Scientific research: Italian DPA identifies safeguards under Article 110 of the Privacy Code and promotes adoption of new rules of professional conduct

The Italian Data Protection Authority (the “Garante”) recently adopted a resolution to identify safeguards for the processing of personal data for medical, biomedical, and epidemiological research purposes in cases where obtaining the data subject’s consent is impossible. This resolution also promotes the adoption of new ethical rules pursuant to Articles 2-quater and 106 of the Privacy Code (the “Resolution”).

The Resolution follows the recent reform introduced by Article 44, paragraph 1-bis of Italian Legislative Decree 19/2024, which amended Article 110 of Italian Legislative Decree 196/2003, as amended by Italian Legislative Decree 101/2008 (the “Privacy Code”). This reform, therefore, is now beginning to take effect.

But what are the safeguards that trial centers need to comply with in order to perform a so-called retrospective clinical trial?

The legal framework

The legal framework established by the reform of Article 110 of the Privacy Code represents a significant advancement for retrospective clinical trials. These trials involve the use of pre-existing health data at trial centers and often involve data subjects from whom obtaining consent is now impossible. This reform replaces the previous consent-centered approach, moving from a pre-authorization system to one that works without the need for authorization (for further details on the reform of Article 110 of the Privacy Code, see our previous contribution, available here, in Italian).

Researchers – if they prove that it would be impossible to inform the data subjects or that such informational obligation would result in an unreasonable effort, or that it risks affecting the results of the retrospective study – are no longer required to submit their research project and impact assessment for prior consultation with the Garante as per Article 36 of Regulation (EU) 679/2016 (the “GDPR”). Instead, it is only necessary to obtain a positive opinion on the research project from the relevant ethics committee and comply with the safeguards set forth by the Garante in the rules of professional conduct for processing of personal data for research purposes.

Currently, the applicable rules of professional conduct are provided in the Garante’s provision 515/2018 and form Annex A5 to the Privacy Code (the “Annex A5”). However, considering the significant changes in the research framework, especially with the increasing use of new technologies, the Garante emphasized the urgent need to adopt new rules of professional conduct for processing for statistical or scientific research purposes.

Safeguards under Article 110 of the Privacy Code

While the new rules of professional conduct are pending approval, and notwithstanding the applicability of Annex A5 of the Privacy Code, the Garante has identified specific safeguards for processing personal data concerning health, referred to in Article 9 of the GDPR, for medical, biomedical and epidemiological research without the data subjects’ consent.

These safeguards apply particularly when the data subjects are either deceased or otherwise not contactable due to:

  • ethical reasons. This refers to situations where individuals are not aware of their condition. This category includes medical, biomedical, and epidemiological research where providing the privacy notice to the data subject would disclose information about the study’s operation. Such disclosure could lead to material or psychological harm to the data subjects;
  • reasons of organizational impossibility.

Organizational impossibility arises when, considering the study’s intended inclusion criteria, the enrollment methods, the size of the selected statistical sample, and the period of time that has already passed since the data were originally collected, the exclusion of data from non-contactable individuals would significantly compromise the quality of the research results.

The Garante identifies two specific scenarios within this category. Firstly, situations where contacting the data subjects would require a disproportionate effort due to the large number of individuals in the sample, which is to be regarded as a residual circumstance. Secondly, situations where the data subjects are deceased or non-contactable despite the data controller’s reasonable efforts to reach them. These efforts include verifying the life status of the data subjects, accessing clinical records, utilizing any available telephone numbers, as well as acquiring publicly accessible contact information.

The Garante further points out that, in such cases, the data controller must not only comply with the regulatory requirements set forth in Article 110 of the Privacy Code and take appropriate measures to protect the rights, freedoms, and legitimate interests of the data subjects, but also carefully provide justifications within the research project. These justifications should document the presence of ethical or organizational reasons that make obtaining consent impossible, entail disproportionate effort, or risk making it impossible or seriously compromising the research’s purposes.

Finally, in accordance with the principle of accountability, the Garante recommends that the data controller record all reasonable efforts made to contact the data subjects.

The development of new ethics rules

The Garante finally emphasizes in the Resolution that the new ethical professional rules must adhere to the principle of representativeness (Article 2-quater of the Privacy Code). This principle is considered satisfied based on the legal nature of the proposing entities that are institutionally or statutorily required to conduct medical research. This category includes universities, research bodies or institutes, scientific companies, researchers in these fields, scientific hospitalization and care institutions, moral research foundations, as well as public bodies that are institutionally responsible for carrying out these tasks.

Additionally, any parties interested in the application of the rules of professional conduct, such as patients’ associations, may also propose their participation in the adoption of these rules, although they cannot sign them. These parties should notify the Garante of their intent and provide the necessary information and documentation to prove their qualified interest in the matter.

All proposing parties will have to send their submissions to the Garante (to the PEC address protocollo@pec.gpdp.it) within 60 days from the date of publication of the Resolution in the Official Gazette.