Table of contents
- The Implied Consent Clause in the Italian Sunshine Act May Conflict with GDPR Requirements
- Required steps towards GDPR compliance
- Legal basis for processing personal data
- Data retention period
- Data protection obligations for healthcare companies to comply with
- Conduct data mapping and gap analysis
- Plan for data retention and deletion
- Provide privacy policies to HCPs and HCOs
- Updating documentation and assigning responsibilities
- Prepare data protection impact assessments (DPIAs)
Author
May Khan leads the Compliance Services team at Vector Health, a SaaS company specialising in compliance for the life sciences sector. Her experience includes global transparency reporting, Sunshine Act strategy and HCP risk monitoring. At Vector she coordinates cross-functional teams dedicated to data integrity, customer service and regulatory alignment.
Vector Health Compliance
The leading partner in Italy for Sunshine Act compliance
The Italian Sunshine Act will become fully operational once the Ministry of Health activates access to the public register called “Sanità Trasparente,” which will be managed directly by the Ministry. This public database will include information and details about transfers of value between healthcare companies, HCPs, and HCOs, along with personal data of the latter, such as name, surname, professional contact details, and membership numbers.
As a result, the Italian Sunshine Act raises significant concerns from a data protection perspective, particularly concerning compliance with European Regulation (EU) 2016/679 (GDPR) and the Italian Privacy Code. The collection, storage, and disclosure of personal data relating to HCPs and HCOs by the Ministry of Health, as mandated by the Act, constitute personal data processing. This processing must comply with the obligations established by the applicable legal framework.
Accordingly, this analysis will focus on the data protection obligations that healthcare companies must ensure when fulfilling the requirements of the Italian Sunshine Act.
The Implied Consent Clause in the Italian Sunshine Act May Conflict with GDPR Requirements
Paragraph 6 of Article 5 in the Italian Sunshine Act provides that entering into an agreement, accepting a transfer of value, or acquiring shares or licenses constitutes implicit consent by the parties for the processing and publication of their personal data. However, this implied consent mechanism may be at odds with certain privacy rights guaranteed under the General Data Protection Regulation (EU) 2016/679 (“GDPR”). While Article 5 of the Sunshine Act explicitly preserves the rights established in GDPR Articles 15, 16, 17, 18, 19, and 21, the implied consent provision in Paragraph 6 may not fully comply with these protections. For instance, the requirement for implied consent and mandatory publication could infringe upon the right to erasure outlined in Article 17 of the GDPR.
Required steps towards GDPR compliance
Article 5(6) of the Sunshine Act contains the most relevant provisions for assessing the law from a data protection viewpoint. The paragraph states:
“With the signing of conventions or agreements […] or with the acceptance of payments […] by subjects operating in the health sector and health organizations, as well as with the acquisition of shares, securities and profits deriving from industrial or intellectual property rights […] the consent is understood to be given to the disclosure and processing of data by the aforementioned subjects and organizations, for the purposes set forth in this article. However, manufacturing companies are required to provide information to subjects operating in the health sector and health organizations, specifying that the communications referred to in the preceding paragraphs are subject to publication on the institutional website of the Ministry of Health […]” (Unofficial translation)
Legal basis for processing personal data
As outlined in Article 5(6), the transfer of value between companies and HCPs/HCOs is governed by an agreement through which personal data of the data subjects is collected and subsequently communicated to the Ministry of Health.
However, the current wording of Article 5(6) is vague regarding the legal basis legitimizing such processing. It implies “consent” from the data subject at the time of signing the agreement.
Nonetheless, consent does not appear to be the most appropriate legal basis in this context. Under Article 6(1)(c) of the GDPR, processing personal data is lawful when it is necessary for compliance with a legal obligation to which the data controller is subject. This legal obligation is established by the Sunshine Act itself, which requires data controllers to disclose and publish personal data of HCPs and HCOs.
