Italy: Privacy guarantor - Compendium on the processing of personal data performed through platforms linking patients and health professionals

May 2024
23 May 2024    1 minute read
Sectors Healthcare & Life Sciences

In brief

In March 2024, the Privacy Guarantor published a Compendium on the processing of personal health data through web- and app-accessible platforms that facilitate the connection of patients with healthcare professionals.

Contents

Key takeaways 

The Compendium is addressed to platform owners and aims to identify what their primary obligations are as Controllers and in compliance with the principles of accountability and data protection, so that these activities are conducted in accordance with the data protection regulations.

As such, the Compendium divides health data into two categories: data regarding a health service or health professional's decision, and data arising from a patient's interaction with a health professional. For the first type, the data subject's explicit consent is the legal basis of data processing, and the platform that provides the user with the booking service qualifies as the Controller; conversely, the second type refers to data for which no consent is required, as it falls under the scope of Article 9 para. 2 (h) and para. 3 of EU Regulation 2016/679 ("GDPR"), which provides justification for the processing of health data for treatment purposes if performed by health professionals who are subject to professional confidentiality.

In terms of security, however, the Guarantor recalls Controllers' need to comply with the principle of so-called "privacy by design," i.e., data protection starting from the design of a service, product or process, and to implement a series of measures that are appropriate to ensure effective and efficient protection, such as: encryption, verification of professional title by a healthcare professional, verification of users' contact information, and multi-factor authentication.

Contact Information
Roberto Cursano
Partner
Rome
Read my Bio
roberto.cursano@bakermckenzie.com

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.