04 July 2023


Chiara D’Elia – Stefano Tramacere 

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation “GDPR”)


The General Data Protection Regulation “GDPR” (Reg. EU n. 679/2016) is designed to harmonise personal data protection laws within the EU by shaping a modern and coherent framework for data protection that also facilitates the free movement of such data. The text is part of the multilevel and multisectoral regulatory strategy to establish rules for data access and data sharing. It applies extraterritorially.

The main objective is to foster the free circulation of data while strengthening individuals’ control over their personal information, which the Regulation does by introducing important new rights and obligations.

Starting with the adoption of the proclaimed principles of “privacy by default” and “privacy by design”, by which the necessary protection of personal data is to be built into the architecture and use of technologies, so that the legal rule permeates the technology itself, the GDPR develops a risk-based approach. This implies, for instance, that if a processing operation poses a high risk to the rights and freedoms of natural persons, data controllers must carry out an impact assessment (the so-called “DPIA”) and keep documentation of the processing activities performed.

All the innovations contained in the GDPR go along with an opportune and welcome change of perspective that can be summarised as the shift from a static vision to a dynamic one, i.e. from a dimension composed of predefined fulfilments to a logic of choosing the appropriate technical and organisational measures in relation to the specificity of the activity performed. It is an approach that seeks to mitigate risks and ensure an effective and accountable system.


  1. Identify and allocate the roles and responsibilities of the internal actors involved in processing. The criterion is the effectiveness of the activity actually performed.
  2. Premise: data sharing is crucial for the rapid acquisition of better results. This has led to the emergence of databases that provide for the exchange of information, creating a peculiar agglomeration of shared health data. In this context, it is crucial to address the problem of the transfer of special categories of personal data, especially health data, by automated mechanisms capable of expanding and improving human understanding and of innovating medical-scientific knowledge.
  3. Critical profiles are to be found in the analytical identification of individual processing operations. On the one hand, it is necessary to identify the main processing operation(s); on the other hand, there is the dilemma of managing secondary processing, i.e. the re-use of personal data.
  4. A relevant aspect to deal with is the role of the data subject’s consent to data processing (infra) and its interplay with the other legal bases established under Article 9 GDPR, especially in the case of secondary use of data.


The GDPR has facilitated the development of a risk-based approach towards data processing activities, shifting the paradigm from a proprietary perspective, which required consent for all data processing activities, to an approach based on establishing data governance and maintaining the data subjects’ control over their information.