For this reason, the Sunshine Act also raises particular and important issues from a data protection standpoint and, consequently, in terms of compliance with Regulation (EU) 2016/679 (GDPR) and the national data protection legislation.
In fact, the collection, storage and disclosure of personal data relating to HCPs and HCOs to the Ministry of Health, which is required by the Act, constitutes by definition a processing of personal data and must therefore be carried out in compliance with the obligations imposed by the relevant legal framework.
Therefore, we will now analyze what data protection obligations health care companies must comply with, when they fulfill the obligations imposed by the Italian Sunshine Act.
Required steps towards GDPR compliance
Article 5(6) of the Sunshine Act contains the most relevant elements for analyzing the law from a data protection point of view. The paragraph in question specifies:
“With the signing of conventions or agreements […] or with the acceptance of payments […] by subjects operating in the health sector and health organizations, as well as with the acquisition of shares, securities and profits deriving from industrial or intellectual property rights […] the consent is understood to be given to the disclosure and processing of data by the aforementioned subjects and organizations, for the purposes set forth in this article. However, manufacturing companies are required to provide information to subjects operating in the health sector and health organizations, specifying that the communications referred to in the preceding paragraphs are subject to publication on the institutional website of the Ministry of Health […]” (Unofficial translation)
Legal basis for the processing of personal data
As mentioned in Article 5(6) of the Act, the transfer of value between the company and the HCPs and HCOs is governed by an agreement. Under this agreement, the personal data of the data subjects are collected and subsequently communicated to the Ministry of Health.
The current wording of Article 5(6) is, however, imprecise with regard to the legal basis that would legitimize such processing. In fact, it envisages an “implied” consent of the data subject, considered to have been given at the time of the signing of the aforementioned agreements.
However, consent does not appear to be the most correct and appropriate legal basis in this circumstance. Consent under the GDPR must be freely given and withdrawable, whereas here the disclosure is mandatory regardless of the data subject’s wishes. The processing of the data subjects’ personal data is instead legitimate, inter alia, under Article 6(1)(c) of the GDPR, i.e. when it is carried out on the basis of a legal obligation to which the data controller is subject. Such legal obligation is provided for in the Sunshine Act itself, which obliges data controllers to disclose and publish the personal data of HCOs and HCPs.
Data retention period
According to Article 5(4) of the Act, personal data published in the public database are available for consultation for five years from their publication and are deleted thereafter. Although this retention period concerns only the Ministry of Health, it provides an important insight for evaluating proportional and appropriate retention periods for companies.
Primarily, data disclosed to the Ministry should be stored by the company to prove compliance with the Sunshine Act’s reporting obligation, and thus to defend itself against accusations of omission or disclosure of false data. The limitation period for a corresponding administrative offense is five years. Therefore, five years would be a proportional retention period for the personal data of HCPs and HCOs.
Further obligations
Finally, to ensure GDPR compliance in relation to Sunshine Act-related data processing, data controllers will need to:
- Provide a privacy notice to HCPs and HCOs informing them in a complete and comprehensive manner about the processing of their personal data. Strictly speaking, the Sunshine Act did not need to restate this requirement, since the obligation is already clearly established by Article 13 GDPR and is directly applicable in this context.
- Update the Record of Processing Activities (ROPA) with the personal data processing required to comply with the Sunshine Act.