Italian DPA publishes FAQs on online medical reports


On 12 October 2020, the Italian DPA (“Garante”) published frequently asked questions on handling online medical reports (“FAQs”).
In essence, the Garante highlighted the following aspects:

  • secure communication protocols (https) and strong authentication systems must be implemented;
  • medical reports shall be made available online to data subjects only for a maximum time frame of 45 days;
  • the data subject shall be given the possibility to delete the medical reports concerning him/her, either overall or selectively;
  • where the medical report is provided by e-mail, the report should be sent as an attachment to the e-mail and not as text included in the e-mail’s body. The file containing the report must be protected, for example, with a password;
  • medical reports related to genetic investigations or HIV cannot be provided via online methods;
  • the data subject must express his/her consent to the online medical report service.

The FAQs are available here (only in Italian).