Coronavirus FAQs of the European Data Protection Supervisor about school, work, healthcare, research and local authorities. Clarifications and indications for public administrations and private companies

Can the employer detect the body temperature of employees, suppliers, customers at the entrance of their premises? And can he disclose the identity of an infected worker to all the colleagues? Can the school inform the families on the identity of parents of students who were positive at Covid-19? Can local authorities publish data on recipients of economic benefits? Can health companies, prefectures, municipalities disseminate, through websites or other channels, the names of the cases of confirmed Covid-19 or subjects placed in isolation?
These are just some of the questions answered by the Faq developed by the Supervisor for the protection of personal data on issues related to the Coronavirus emergency in different areas: health, work, school, research, local authorities.

The documents have been prepared to clarify doubts and provide indications for proper processing of personal data by public administrations and private companies.

The Faqs, available today on the website of the Italian Data Protection Authority, contain general indications inspired by the answers given and complaints, reports, questions received by the Office in this period.

The Supervisor clarifies particularly that the role of the doctors becomes crucial in both the public and private working environment, especially during this health emergency. He also defines that the employer must not communicate names of contagious employees to the worker’s representative.

Talking about schools, every institute must inform competent institutes in order to found the people that came in contact with the infected person. After that, the health authorities must came in contact with them in order to activate prophylaxis measurements.

Talking about health facilities, they can choose the way they like most to inform families about medical conditions of Covid-19 patients that can not communicate by themselves.
For example, they can use a freephone number to offer such information, but it must provide for appropriate measures to identify the persons actually entitled to know the information on the health status of the hospitalised family member.

The Supervisor underlines that health companies, prefectures, municipalities or any other private or public subject must not disseminate, through websites or other channels, the names of the cases of confirmed Covid-19 or subjects placed in isolation, even if the aim is to contain the spread of the epidemic.

The Supervisor also gives specifics clarification in order to clarify the emergency law for data protection as part of clinical trials of drugs for the epidemiological emergency from Covid-19 and medical research carried out by the Istituti di ricovero e cura a carattere scientifico (Ircss) funded by the Ministry of Health.

FAQs – Data processing in healthcare in the context of the health emergency

May dentists collect information on the patient’s state of health in relation to COVID-19?

All health professionals may collect the information they consider necessary as part of the care of their patients, including information linked to the presence of symptoms due to COVID-19. Like any other healthcare provider, dentists are also required to comply with the constantly evolving emergency provisions concerning measures to prevent and limit contagion from COVID-19.

This is without prejudice to the detection and collection of information on Coronavirus symptoms and of the information on the recent movements of each individual, which rest with healthcare professionals and the civil protection system, respectively, being the bodies responsible for ensuring compliance with the public health rules that were recently adopted.

May a healthcare body e-mail information to persons under home confinement on the rules to be respected during the quarantine?

A healthcare body may indicate the rules to be followed by quarantined persons in the manner they consider most effective, while respecting the confidentiality of the data subjects. If emails are used to inform simultaneously all parties about the provisions they are required to comply with, the recipients’ addresses will have to be entered in the ‘Ccn’ field in order to avoid that all the recipients become aware of the e-mail addresses of the other quarantined persons.

Is it legitimate for a healthcare professional, when performing a test for COVID-19, to ask the patient about the identity of the virus-positive person with whom that patient has been in close contact?

Yes, as the public healthcare professional is required to trace back the close contacts of an individual tested positive to COVID-19 in order to determine the most appropriate containment measures.

May healthcare facilities create a call centre service to provide information to family members on the health of COVID-19 patients who are not able to communicate with their families?

Healthcare facilities may identify the arrangements they consider most appropriate and effective in accordance with the principle of accountability to provide health status information to family members of COVID-19 patients who are unable to communicate independently. In that context, the hospitalization facility may certainly provide a toll-free number in order to convey that information by also implementing appropriate measures to identify the persons who are in fact entitled to know the health status of a hospitalized family member.

In the event of the death of a COVID-19 positive patient, may healthcare facilities inform funeral services providers of the cause of death?

