On 31 May 2022, the Italian Parliament approved Law 62/2022, also known as the Sunshine Act, which entered into force on 26 June 2022. The new rules will become fully operational once the Ministry of Health sets up the public database where companies will have to disclose their data.  In practice, this means the new transparency system will not be enforceable before 2023. 

Prior to the approval of the Sunshine Act, only member companies of trade associations, such as Farmindustria or Confindustria Dispositivi Medici, were under the obligation to disclose the transfers of value made to healthcare professionals (“HCP”) and organizations (“HCO”).  While non-member companies had no corresponding obligation, many disclosed their transfers on a voluntary basis.  Under these industry codes, companies could disclose data on transfers in an aggregate form, rather than individually, in two circumstances:  (i) when collecting individual consent would not be possible or (ii) when the transfer concerns R&D expenses.  The Sunshine Act, however, does not contain these derogations and excludes the option of only publishing aggregated data entirely. 

Companies in scope of the Sunshine Act will have to disclose their transfers of value on a dedicated online database, publicly accessible, that will be set up and managed by the Ministry of Health within 6 months following the entry into force of the Sunshine Act.  The database will be called “Sanità Trasparente” and will include data such as the professional contact details and number of affiliation of the HCPs, the contact details of the HCOs, and all the other details concerning the transfer of value.  The data stored on the database could be freely searched and sorted by the public for at least 5 years following publication. 

Within 3 months from the entry into force of the Sunshine Act, the Ministry of Health in collaboration with the Agency for Digital Italy (AgID), the National Anticorruption Authority (ANAC) and the Italian Data Protection Authority (Garante Privacy), will decide on the structure of the database, including its technical features and the procedure through which companies will disclose their data online.  The system should incorporate privacy by design and by default features.

Companies are required to disclose three distinct categories of data:

  1. Transfers of money, goods, services or other benefits made to HCPs or HCOs (“ToV”).
  2. Agreements with HCP and HCO providing them with direct or indirect benefits “consisting of participation in conferences, training events, committees, commissions, advisory bodies or scientific committees or the establishment of consulting, teaching or research relationships” (“Agreements”).
  3. The details of those HCPs and HCOs that (i) holds quotas, shares or bonds in the company (“Shares”), or (ii) received fees from the company for the economic exploitation of their intellectual property licenses (“Licenses”).

As anticipated, companies must disclose those data exclusively on an individual basis (i.e., per identified HCP/HCO).  To this end, the Sunshine Act establishes that privacy consent is considered provided at the moment when the HCP or HCO accepts the ToV or signs the Agreements or acquires the Shares or the Licenses.  This raises questions on the consistency of the provision with the GDPR, and, in particular, with the freely given nature of a consent and the right to withdraw consent.  The Sunshine Act clarifies that companies are under the obligation to inform HCPs or HCOs of the disclosure on the Ministry’s database Sanità Trasparente by providing them with a privacy notice that must clarify, at a minimum, that their data will be published. The Act also provides that the publication of the transfer of value is without prejudice to the rights of data subjects under Article 15-19 and 21 of the GDPR, which raises questions on the application of certain rights, such as the right of erasure.

* * *

The Covington team will keep monitoring the implementation of the Sunshine Act and the relevant database, and is happy to provide advice or answer any questions you may have on the topic.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.