Silvia Stefanelli

Silvia Stefanelli is a lawyer, founder and co-owner of the Studio legale Stefanelli&Stefanelli. She is an expert in healthcare law, with extensive expertise in digital health, medical devices, healthcare advertising, PA contracts, and data protection.
In 2016 she obtained the qualification of "Privacy Officer and Privacy Consultant" and in 2017 she received the certificate "Course on European Data Protection Law" issued by the Academy of European Law in Brussels.

In 2022, she joined the team of Individual Experts to implement a pool to support the EDPB (European Data Protection Board) in the groups "Technical expertise in new technology and information security" and "Legal expertise in new technologies."

She participates in several innovative projects related to the use of technology in healthcare. Examples include her collaboration with the Smith Kline Foundation on national projects in the field of Digital Therapeutics, her contribution as Team Leader in Clusit Artificial Intelligence projects, and her membership of the Scientific Committee of the Telemedicine Observatory of Altems-Unicatt.

She teaches at the Master in DPO held by the University of Roma Tre and at the Master in Healthcare at Il Sole 24 Ore Sanità. She gives courses at national level for several training institutions, including IQVIA, and collaborates with the CIRSFID Interdisciplinary Center of the University of Bologna.

Since 2005 she has been a registered publicist at the Association of Journalists of Bologna. She collaborates with several magazines, including AboutPharma, Il Sole 24 Ore Sanità and Quotidiano Sanità. She is co-author of several publications and contributions, most recently "La Privacy in sanità" (Giuffrè, 2020).

Recent Publications


Medical apps: the Data Protection Authority’s instructions for GDPR compliance

In July 2022, the Italian Data Protection Authority (DPA) issued a €45,000 fine against the US company Senseonics Inc. for breach of the GDPR. More precisely, the company, which markets a glucose monitoring system for patients suffering from diabetes, sent an information email to approximately 2,000 recipients (Italian patients), mistakenly entering them in the CC field instead of the BCC field. As a result, it decided to report the data breach to the Italian DPA under Article 33 GDPR; this report led to the opening of an investigation and the application of a sanction. The fact itself (CC'ing recipients instead of using BCC) is not particularly noteworthy (apart from the fact that it would be interesting to know exactly how much training had been given to the employee who made the mistake). What is really interesting is how the investigation developed and the many elements that emerged from it, together with the resulting directions from the Data Protection Authority.