The provisions adopted in the course of the COVID-19 epidemiological emergency envisage that in cases of suspicion or evidence of death from COVID-19, funeral service operators must take special precautions – similar to those already in place for the death of persons with infectious and contagious diseases – in order to prevent further infection. Accordingly, the healthcare facility may well inform a funeral services provider about the COVID-19 positivity of an individual who deceased at that facility.
During the COVID-19 emergency, may the doctor send a prescription to the patient in order to avoid the need for that patient to collect the prescription at the clinic?
In order to avoid that citizens should collect prescriptions at the clinics of their doctors, the Civil Protection Order of 19 March 2020 provided that doctors would email or text prescriptions to their patients, or else communicate them by telephone.
If sent by e-mail, the prescription must be attached to the message and not included as a text in the body of the message itself.
In the case of communications by telephone or SMS-texting, it will be sufficient to provide the patient with the Electronic Prescription number.

Can the prescription for the purchase of a medicine be sent directly to the pharmacist during the COVID-19 emergency?

Yes. A decree by the Ministry of Economic Affairs and Finance, issued after consulting with the Garante, provides that the patient who has received a prescription from his or her doctor by email, by SMS or by telephone may communicate it to the pharmacy in the same way.

The provisions adopted in the emergency period also enable the patient to delegate it to his/her doctor to send the prescription directly to the pharmacy, either by e-mail or through the system used to create the prescription.

Is it permitted to disseminate the identification data of persons who tested positive to COVID-19 or were placed under home confinement?

The current rules prohibit the dissemination of data concerning health. This prohibition was not lifted by the emergency legislation related to the COVID-19 epidemiological emergency.

Therefore, healthcare bodies and any other public or private entity may not disseminate, via websites or other channels, the names of individuals found to be affected by COVID-19 or placed under home confinement for the purpose of containing the spread of the epidemics.

In the emergency period, may the body temperature of passengers at airports be taken?

Yes. The provisions adopted for the COVID-19 health emergency envisage the possibility of carrying out body temperature checks on all passengers of European and international flights arriving at Italian airports in order to identify the measures possibly required for the containment of the Coronavirus epidemics.

What aspects should be considered in promoting COVID-19 serological screening for workers belonging to risk groups such as healthcare professionals and law enforcement agencies?

COVID-19 serological screening may be promoted by the Preventive Medicine departments of each Region with regard to the categories considered to be at greater risk of contagion and spread of COVID-19. These include health care professionals and law enforcement agencies. The participation of these entities in the tests can only take place on a voluntary basis.

The results may be used by the healthcare facility that has carried out the test for the purpose of diagnosis and treatment of the data subject and to provide for the epidemiological containment measures laid down in the existing emergency legislation (e.g. home confinement), as well as for public health purposes by the regional Preventive Medicine department.

Such data processing operations should be kept separate from those carried out in connection with COVID-19 serological tests for the purposes of health and safety at work.

Data processing by public authorities in the context of health emergency

How should personal data of the recipients of the municipal population support services activated for the emergency Covid-19 be processed?

The municipal welfare services for the population (e.g. delivery of basic necessities or medicines) can be offered at the request of the interested parties, advertising, with the channels they like most, the way of activation of the service (e.g. toll free number), without collecting, therefore, the lists of subjects placed in home isolation held by the competent health companies.
Firstly, not all persons in isolation could be interested in benefiting from such services, since such needs could, for example, be carried out by the family or in other ways chosen by the person concerned.

Secondly, the ‘on-demand’ mode of activation of the services referred to could ensure that they are also used by persons who, although not in isolation at home, are most at risk of contagion or do not have access to family or social networks (elderly, disabled, chronically ill).

How should the data of those subjects receiving municipal financial contributions be processed?

For the purposes of allocating economic resources to those who are in economic difficulties in the context of the emergency Covid-19, the municipalities have prepared modules with which to self-certify the fulfilment of the requirements to obtain the support measures.
These modules must provide the collection of only the necessary data to verify the conditions (e.g. income, use of other aid, family composition, etc.) but not other irrelevant informations.

Talking about cds. vouchers, some notices addressed to businesses provide for the refund of the nominal value of the vouchers with the presentation of adequate supporting documentation by merchants (e.g. original vouchers and/or receipts for which reimbursement is required).
In such a case, without presenting the receipts directly with the details of the shopping, it is better that the commercial exercise present a self-declaration on the conformity of the use of the vouchers of which it asks the refound with simultaneous commitment to keep receipts for any checks that the Municipality will consider to be carried out.
This avoids the systematic production of detailed documentation which, together with the identity of the recipient of the voucher, would involve the communication of personal data, even of a particular nature (e.g. purchases of specific foodstuffs, etc.).

