alleged anonymisation process (actually aggregation and generalization of data), carried out at the individual participating Centres, represents only one phase of a much wider series of processing operations. The data thus processed at the Centers are in fact destined to flow to the Promoter.

Any anonymisation technique that involves the participation of several subjects suffers from an inevitable loss of effectiveness of the measures implemented by each of them to bring the risk of re-identification of the interested parties to an acceptable level. In fact, the amount of information available from the centralized subject (in the present case the Promoter) - precisely due to its role as collector of information from the various subjects involved (in the present case the participating Centres) - is higher than that available with the conferring subjects, with a consequent significant increase in the risk of re-identification of the data subjects.

To ensure the effective anonymization of the collected data, the collector must therefore implement further measures. In particular, with regard to generalization operations, it is deemed necessary for the data controller to redefine the equivalence classes, i.e. the sets of data subjects characterized by the same combinations of attributes (so-called "quasi-identifiers", for example indicators of location, of age, or of belonging to specific social categories), in such a way as to guarantee a minimum number for each equivalence class in the dataset to be published.

With reference instead to aggregation techniques, it is necessary to consider that the availability of a large number of aggregate statistics increases the identifying power of each of them, up to the possible complete reconstruction of a dataset (so-called "reconstruction attack"). To avoid this, the number of statistics to be disseminated must be significantly less than the number of variables to be disclosed. In other words, by ensuring the dissemination of a limited number of statistics, it is avoided that through mathematical calculations, it is possible to arrive at the identification of the single subjects belonging to the sample.

Having said that, it is deemed necessary that the Company, at the end of the data retention period for carrying out the Study, indicated at 5 years, and in any case in the event of data sharing with third parties, with regard to generalization techniques, redefine the equivalence classes in order to guarantee a minimum number for each of them in the dataset to be published, or shared. In the present case, a threshold of at least 20 units is considered appropriate for this purpose.

In relation to the aggregation techniques, it is also deemed necessary that the Company, at the end of the data retention period for carrying out the Study, indicated as 5 years, and in any case in the event of data sharing with third parties, in consideration of the number of variables subject to aggregation, ensure that the number of aggregate statistics to be disclosed is significantly lower than the number of variables considered; this, in order to avoid the risk of reconstructing data referable to single individuals.

Furthermore, as part of the periodic checks that the data controller is required to carry out, also with reference to the continued effectiveness of the data anonymization measures and to technological evolution, it is deemed necessary for the Company to undertake to remove any singularity if, by any means, it becomes aware of it at a stage following the application of the aforementioned anonymisation techniques, and to keep track of these events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified on the total number of records included in the dataset (see, on this point, the Opinion of 30 June 2022, available at www.gpdp.it, web doc. 9791886).
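The two quantified conditions in this section, a minimum equivalence-class size of 20 and a repeat risk assessment at 1% of singularities, can be checked mechanically before a release. The following is an added example, not part of the decision or of the controller's DPIA; the centre names, regions, age bands, generalization ladder and record counts are constructed assumptions.

```python
from collections import Counter

K_MIN = 20               # minimum equivalence-class size required by the decision
SINGULARITY_RATE = 0.01  # repeat the risk assessment at 1% of total records

# Constructed sample data (assumption): one row per patient, two quasi-identifiers.
REGION = {"C1": "North", "C2": "North", "C3": "South"}
PER_AGE = {"C1": 5, "C2": 2, "C3": 4}   # patients per year of age, per centre
RECORDS = [
    {"id": f"{centre}-{age}-{i}", "centre": centre, "age": age}
    for centre, n in PER_AGE.items()
    for age in range(6, 18)
    for i in range(n)
]


def age_band(age):
    return "6-11" if age <= 11 else "12-17"


# Hypothetical generalization ladder, from most detailed to most generalized.
LEVELS = [
    lambda r: (r["centre"], r["age"]),
    lambda r: (r["centre"], age_band(r["age"])),
    lambda r: (REGION[r["centre"]], age_band(r["age"])),
    lambda r: (REGION[r["centre"]], "*"),
]


def equivalence_classes(records, level):
    """Count the records that share one quasi-identifier combination."""
    return Counter(LEVELS[level](r) for r in records)


def undersized(classes, k=K_MIN):
    """Classes that would be released with fewer than k members."""
    return {key: n for key, n in classes.items() if n < k}


def redefine_classes(records, k=K_MIN):
    """Return the least generalized level at which every class has >= k records."""
    for level in range(len(LEVELS)):
        if not undersized(equivalence_classes(records, level), k):
            return level
    raise ValueError("no level reaches k: suppress records or withhold the release")


class SingularityLog:
    """Removes singularities found after release and tracks the 1% trigger."""

    def __init__(self, records):
        self.total = len(records)            # denominator: records in the dataset
        self.live = {r["id"]: r for r in records}
        self.events = []                     # audit trail of removed singularities

    def report(self, record_id):
        """Remove the record, log the event, return True if reassessment is due."""
        if self.live.pop(record_id, None) is not None:
            self.events.append(record_id)
        return self.reassessment_due()

    def reassessment_due(self):
        return len(self.events) / self.total >= SINGULARITY_RATE


if __name__ == "__main__":
    for lvl in range(len(LEVELS)):
        small = undersized(equivalence_classes(RECORDS, lvl))
        print(f"level {lvl}: {len(small)} classes below k={K_MIN}")
    print("release at level", redefine_classes(RECORDS))
    log = SingularityLog(RECORDS)
    print("after 1 singularity:", log.report("C2-6-0"))
    print("after 2 singularities:", log.report("C2-7-0"))
```

Because the Promoter pools the centres' tables, the check has to run on the pooled dataset: a class that passes at one centre says nothing about the combined release.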

3.3. The personal data protection roles of the individuals involved in the Study

In the documentation sent by the Company, in representing the multi-centre nature of the Study, it is declared that the healthcare facilities indicated in the documentation participate in it as participating Centres, and it is clarified that they operate as independent data controllers. The Company has consequently modified the information on the processing of personal data prepared for the interested parties, specifying the roles of independent data controllers both of the Company as promoter of the Study and of the participating Centres. The Company also represented that for the conduct of the Study it makes use of an "information system supplier, with which the clinical activity is carried out daily for all company specialties, [...], HIS Trakcare, InterSystem, [...], appointed External Data Processor" and that "The transfer of data outside the European Union is not envisaged; the data will be communicated outside the members of the Research Group only and exclusively in aggregate form for scientific purposes (sending of articles to scientific journals, presentations at medical congresses, etc.). Publication in scientific journals will be carried out after data analysis and further aggregation in a form that does not allow for singularization or inference on individualities".

In this regard, it is believed that the organizational structure implemented for the implementation of the Study is such as to exclude that unauthorized third parties may be involved in the processing of health data from patients enrolled in the aforementioned Study and complies with the principle of correctness and transparency (Article 5, paragraph 1 letter a) of the Regulation).

3.4. Further measures aimed at guaranteeing the effectiveness of the principle of transparency towards the patients enrolled in the Study

In general, we favorably acknowledge the measures undertaken by the Company to guarantee the effectiveness of the principle of correctness and transparency towards the interested parties.

With specific regard to the methods for providing information to interested parties who cannot be contacted, the Company, given the findings made by the Office during the preliminary investigation, sent a new information document, drawn up pursuant to art. 14 of the Regulation, which correctly indicated the role of the participating Centers as independent data controllers and declared that it will be "published on the company website".

That said, taking into account that the Study involves 7 participating Centers in addition to the Promoter, in order to ensure the effective application of the aforementioned principles of correctness and transparency, it is deemed necessary, in the case in question, for the Company to make public the information to be provided to interested parties, pursuant to art. 14 of the Regulation, also through a specific notice on the institutional websites of the trial centers involved in the Study.

3.5. The security measures implemented

The Company, as data controller, as mentioned above and as required by the procedure pursuant to articles 110 of the Code and 36 of the Regulation, presented to the Guarantor the impact assessment on the protection of personal data connected to the processing necessary for the realization of the Study, as integrated during the preliminary procedure, which identifies in particular the technical and organizational measures provided for the security of the data processed, briefly described in paragraph 1.

In fact, it should be noted that the implementation of the measures pursuant to art. 89 of the Regulation, aimed, in particular, at the effective application of the minimization principle, does not exempt the data controller from also introducing suitable technical and organizational measures pursuant to art. 32 of the Regulation, for effective application of the principle of data integrity and confidentiality (Article 5, paragraph 1, letter f) of the Regulation).

From this document, in addition to what is highlighted in paragraph 1 above, it emerges that the Company, in order to guarantee compliance with the principle of integrity and confidentiality, has prepared appropriate and suitable measures to protect the rights and freedoms of the cohort of interested parties involved in the Study.

An exhaustive analysis of the risks associated with the processing of personal data necessary for the pursuit of the purpose of the research in question was also carried out, in order to determine in particular the origin, nature and seriousness of these risks and the measures implemented to mitigate them (articles 5, paragraph 2 letter f), and 32 of the Regulation).

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 110 of the Code and art. 36 of the Regulation, expresses to the University Hospital A.O.U. City of Health and Science of Turin, with registered office in Corso Bramante, 88 - 10126 Turin, Fiscal code - VAT number: 10771180014, a favorable opinion regarding the processing of personal data for medical, biomedical and epidemiological research purposes, referring to the cohort of patients enrolled in the multicenter, retrospective non-profit study, called "Analisi emergency-urgency accesses for NPI pathology", under the following conditions:

1. the Company, at the end of the data retention period for carrying out the Study, indicated as 5 years, and in any case in the event of data sharing with third parties, with regard to generalization techniques, redefines the equivalence classes in order to guarantee a minimum number for each of them in the dataset to be published or shared. In this case, a threshold of at least 20 units is deemed appropriate for this purpose (par. 3.2);

2. at the end of the data retention period for carrying out the Study, indicated at 5 years, and in any case in the event of data sharing with third parties, in consideration of the number of variables subject to aggregation, the Company ensures that the number of aggregate statistics to be disclosed in order to avoid the risk of reconstructing data referable to individuals is significantly lower than the number of variables considered (par. 3.2);

3. the Company undertakes to remove any singularity if, by any means, it becomes aware of it at a stage following the application of the aforementioned anonymization techniques, and to keep track of these events in order to repeat the re-identification risk assessment upon reaching 1% of singularities identified out of the total number of records included in the dataset;

4. the Company makes the information to be provided to the interested parties public, pursuant to art. 14, par. 5, letter b) of the Regulation and art. 6.3 of the Ethical rules for processing for statistical or scientific research purposes, Annex A5 to the Code, through a specific notice also on the institutional websites of the experimentation centers involved in the Study (par. 3.4).

Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, March 2, 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei