Garante per la protezione dei dati personali (Italy) - 9936136

From GDPRhub
Garante per la protezione dei dati personali - 9936136
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR
Article 6(1)(f) GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 32 GDPR
Article 35 GDPR
Article 35 GDPR
Article 36 GDPR
Article 46 GDPR
Article 110 Codice Privacy
Type: Advisory Opinion
Outcome: n/a
Fine: n/a
Parties: Daiichi Sankyo
National Case Number/Name: 9936136
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: ar

Following a request for prior consultation under Article 36 GDPR, the Italian DPA authorised the company Daiichi Sankyo to process the health data of around 200 patients for a study promoting treatment improvements on breast cancer.

English Summary


The company Daiichi Sankyo (the company) submitted a request for prior consultation, pursuant to Article 36 GDPR, in relation to a study aimed to evaluate and improve the treatment outcomes of the drug Trastuzumab Deruxtecan or T-DXd for future patients. The study was to be carried out in several European Union countries, including Italy, Spain and Ireland. And in Italy, it involved seven trial centres around the country.

The request for prior consultation was deemed necessary as the study required the processing of health data of about 200 Italian patients, some of them deceased or unreachable, which was necessary for the study's objectives and a complete evaluation of the drug.

As the company has its establishment in the United States, it assigned as its representative in the European Union Daiichi Sankyo Europe GmbH, established in Munich, Germany, under Article 27 GDPR. Additionally, under Article 28 GDPR, it engaged the company Bionical Emas, established in the UK, as its data processor.

In the request to the Italian DPA, the company also enclosed the data protection impact assessment carried out pursuant to Article 35 GDPR.


Following the information provided, the Italian DPA assessed that the company had correctly identified Article 9(2) GDPR as the legal basis of the processing of personal data of the patients who are alive and reachable, as well as the specific and residual procedure in Article 110 of the Italian Privacy Code for patients who may be deceased or unreachable.

It also positively acknowledged that the data would be transferred in pseudonymised form to the data controller established in the US on the basis of Standard Contractual Clauses under Article 46 GDPR. However, it requested the company to remove the reference to data processing related to legitimate interest, set out in Article 6(1)(f) GDPR, given that it is not an exemption for the processing of particular categories of data, as set out in Article 9(2) GDPR.

Thirdly, on the information to be provided to the data subjects, the DPA positively noted that the company stated that the information pursuant to Article 14(5)(b) GDPR would be published on the websites of the company and the participating trial centres. It also reminded that the information should be provided in accordance with Article 12 GDPR and contain all the elements set out in Article 13 GDPR and Article 14 GDPR.

Fourthly, on the data storage, the DPA acknowledged that the company indicated that the retention period would be at least ten years. It found that the company justified the proportionality with regard to the period of data retention necessary to pursue the purpose of the collection, under Article 5(1)(e) GDPR.

Next, on data anonymisation, it emerged that the company intended to aggregate the data collected or convert them into statistics so the data subjects could no longer be identified. However, the DPA stressed that the availability of a large number of aggregated statistics increases the possibility of identification. To avoid this risk, it stated that the number of statistics to be disseminated must be significantly lower to avoid the identification of the data subjects.

Lastly, pursuant to Article 32 GDPR and Article 35 GDPR, the Italian DPA noted that in the case of remote monitoring of the study, the company should define the data protection roles of all entities involved in this activity and also identify appropriate technical and organisational measures to protect the fundamental rights and freedoms of the data subjects.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.