Can data be published on recipients of financial contributions or other benefits (e.g. vouchers)?

Transparency legislation requires the publication of the names of persons generally receiving economic benefits in excess of EUR 1000 during the calendar year (such as grants, contributions, subsidies or other economic benefits), without prejudice to the prohibition on the dissemination of where ”it is possible to obtain from such data information on the state of health [or] the situation of economic and social hardship of the persons concerned.” (art. 26, paragraph 4, d. lgs. n. 33/2013).
This is a functional prohibition to the protection of the dignity, fundamental rights and freedoms of the persons concerned, in order to avoid that persons in poor economical or social conditions suffer the embarrassment of the dissemination of such information, or may be subject to unintended consequences as a result of third parties’ knowledge of the particular personal situation.
In the case of economic benefits over one thousand euro in the calendar year, it is up to the local authority, the controller, to verify when the context information reveal data on health or the existence of an economic or social distress of the data subject and not proceed, as a result, the publication of data or other information that may identify it.
According to the principle of minimization of data in compliance with the purpose pursued, it is not justified to publish data such as, the address of residence or residence, the tax code, the bank details where the contributions or the economic benefits are credited (IBAN codes), the allocation of the assignees according to the bands of the equivalent-Isee, the indication of analytical income situations, conditions of need or specific housing situations, etc.

Is it possible to spread out personal data of positive COVID-19 subjects or data of who has been placed in isolation?

The law prohibits the dissemination of health data.This prohibition has not been derogated from the emergency legislation on the epidemiological Covid-19 emergency.
That is why health authorities, prefectures, municipalities and other private or public subject can not spread out, using web site or other ways, names of COVID-19 confirmed cases or names of subjects put in quarantine in order to contain the diffusion of the epidemy or to prevent fake news.

Who can process data of isolated subject in order to verify compliance with this measure?

The activity of health surveillance of subjects placed in isolation consists in a public health intervention, which must be carried out by health professionals able to assess, in relation to the health conditions of the subject, the most appropriate health interventions. The emergency measures adopted place the public health operator under an obligation to contact the person under supervision on a daily basis in order to obtain information on his health. (art. 3, paragraph 6, d.p.c.m. 8 March 2020; art. 2, paragraph 6, d.p.c.m. 4 March u.s.).

The prefectures, which have the task of checking that the measure of home isolation is effectively respected, can make use of the police forces, including the adoption of sanctions for non-compliance with the above-mentioned isolation measures.

Local police may become aware of the identification data of individuals placed in isolation, if the Prefecture delegates them the control activities. In this case, the Prefecture will be able to communicate to the local police, the data of the subjects against whom it has delegated the control activity on compliance with the measure of home isolation.

What personal data can be processed by the local police in the context of roadside checks?

The verification of the implementation of emergency measures is ensured by the Prefectures using the police department, including the local police (art. 3 and 5 l. n. 65/1986).

Local police personnel responsible for roadside checks must also ensure: restrictions on the movement of persons on the territory respected by monitoring self-declarations, the control of the detection of violations and the imposition of administrative sanctions or, in the most serious cases, the transmission of news of crime to the competent authorities.

The verifications on the veracity of the declarations – according to art. 46 and 47 of the d.p.r. 445/2000 on the ministerial model – also concern the declaration of “not to be subjected to the quarantine measure or not to have been positive to COVID-19″ and must be possible to be carried out by all police forces, the updated data kept by the competent health companies.

Due to the seriousness of the consequences that may come out for the parties concerned, the temporary nature of the isolation measures and their variability (e.g. as a result of negative buffering), these checks must necessarily be carried out in such a way as to ensure that the data are accurate and up to date. Therefore, solutions must be implemented that allow all police forces the possibility to question punctually the aforementioned lists with reference to the presence of the measure of home isolation towards the controlled subject.
There is nothing to prevent such a question being asked at each of the health facilities located on the territory or, in a coordinated manner, at an office which is a member of the Prefecture.

Which kind of personal data can be processed in the context of door to door waste collection?

If the municipalities intend to set up a door to door service for the collection of waste produced by the subjects placed in home isolation, as suggested by the Higher Institute of Health (report n. 3/2020), this service can be activated at the request of the interested parties.

This would enable the purpose of home collection to be achieved by limiting the risks associated with the circulation of lists containing data on the health of data subjects, as well as within local authorities, also among the private entities that provide municipal services, as well as those related to their failure to update.

