Draft Decree Harmonizing The Enforcement Of GDPR In Italy States Consent Will No Longer Be Needed For Processing Of Data In Healthcare


In line with the provisions of art. 9 of EU Reg. 2016/679, it seems that the patient's consent for the processing of their data for purposes of diagnosis and medical treatment will no longer be necessary.

This is what emerges from the draft of the legislative decree implementing the delegated law 163/2017 for the harmonizing of the Italian legal system with the EU Reg. 2016/679 (GDPR).

It must be acknowledged that the legislative procedure is still ongoing (the decree has yet to be approved by the parliamentary committees and by the Data Protection Authority). However, the approach of the decree seems to be quite brave, faithfully reflecting the line of thinking of the new European Regulation.

The first element that should be highlighted is the fundamental choice to repeal in full the Legislative Decree 196/2006, the so-called Privacy Code (Article 102 of the draft decree).

That is to say that after the approval of the aforementioned decree, the matter will be regulated by only two measures: the GDPR and the decree itself. Therefore as the EU Reg. 2016/679 will repeal the Directive 95/46/EEC on 25 May 2018, the new decree will repeal (if the choice is confirmed) the Legislative Decree 196/2006 (Privacy Code). This will ensure greater clarity and ease of implementation of the GDPR, which will have a revolutionary impact on culture as well.

The choices regarding the processing of health data are also moving in this direction.

With regard to the processing of special categories of data (including genetic, biometric and data concerning health), Article 9 of the GDPR provides that consent is not required for "the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional". In paragraph 4 however it allows Member States to "maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health".

Before the draft decree it was unclear if the Italian legislator intended to keep written consent mandatory for sensitive data, as is currently envisaged in the Privacy Code.

However the legislator's choice appears different.

Article 8 of the draft decree, entitled "Guarantee measures for the...

To continue reading