Therefore, according to the GDPR, the implied consent described in the Act is unnecessary and, more importantly, not valid. Article 7 GDPR, along with guidelines and rulings from the European Data Protection Board (EDPB) and national Data Protection Authorities (DPAs), clarifies that consent must never be implied but must be a clear, unambiguous, and explicit act by the data subject. Moreover, consent must be withdrawable at any time by the data subject; however, the current Act does not provide a mechanism for withdrawing consent.
Consequently, the reference to consent as the legal basis in the Italian Sunshine Act appears inappropriate. It is expected that the Italian DPA (Garante per la protezione dei dati personali) or forthcoming implementing decrees will clarify this issue.
Data retention period
Article 5(4) of the Italian Sunshine Act specifies that personal data published on the public database will be accessible for consultation for five years from the date of publication and then deleted. While this retention period applies to the Ministry of Health, it offers guidance for companies regarding proportional and appropriate retention periods.
Primarily, life sciences companies should retain data disclosed to the Ministry to demonstrate compliance with the Sunshine Act’s reporting obligations and to defend against potential accusations of omission or false disclosure. The statute of limitations for such administrative offenses is five years, making this a reasonable retention period.
However, longer retention may be necessary in cases such as defending against corruption-related claims, where retention should align with the statute of limitations for such offenses under national law.
Data protection obligations for healthcare companies to comply with
Conduct data mapping and gap analysis
Companies should thoroughly map all data flows related to transfers of value, clearly identifying which personal data of healthcare professionals (HCPs) and healthcare organizations (HCOs) they collect, process, and disclose. They must then evaluate their current data management practices against the requirements of the Sunshine Act and GDPR principles such as data minimization, purpose limitation, and accuracy. This process includes identifying any gaps in privacy notices, consent procedures, and data security measures that need to be addressed before reporting to the Sanità Trasparente database begins.
Plan for data retention and deletion
According to the Italian Sunshine Act, personal data published on Sanità Trasparente will remain publicly accessible for five years before deletion. Hence, companies should align their retention policies accordingly, retaining data long enough to demonstrate compliance and defend against potential legal claims, but no longer than necessary.
Provide privacy policies to HCPs and HCOs
Data controllers should update their privacy policies to provide healthcare professionals (HCPs) and healthcare organizations (HCOs) with clear, detailed information about the nature, scope, and purpose of personal data processing related to Sunshine Act reporting, ensuring full transparency in line with the requirements already established by Article 13 of the GDPR.
Updating documentation and assigning responsibilities
To comply with the Sunshine Act and GDPR requirements, companies must update their Record of Processing Activities (ROPA) to accurately reflect all personal data processing activities related to the Act’s reporting obligations. Additionally, in line with Article 29 of the GDPR and Article 30 of the Italian Privacy Code, organizations should designate specific employees responsible for the collection, management, and transmission of personal data to the Ministry of Health. This clear assignment of roles ensures accountability and supports adherence to the legal obligations imposed by the Sunshine Act.
Prepare data protection impact assessments (DPIAs)
Given the scale and sensitivity of the data involved, conducting a Data Protection Impact Assessment (DPIA) is important to identify and mitigate privacy risks related to the collection, transmission, and publication of personal data on Sanità Trasparente. DPIAs should assess risks such as unauthorized access, data accuracy, and potential impacts on data subjects’ rights, while recommending appropriate technical and organizational safeguards to ensure GDPR compliance and protect individuals’ privacy.
Conclusion
Under the Sunshine Act, the processing and protection of personal data published on the Sanità Trasparente database will be the exclusive responsibility of the Ministry of Health, which will act as an independent data controller.
Before the database is launched, the Italian DPA, together with the Italian Digital Agency (AgID) and the National Anti-Corruption Authority (ANAC), will review its compliance, focusing especially on the adequacy of technical and organizational security measures. It is anticipated that the Italian DPA will also provide guidance on the appropriate legal basis for data processing and clarify the suitable retention periods.
Hence, as the activation of the electronic register draws closer, companies subject to the Act should consult their Data Protection Officers or legal advisors to ensure compliance with all legal requirements, particularly those related to data protection as discussed in this analysis.