This solution leaves to the interested parties the right to decide whether to use this service, or to continue to provide for the personal delivery of waste (through family) in compliance with the recommendations provided by the Higher Institute of Health.

Data processing by public and private employers in the context of the health emergency

May an employer take the body temperature of employees, users, suppliers, visitors and customers at the entrance of their premises?

In the current situation linked to the epidemiological emergency, a number of regulatory measures and subsequent guidance documents were adopted at a fast pace by the competent authorities in order to set out urgent measures for the containment and management of the epidemiological emergency. Accordingly, it was determined that an employer whose activities were not suspended was required to comply with the measures for the containment and management of the epidemiological emergency laid down in the MoU to combat and control the spread of COVID-19 in working environments that was adopted jointly by the Government and workers’ representatives on 14 March 2020. (1)

In particular, the said MoU envisages the taking of the body temperature of employees for access to the premises of the organisation as part of the measures to combat the spread of the virus, which also apply to users, visitors and customers as well as to suppliers – where a separate access mode has not been envisaged for the latter.

Similar security protocols applying to non-deferrable public activities or to essential public services were concluded by the Minister for Public Administration with the most representative trade unions in the public administration (such as the MoU on Preventive Measures and for the Safety of Public Employees in connection with the COVID-19 Health Emergency of 3 and 8 April 2020), on the grounds that the safety measures laid down for the private sector were deemed to be consistent with the guidance already provided by the Minister.

Since the taking of the body temperature in real time, when associated with the data subject’s identity, is an instance of processing of personal data (Article 4(1), No (2), of Regulation (EU) 2016/679), it is not permitted to record the data relating to the body temperature found; conversely, it is permitted to record the fact that the threshold set out in the law is exceeded, and recording is also permitted whenever it is necessary to document the reasons for refusing access to the workplace – in compliance with the principle of ‘data minimisation’ (Article 5(1)(c) of the Regulation).

By contrast, where the body temperature is checked in customers (for example, in large department stores) or occasional visitors, it is not, as a rule, necessary to record the information on the reason for refusing access even if the temperature is above the threshold indicated in the emergency legislation.

May an administrative body or a company require their employees to provide information, including through a self-declaration, on their possible exposure to the contagion from COVID-19 as a condition for access to the workplace?

Under the legislation on the protection of health and safety at work, the employee has a specific obligation to inform the employer of any situation of danger to health and safety at the workplace (Section 20 of Legislative Decree No 81 of 9 April 2008). In this connection, Directive No 1/2020 of the Minister for the Public Administration specifies that a civil servant and persons who work in whatever capacity in the public administration are bound to report that they come from or have been in contact with persons coming from a risk area. Within this framework, the employer may invite employees to do so, where necessary, through dedicated channels.

Among the measures to prevent and contain contagion employers are required to take based on the existing regulatory framework, there is the prohibition to access the workplace applying to those who have been in contact with COVID-19-positive individuals over the past 14 days or come from risk areas according to WHO indications. To this end, also in the light of the provisions adopted subsequently for the containment of contagion (see the MoU referred to above as concluded on 14 March 2020 between the Government and workers’ representatives), a declaration regarding the above circumstances may also be requested from third parties such as visitors and users.

In any case, only the necessary, adequate and relevant data will have to be collected in relation to the prevention of the contagion from COVID-19 without requesting additional information about the COVID-19-positive person, the specific places visited or other details relating to that person’s private sphere.

Is it possible to publish, on the official website, the contact details of the competent officials in order to enable the public to book services or visits at the given administrative body in the current epidemiological emergency?

The regulatory provisions for the containment and management of the epidemiological emergency and the operational guidelines provided by the competent bodies require that the presence of staff in the offices be limited, mainly through smart working arrangements. As regards the tasks which require attendance at the workplace, administrative bodies are to carry out activities that are strictly functional to the management of the emergency and those that are ‘non-deferrable’, also with regard to ‘external users’. Therefore, the reception of visitors or the direct provision of services to the public should take place by electronic means or in any case in such a way as to exclude or limit physical presence in the offices (e.g. via telephone or virtual assistance), or else by arranging timed accesses including by way of the booking of visits.

In compliance with data protection principles (Article 5 of Regulation (EU) 2016/679), the purpose of providing users with contact details for assistance or for reception at the offices can be pursued by publishing only the contact details of the relevant organisational units (telephone number and certified email address), and not those of the individual officials in charge. This is also in line with the publication requirements concerning the organisation of public administrations.

