The compliance with the GDPR produced amendments to the Italian Data Protection Code, also with reference to healthcare rules.
Article 75 of the Italian Data Protection Code now states that consent for the processing of data for diagnosis and treatment purposes is no longer required.
Indeed, data processing must now comply with the articles of the GDPR.
Article 9 of the GDPR generally provides that the data processing is prohibited except in the listed cases, such as processing for purposes of health treatment, diagnosis, healthcare and other medicine related activities.
The Italian Data Protection Code, therefore, has been adjusted by providing a simplified procedure regarding the mandatory information to be provided to the data subject. The doctor has only to inform the patient about the processing of personal data in a clear and precise form, whether it is a public or private medical facility.
Therefore, it will not be necessary anymore to obtain the explicit consent of the data subject. The Italian Data Protection Authority has recently clarified that the treatments for diagnosis and recovery purposes are carried out by health professionals, who are in any case subject to the obligation to keep confidentiality; hence, the GDPR adjustment in terms of simplification appear logical and adequate.
Furthermore, the Authority warns that the treatments that do not require consent are only those qualified as necessary and essential to the pursuit of specific medical actions; hence, all ancillary treatments related to the medication and not strictly necessary will always require the explicit consent of the data subject.