This is a period of significant activity in private healthcare. Foreign investment funds are purchasing healthcare facilities in Italy, and various domestic mergers and acquisitions are under way as well.
What happens in these cases with regard to patient data?
When a healthcare facility is transferred, the patient data that originated with the initial holder pass to the acquirer (who then becomes the holder).
From the point of view of data protection legislation, the question arises whether the acquirer is obliged to take the following steps:
• send new informative material and
• obtain new consent (this being sensitive data)
As a preliminary remark, it should be noted that our legal system does not contain any specific rules regarding the processing of data in the case of acquisitions or transfers of companies or branches of business.
It is therefore necessary to reason from the general principles, analysing the measures taken on the subject by the Data Protection Authority and the recent relevant case law.
(a) with regard to the obligation of the acquirer to provide an informative note
Regarding the obligation of the buyer (new data controller) to send a new statement communicating the transfer of ownership to the interested parties (patients), the content of provision n. 664 of December 17, 2015 of the Data Protection Authority must be considered.
In this provision, which concerned the transfer of a business line between two companies, the Authority stated:
On the occurrence of the divestiture of a business branch, Art. 2558 (succession in contracts), Art. 2559 (receivables for the transferred company), Art. 2560 (debts relating to the transferred company) and Art. 2112 (protection of workers' rights in the case of transfer of company) of the Civil Code shall apply. Due to this peculiar discipline, a legal succession of the new business owner is established in all legal relationships and in all the active and passive positions held by the transferor (except in relation to contracts, relationships of a personal nature).
Hence, since the acquirer takes over the position of the transferor by law, the processing of personal data of employees, suppliers, retailers and customers […] associated with the management of the transferred business branch does not require any further consent, since the equivalent basis referred to in art. 24, paragraph 1, lett. (b) of the Code applies, which allows it to be disregarded in the event that the processing is necessary for the performance of obligations arising out of a contract to which the subject is a party.
Going then into the specifics of the obligation to make a new informative note, it is stated that:
[…] the obligation of art. 13 of the Code stands in the event that (such as the one at issue) the personal data are not collected directly from the data subject, and requires the data controller to make the information available to the data subject "at the time of recording of the data or, when their communication is planned, not beyond the first communication" (Article 13, paragraph 4 of the Code).
It therefore seems that, except in cases where sending new information would require disproportionate means (Article 13, paragraph 5 (c)), the acquirer (new controller of the data processing) is required to send new information to the interested parties (the patients of the purchased facility).
The same considerations may apply to divestments made after May 25, 2018, when the new Regulation 2016/679 will be fully effective.
Although the Regulation does not contain specific rules for the "transfer" of data due to the sale of a company, Article 14 expressly provides, in a much more detailed manner than Directive 95/46/EC and the Privacy Code, for the obligation to send an informative note in cases (such as this) in which the data was not collected directly from the data subject.
(b) with regard to the obligation of acquiring a new consent
The issue of acquiring additional consent from the data subjects by the buyer (new data controller) is much more delicate, since it involves sensitive data.
The Court of Cagliari recently ruled on this in judgment no. 1569 of 6 June 2017, which annulled measure n. 389 of October 6, 2016 of the Data Protection Authority.
This complex matter involved the purchase, by an English entity, of a bankrupt Italian company that dealt with genetic data for research purposes. In relation to this substitution, the Data Protection Authority adopted measure n. 389 of 6 October 2016, blocking the processing of the database containing genetic data on the assumption that consent to the processing of sensitive data is characterized by intuitus personae and that a new consent must therefore be obtained in the case of a change of ownership.
On the contrary, the Court of Cagliari stated in the above-mentioned judgment that consent is not related to the intuitus personae and that, if the purposes of the processing have not changed, there is no need to acquire a new consent (in fact, it appears that no explicit provision is made for this obligation). Furthermore, the Court notes that the legal position of the subjects to whom the genetic data belong is not affected, given that they may withdraw their consent to the processing of the data at any moment.
In the light of the aforementioned judgment, it is possible to say that it is not mandatory to obtain a new consent when purchasing a healthcare facility.
However, given the complexity of the matter and the different position taken on it by the Data Protection Authority, it seems appropriate to acquire a new consent at the time when the new information is sent (although not mandatory according to the Court of Cagliari) or at least to inform the patient of the right to revoke their consent to the processing of health data.