What processing of personal data in the workplace involves the appointed doctor?

The appointed doctor continues to be prohibited from informing the employer about the specific diseases affecting employees, including under emergency circumstances.

In the context of the emergency, the tasks related to the health surveillance of workers by the appointed doctor, including the possibility of subjecting workers to special visits on account of the increased exposure to the risk of infection, are considered to be a general preventive measure and must be discharged in compliance with data protection principles and by respecting the hygiene measures set out in the guidance by the Ministry of Health (see also the MoU of 14 March 2020) (1).

In the context of the emergency, the appointed doctor cooperates with the employer and the workers’ representatives in order to propose COVID-19 governance measures and alerts the employer to ‘situations of particular fragility and current or past medical conditions of the employees’ as part of the relevant health surveillance tasks (see paragraph 12 of the said MoU).

In compliance with the provisions in the field of health surveillance and on personal data protection, the appointed doctor notifies the employer of those specific cases where an employee’s particular condition of fragility as also related to that employee’s health makes it advisable to assign him or her to tasks in areas less exposed to the risk of infection. To that end, it is not, however, necessary to inform the employer of the specific pathology affecting that employee.

In this context, the employer may, in compliance with data protection principles (see Article 5 of Regulation (EU) 2016/679), process the employees’ personal data only if it is legally prescribed or ordered by the competent bodies or else on specific notification by the appointed doctor in the performance of his or her health surveillance tasks.

May an employer inform the workers’ representative for safety on the identity of the affected employees?

Employers may not, in the context of the adoption of protective measures and of their duties relating to the safety of workplaces, communicate the name(s) of the employee(s) infected by the virus, unless national law so permits.

Under the national legal framework, the employer has to inform the competent health authorities of the names of the personnel infected and to cooperate with them in identifying ‘close contacts’ in order to allow timely implementation of disease prevention measures.
On the other hand, such an information requirement is not provided for with regard to the workers’ representative for safety, nor do the tasks described above fall within that representative’s specific remit based on sector-specific legislation.

In the current epidemiological emergency, the workers’ representative for safety will have to continue to carry out his/her consultative, control and coordination tasks and cooperate with the appointed doctor and the employer – for example, by helping in the identification of the most appropriate prevention measures to protect workers’ health in the specific working environment; updating the risk assessment document; and verifying compliance with internal protocols.

Where the workers’ representative for safety becomes aware of information in discharging the relevant duties — which information the representative usually processes in aggregate form, e.g., the information included in the risk assessment document — , he or she complies with data protection provisions if it is possible, even indirectly, to identify certain data subjects.

May an employer disclose the identity of an employee affected by COVID-19 to other workers?

No. With a view to the protection of the health of other workers, it is for the competent health authorities to inform the ‘close contacts’ of the deceased employee in order to implement the required prevention measures.

Conversely, the employer is required to provide the competent institutions and health authorities with the necessary information so that they can carry out the tasks and duties set out also in the emergency legislation adopted in connection with the current outbreak (see paragraph 12 of the MoU mentioned above).

Data concerning health may only be disclosed, whether externally or within the organization an employee or collaborator pertains to, if this is provided for in the law or ordered by the competent authorities on the basis of statutory powers – for example: solely for the prevention of contagion from COVID-19 and upon a request by the health authority for tracing back the ‘close contacts’ of a worker who tested positive for COVID-19.

In all cases the employer must take specific measures if persons affected by COVID-19 are present within the premises of the organization, relating to the cleaning and sanitising of the premises in accordance with the instructions given by the Ministry of Health (see point 4 of the MoU mentioned above).

Data processing by schools in the context of the health emergency

Are schools required to obtain the consent of pupils/students, parents and teachers in order to implement distance learning?

No. Schools may process data, including special categories of data (1), relating to teachers, pupils/students (including minors), and parents as part of their institutional tasks and do not have to request the data subjects’ consent to the processing of such data, including in relation to distance learning as implemented following the suspension of face-to-face teaching in all schools. Moreover, consent as a rule is not an appropriate legal basis for the processing of data in the public domain and in the employment context.

Do schools have to inform data subjects about the processing of personal data in distance learning?

