Frequently Asked Questions on Data Obligations Under the Italian Sunshine Act

Nov 12, 2025

Author



Mauro Teresi
Counsel
Simmons & Simmons

 

Mauro Teresi is a Counsel at Simmons & Simmons in the Dispute Resolution group based in Milan. He leads the firm’s Italian Product Liability, Regulation and Compliance practice and is a key member of its cross-border group.

With over a decade of experience in product liability and regulatory matters related to a wide range of medicinal products and medical devices, Mauro supports clients in domestic and cross-border commercial litigation and arbitration, early case assessment, and alternative dispute resolution procedures.


Tracking transfers of value, knowing what must be reported, and keeping track of key exemptions are important. But mastering the details of how data is collected, reported, published, and retained is equally important for compliance with the Italian Sunshine Act (Law No. 62/2022). For compliance professionals, these obligations can feel like a maze of legal references, GDPR considerations, and technical submission rules.

To help cut through the complexity, we’ve compiled answers to the most frequently asked questions by compliance teams at life science companies on data in Italian Sunshine reporting, so you can focus on staying transparent and compliant with confidence.

Is recipient consent required for publication?

No explicit consent is required. Consent to disclose and process data is considered implicitly granted when a healthcare professional (HCP) or healthcare organization (HCO):

  • Signs a contract or agreement
  • Accepts a transfer of value (ToV)
  • Acquires stocks, shares, or bonds
  • Receives royalties from industrial or intellectual property rights

However, manufacturing companies are still obligated to provide HCPs and HCOs with a privacy notice, clearly informing them that their data will be published in the Sanità Trasparente register managed by the Ministry of Health once the Italian Sunshine Act is enacted.

How long does published data remain visible?

Published data remains accessible in the Sanità Trasparente electronic register for five years from the date of publication. After this period, it is automatically removed.

This retention window, set out in Article 5(4) of Law 62/2022, is designed to strike a balance between public transparency and GDPR’s principle of data minimization.

What specific data must be included in the reports?

Under Art. 3(4) and Art. 4 of the Italian Sunshine Act, reports must include:

  • Identification data of the recipient (HCPs): name, surname, fiscal code or VAT number, and professional registration number if applicable
  • Identification data of the recipient (HCOs): corporate name, registered office, fiscal code or VAT number, and professional registration number if applicable
  • Identification data of any intermediary (if the transfer of value is indirect)
  • Nature and purpose of the transfer, agreement, or financial interest
  • Date or reference period of the transfer/agreement
  • Economic value of the relationship (amount, market value, royalties, etc.)

The reporting company is identified directly via the Ministry’s Sanità Trasparente register, which manages submission and publication of all reports.

What types of data must be disclosed?

The Italian Sunshine Act requires disclosure of the following categories:

  • Transfers of value (in cash or in kind)
  • Contracts providing direct or indirect benefits to HCPs/HCOs, such as participation in conferences, advisory bodies, consultancy, teaching, or research activities
  • Shareholdings/ownership of bonds
  • Royalties for the granting of licenses for the economic exploitation of industrial or intellectual property rights

Can published data be corrected after submission?

Yes. According to Article 6(4) of Law 62/2022, if a report is incomplete, the company has 90 days to supply the missing information. Failure to do so within this timeframe results in the same sanctions that apply to omissions or inaccuracies. This provision balances transparency with the opportunity for correction.

Is privacy consent from HCPs/HCOs required for data publication?

No. For reportable data above the thresholds defined by Law 62/2022, Art. 3 and Art. 4, explicit consent is not required. Under Art. 5(6) of Law 62/2022, consent is considered implicit when the benefit, agreement, or financial interest is accepted, since the legal basis for processing is the statutory obligation (GDPR, Art. 6(1)(c)).

However, companies must still comply with GDPR transparency requirements. In particular, Art. 13 GDPR obliges companies to provide HCPs and HCOs with a privacy notice, informing them that their personal data will be processed and published in the Sanità Trasparente register managed by the Ministry of Health.

Important note: If a company voluntarily discloses below-threshold transfers, these fall outside the statutory obligation of Law 62/2022. In such cases, the only valid legal basis under GDPR would be explicit consent from the HCP/HCO.

Does publication of data conflict with the GDPR?

No. Data publication under the Sunshine Act is not in conflict with GDPR, as long as the safeguards established by GDPR itself are respected. The law incorrectly refers to implied consent to publication in cases where the benefit is accepted; in reality, it is a legal obligation.

Nevertheless, the safeguards provided by the GDPR remain applicable, such as the right to rectification (Art. 5, paragraph 6). They include the rights of data subjects under Regulation (EU) 2016/679:

  • Art. 15: Right of access
  • Art. 16: Right to rectification
  • Art. 17: Right to erasure
  • Art. 18: Right to restriction of processing
  • Art. 19: Obligation to notify changes
  • Art. 21: Right to object

Can one person hold both a proxy for responsibility and proxy for data upload?

Yes. One person can act as both the responsibility proxy (internal accountability) and the upload proxy (technical submission role).

  • The upload proxy must always be registered with the Chamber of Commerce; otherwise the system won’t allow data submission.
  • The responsibility proxy is not strictly required to be registered, but doing so is strongly recommended for compliance clarity and business continuity (e.g., in case the upload proxy is unavailable).

Best practice: align the two roles whenever possible, ensuring clarity of responsibility and smoother reporting.

Stay Confident With Data Compliance

The Italian Sunshine Act places strict demands on what data is collected, disclosed, and retained, but it also provides a clear framework to balance public transparency with data protection principles.

To learn about reporting under the Italian Sunshine Act, dive into our FAQs where leading legal and compliance specialists regularly address the most relevant and timely questions. If you don’t see the answer you need, simply submit your query, and our experts will get back to you with a tailored response.
