In July 2022, the Italian Data Protection Authority (DPA) issued a €45,000 fine against the US company Senseonics Inc. for breach of the GDPR. More precisely, the company, which markets a glucose monitoring system for patients suffering from diabetes, sent an information email to approximately 2,000 recipients (Italian patients) mistakenly entering them in the CC field, instead of the BCC field. As a result, it decided to report the data breach to the Italian DPA under Article 33 GDPR: this report led to the opening of an investigation and the application of a sanction. The fact itself (CC’ing recipients instead of using BCC) is not particularly noteworthy (apart from the fact that it would be interesting to know exactly how much training had been given to the employee who made the mistake). What is really interesting is the development of the investigation and the many elements emerging from it with the consequent directions of the Data Protection Authority.

The Italian Competition Law stipulates that in contracting private healthcare providers to operate within the national health service, the health authority must take into account the effective, continuous and timely supply of the electronic health records (FSE). From here to the enhancement of digital health services the leap is short. The debate on the digitisation of the Italian National Health Service (SSN) and the development of home care - processes that are strongly connected and both promoted by Mission 6 of the PNRR - seems to be centred, again, around the changes that will occur in the services provided by the public sector. Let us start from the beginning.