The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Amendments to the Italian Privacy Code

The decree-law for the implementation of the National Recovery and Resilience Plan (so-called “PNRR Decree” Decree No. 19 of March 2, 2024, converted with amendments by Law No. 56/2024), provided in Article 44.1-bis, the amendment of Articles 2-sexies and 110 of the Privacy Code.

Both amendments intervene in the context of the regulation of special categories of personal data, specifically, regarding:

  • processing necessary for reasons of substantial public interest (Article 2-sexies)
  • health-related data for medical, biomedical and epidemiological research (Art. 110).

Article 110 privacy code

The following is a comparison of the texts of Article 110 of the Privacy Code as it existed before and as amended.

Article 110 Former Privacy Code Article 110 Privacy Code amended version
1. The consent of the data subject for the processing of health-related data for the purpose of scientific research in the medical, biomedical or epidemiological field is not required when the research is carried out on the basis of provisions of law or regulation or European Union law in accordance with Article 9(2)(j) of the Regulation, including the case when the research is part of a biomedical or health research program provided for under Article 12-bis of Legislative Decree No. 502, and an impact assessment is conducted and made public pursuant to Articles 35 and 36 of the Regulation. Consent is also not necessary when, due to special reasons, informing the data subjects is impossible or involves a disproportionate effort, or risks making it impossible or seriously prejudicing the achievement of the purposes of the research. In such cases, the data controller shall take appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject, the research program shall be subject to a reasoned favorable opinion of the competent ethics committee at the territorial level, and shall be subject to prior consultation with the Italian Data Protection Authority (Garante) pursuant to Article 36 of the Regulation. 1. The consent of the data subject for the processing of health-related data for the purpose of scientific research in the medical, biomedical or epidemiological field is not required when the research is carried out on the basis of provisions of law or regulation or European Union law in accordance with Article 9(2)(j) of the Regulation, including the case when the research is part of a biomedical or health research program provided for under Article 12-bis of Legislative Decree No. 502, and an impact assessment is conducted and made public pursuant to Articles 35 and 36 of the Regulation. Consent is also not necessary when, due to special reasons, informing the data subjects is impossible or involves a disproportionate effort, or risks making it impossible or seriously prejudicing the achievement of the purposes of the research. In such cases, the data controller shall take appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject, the research program shall be subject to a reasoned favorable opinion of the competent ethics committee at the territorial level. In cases referred to in this paragraph, the Italian Data Protection Authority (Garante) shall identify the safeguards to be observed in accordance with Article 106(2)(d) of this Code.

The legislator’s modifying intervention, as can be seen from the highlighted text, concerned the final part of the article, which provided for the obligation to consult the Garante in advance, in the case of processing of health data without the consent of the data subject, for the purpose of scientific research in the medical, biomedical or epidemiological field.

The requirement for prior consultation of the authority – an obligation that had to be fulfilled for each processing considered, with significant operational impact for cases of this type – has now been replaced by the provision of a general provision of the Garante indicating the guarantees to be observed in these circumstances and valid for all data controllers in the conditions referred to.