Yes. Schools are required to ensure the transparency of processing by informing data subjects (pupils, students, parents and teachers), in a language easily understood by minors, in particular about the types of data and the way in which they are processed, the storage periods and any other processing operations. They must also specify that the objectives pursued are limited exclusively to the provision of distance learning, on the basis of the same conditions as and with guarantees similar to those in place for traditional teaching.

May a school disclose to pupils’ families the identities of relatives of pupils who tested positive to COVID-19?

It is the responsibility of the competent health authorities to inform the close contacts of the infected individuals in order to implement the required preventive measures. A school is required to provide the competent institutions with the necessary information, so that they can trace back the chain of contacts for the infected individuals; in other respects, schools are expected to implement the sanitation measures that were recently provided for.

May schools hold meetings of teaching staff via video conference?

As a result of the suspension of face-to-face teaching activities and meetings of collegiate bodies, arrangements have been made for distance learning and smart working with regard to administrative services. For the same reasons linked to the emergency situation, and taking account of the guidance provided by the Minister for Public Administration and the Ministry of Education, any meeting within the scope of non-deferrable activities must take place by using electronic means.

The Board has already provided some guidance to schools to make informed choices about the platforms to be used, on the basis of the safeguards offered by the providers, in view of the specific risks also to teachers’ personal data.

(1) I.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, data concerning health or a person’s sex life or sexual orientation.

FAQs – Data processing in clinical trials and medical research in the context of the COVID-19 health emergency

What is the legal basis for the processing of personal data also concerning health in the field of clinical trials of medicinal products for the epidemiological emergency from COVID-19?

Sponsors and testing centres may process personal data, also concerning the health of COVID-19 patients, to carry out clinical trials of medicinal products (such as investigational clinical studies on medicinal products, phase I, II, III and IV, observational studies on medicinal products and compassionate therapeutic use programmes), insofar as they are strictly necessary to combat and study the ongoing pandemic, on the basis of the data subjects’ consent or by relying on another legal basis pursuant to Article 9 (2) of the Regulation, in accordance with Union or national law, for reasons of significant public interest, for reasons of public interest in the area of public health and for the purposes of scientific research (Article 9 (2), letters (a), (g), (i) and (j) of the Regulation).

What should be done by sponsors and testing centres if it is impossible to inform data subjects?

When, on account of particular and substantiated reasons, informing the data subjects proves impossible or involves a disproportionate effort or is likely to seriously impair the achievement of the objectives of the research, and it is therefore not possible to acquire the data subjects’ consent for the processing of their personal data, the controllers are required, where possible, to obtain such consent, after providing the appropriate information, from the persons who have legal authority over those data subjects, or from a close relative, a member of their family, a cohabitee or, in the absence thereof, the manager of the facility where the data subject is staying. This is based on an analogy with the provisions of point 4.11.2 of the requirements relating to the processing of genetic data as contained in Annex 4 to the Garante’s order laying down the requirements for the processing of special categories of data, Web Doc No 9124510.

Where, for specific and substantiated reasons, it is not possible to obtain informed consent for the processing of personal data, also from third parties, or where doing so risks seriously undermining the successful outcome of the research – e.g. when processing data relating to deceased patients or patients in intensive care units -, the data controllers intending to process personal data exclusively in connection with clinical trials and the compassionate use of medicinal products for human use with a view to the treatment and prevention of COVID-19 are not required, under the legislation relating to the current emergency situation, to submit their research project and the associated impact assessment for the prior consultation of the Garante as referred to in Section 110 of the Italian data protection Code.

Should IRCCS (i.e., hospitalization and research institutes) obtain the data subjects’ consent for the processing of personal data also concerning health within the framework of their medical research relating to COVID-19 that is funded by the Ministry of Health?

On the basis of the legislation enacted in the emergency situation, the Ministry of Health issued a call for tenders, on 1 April 2020, addressed to IRCCS regarding medical research projects aimed at better understanding the COVID-19 epidemics, contributing to more efficient clinical management of infected patients, and improving the capabilities and effectiveness of the treatments available to the National Health Service.

Personal data also concerning health may be processed by the IRCCS that are awarded the funds of the above call, in the context of research aimed at combating the pandemics, without the data subjects’ consent as they are inherent in the significant public interest functions committed, inter alia, to the entities belonging to the National Health Service. Accordingly, those IRCSS that process personal data in the context of medical research funded by the Ministry do not have to comply with the requirements laid down in Section 110 of the Italian data protection Code.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELL’ITALIA – GPDP