GDPR and Italian Sunshine Act: How to Balance Transparency and Data Protection

by May Khan | Sep 12, 2025

Author

May Khan
Director, Vector Health Compliance

May Khan leads the Compliance Services team at Vector Health, a SaaS company specializing in compliance for the life sciences sector. Her experience includes global transparency reporting, Sunshine Act strategy and HCP risk monitoring. At Vector she coordinates cross-functional teams dedicated to data integrity, customer service and regulatory alignment.

Vector Health Compliance
The leading partner in Italy for Sunshine Act compliance


Transparency and privacy often feel like competing priorities, especially for life sciences companies operating under the new Italian Sunshine Act. On one hand, regulators and the public demand visibility into financial relationships between industry and healthcare professionals and organizations (HCPs/HCOs) to prevent corruption and build trust. On the other hand, GDPR sets strict rules to protect personal data and safeguard individual rights. The challenge lies in navigating both without overstepping on either side of the line.

The GDPR Perspective

Paragraph 6 of Article 5 in the Italian Sunshine Act states that by entering into an agreement, accepting a transfer of value, or acquiring shares or licenses, parties automatically provide implicit consent for the processing and publication of their personal data. While this provision seeks to streamline transparency obligations, it creates tension with GDPR principles.

Under GDPR, consent must be freely given, specific, informed, and unambiguous (and explicit where required). Because publication is required by Law 62/2022, processing is based on a legal obligation under Art. 6(1)(c) GDPR, even though the Sunshine Act itself refers to “consent.” In this context, certain GDPR rights (such as the right to erasure under Art. 17) may be limited where processing is necessary to comply with that obligation, while rights under Arts. 15–19 and 21 remain available and must still be respected.

GDPR also enforces six core principles (Art. 5(1)), plus the overarching accountability principle (Art. 5(2)), all of which are highly relevant in the context of Italian Sunshine Act reporting:

  • Lawfulness, fairness, and transparency – HCPs must be informed clearly about what data will be disclosed, on what legal grounds, and for how long.
  • Purpose limitation – data collected and published must be used for Sunshine Act compliance, or for other purposes only where a valid legal basis exists and the use is compatible with the original purpose.
  • Data minimization – only publish what the Italian Sunshine Act strictly requires, avoiding unnecessary details.
  • Accuracy – data disclosed must be correct and up to date, since errors can harm HCP reputations and trigger GDPR non-compliance.
  • Storage limitation – data should be kept only as long as necessary for compliance, in line with the five-year publication rule and applicable statutes of limitations.
  • Integrity and confidentiality – personal data must be protected with strong technical and organizational measures to prevent unauthorized access or misuse.
  • Accountability – companies must be able to demonstrate compliance with GDPR principles through documentation, policies, and oversight.

Additionally, companies must respect the data retention period. While published data must remain accessible in the Sanità Trasparente registry for five years, internal systems should avoid indefinite storage. Before disclosure, data security measures must also ensure the integrity of the information being reported.


The Italian Sunshine Act Perspective

The Italian Sunshine Act enforces mandatory public disclosure of transfers of value to a centralized public telematic register, Sanità Trasparente, under the Ministry of Health. This represents a decisive step toward accountability, going beyond voluntary disclosure codes such as the EFPIA Disclosure Code. But it also introduces heightened privacy exposure: the data will be accessible not just to regulators but to the general public.

To fulfill both transparency and data protection obligations, companies must:

  • Verify that reported data is complete and accurate before submission.
  • Limit publication strictly to the categories and fields required by law.
    Note: Any reuse of the published data must comply with public-sector information rules and remain compatible with the original purposes when personal data are involved (Art. 5(5) Law 62/2022).
  • Prepare to explain to HCPs why their data must be published, emphasizing that it derives from legal obligation rather than consent.

 

Practical Steps for Life Science Companies

Legal Basis and Consent

It is important to note that under GDPR, implied consent as described in the Italian Sunshine Act is not considered valid. Article 7 GDPR, along with opinions from the European Data Protection Board (EDPB) and national Data Protection Authorities, makes clear that consent must always be explicit, unambiguous, and withdrawable. The Italian Sunshine Act, however, does not provide a mechanism for withdrawal.

For companies, the appropriate legal basis for Sunshine-Act submissions is GDPR Art. 6(1)(c) (legal obligation); for the Ministry’s publication, Art. 6(1)(e) (public interest/official authority) generally applies.

This reinforces why reliance on legal obligation rather than consent remains the more appropriate legal basis for Italian Sunshine reporting. The Italian DPA (Garante) or forthcoming implementing decrees are expected to provide clarity on this point.

 

Data Retention

Article 5(4) of the Sunshine Act specifies that published data will remain accessible on the public database for five years before deletion. For companies, this five-year public availability serves as a benchmark, but internal retention must follow GDPR’s storage-limitation principle.

Records should be kept long enough to demonstrate compliance and to defend against claims of omission or misreporting, but not retained indefinitely. Where longer retention is justified, for example to defend against corruption-related claims, it should be aligned with the applicable national statute of limitations.

 

Strengthening Compliance Controls

To align GDPR with Italian Sunshine reporting obligations, companies should:

  • Conduct data mapping and gap analysis: clearly trace all flows of transfers of value data and evaluate practices against GDPR principles of data minimization, purpose limitation, and accuracy.
  • Update privacy policies for HCPs and HCOs: ensure disclosures explain the scope and purpose of data use, as required under Article 13 GDPR.
  • Update documentation and assign responsibilities: revise Records of Processing Activities (ROPA) to reflect Italian Sunshine Act reporting and designate accountable employees to manage and transmit personal data to the Ministry of Health.

To move from theory to practice, life sciences companies should adopt a dual-compliance approach:

  1. Update privacy notices for HCPs and HCOs to explain disclosure obligations under the Sunshine Act.
  2. Map data flows across finance, medical, and compliance systems to ensure accuracy before reporting.
  3. Conduct a DPIA (Data Protection Impact Assessment) to demonstrate accountability and assess potential risks.
  4. Establish retention schedules that align GDPR requirements with Sunshine reporting timelines.
  5. Train internal teams so everyone—from compliance to IT—understands how GDPR and transparency reporting intersect.

Looking Ahead

For the registry publication under the Sunshine Act, the Ministry of Health acts as controller. Companies remain controllers for the collection, preparation, and transmission of the data they report.

The Ministerial decree that defines the registry’s technical requirements will be issued after consultation with the Italian Data Protection Authority (Garante), the Italian Digital Agency (AgID), and the National Anti-Corruption Authority (ANAC), with a focus on ensuring robust technical and organizational safeguards. It is also expected that the Garante will issue guidance on the lawful basis for processing and provide clarity around appropriate retention periods.

As the launch of the telematic register approaches, companies subject to the Act should work closely with their Data Protection Officers or legal advisors to confirm that internal processes fully align with both GDPR and Sunshine Act requirements, particularly those concerning data protection and transparency.
