Annex 2
General information on the retrospective post-marketing safety study of Drugs, so-called pass, regarding the off-label use of Misoprostol (alone or in combination with Diclofenac)
The Hospital Presidio Ospedaliero Frosinone, UOC Obstetrics and Gynecology (“Center”) participates in the retrospective study on the post-authorization safety of the marketing of drugs, so-called PASS (Post Authorization Safety Study) (hereinafter the “Study”) involving subjects who have gone to the gynecological emergency room and/or the Emergency Department of the Center following complications resulting from the use, outside the conditions authorized by the bodies prepared for pathology, population or posology (off-label), of misoprostol (alone or in combination with diclofenac). The Study requested by the Italian Medicines Agency (“AIFA”) will collect information on how many patients in the 2017-2019 period went to the Centre.
The aim is to obtain further information to improve knowledge of the off-label use of the drug misoprostol (alone or in combination with diclofenac). The Study is defined as “non-interventional” because it is limited only to collecting information on patients and is “retrospective” as it will be limited to collecting information regarding the complications that occurred following off-label use in the obstetric-gynecological field in the period indicated above. No further information will be collected.
There are no physical risks or possible discomforts associated with participating in the Study.
Below is the information on the processing of personal data addressed to the patients enrolled in the Study.
Information on the Processing of Personal Data pursuant to Article 14 of Regulation (EU) 2016/679
The information is prepared in compliance with the provisions of Article 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, as well as on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“Regulation” or “ GDPR”), in order to provide the subjects involved in the Study (the “Data Subjects”) with information relating to the processing of personal data, in particular those belonging to the particular categories of data indicated in Article 9 of the Regulation (such as, for example, health data).
The processing is necessary for the conduct of the Study carried out with the data of the Data Subjects previously collected and present in the medical records of hospital emergency rooms and/or emergency departments (“Emergency Departments”) and to observe, within the totality of hospital accesses for complications due to the off-label use of the drug misoprostol in a period of time between 2017-2019 and any further complications.
In line with the provisions of current legislation and the provisions of the protocol governing the conduct of the Study (the “Protocol”), personal data, including special categories of data, will be processed in accordance with the principles established by Article 5 of the GDPR (lawfulness, correctness, transparency, adequacy, relevance, accuracy, minimisation of processing, limitation of storage, etc.).
Data Controllers
As part of the activities of the Firm, Pfizer Inc., a company incorporated under the laws of the State of Delaware and with registered office in New York City, 235 East 42nd Street, United States of America and Pfizer S.r.l., with registered office in Latina, Via Isonzo n. 71 and administrative headquarters in Rome, Via Valbondione n. 113 are joint data controllers (hereinafter jointly “Pfizer” or the “Data Controllers”).
Pfizer Inc. has appointed, as its representative, the company Pfizer S.r.l., which can be contacted at the aforementioned addresses and/or at the following email address: gdpritaly@pfizer.com.
Pfizer has appointed a Data Protection Officer (“DPO ”) who can be contacted at the following email address: privacy.officer@pfizer.com.
The hospital centres involved in the Study are identified as autonomous data controllers with reference to the treatment activities carried out by them.
Type of personal data processed and purposes of processing
The Study will provide for the collection of information on the health status and the therapy that the Data Subject has taken before going to the Emergency Departments. The following data will be collected from the records or medical records of the reference hospital facility: demographic information (for example, age, gender, other), information on the state of health upon admission to the hospital, information relating to the treatment taken.
In particular, the following will be processed:
- information that directly identifies the Data Subject such as name and date of birth;
- sensitive personal information such as medical history, demographic data (e.g., age and gender), and other sensitive information necessary for the Study such as diagnosis and treatment.
For the conduct of the Study, the data will be processed in pseudonymised form. Pseudonymisation is a technique that involves processing personal data in such a way that it can no longer be attributed to a specific Data Subject without the use of additional information.
The Emergency Departments participating in the Study are responsible for identifying the Data Subjects and recording the data in the files.
The results of the analysis will then be reported in aggregate form.
The personal information of Data Subjects may be used for the following purposes:
- Conduct the Study, including: assessing the extent of off-label use and consequent complications;
- Comply with legal and regulatory duties, including: ensuring that the Study is conducted in accordance with Good Clinical Practice; fulfilling requests for disclosure of information received from the independent Ethics Committee (s) or governmental or regulatory authorities; and sharing Study data with other investigators not affiliated with the sponsor or Study staff (including through publication on the Internet or otherwise). However, information that could identify Data Subjects directly will not be made available to other researchers);
- Publish summaries of the results of the Study in medical journals, on the Internet or during training meetings with other researchers. Data Subjects will not be identified or identifiable (directly or indirectly) in any publication or report on the Study.
Legal basis for processing
In light of article 110 of Legislative Decree no. 196 of 30 June 2003, containing the “Code regarding the protection of personal data” (“Privacy Code”), in order to be able to process the health data contained in the medical records of the Data Subjects who have gone to the Emergency Departments that have decided to join the Study, the Data Controllers have previously acquired the reasoned favourable opinion of the competent ethical committees at the territorial level and, attaching this documentation, have submitted to the prior consultation of the Guarantor for the protection of personal data, pursuant to art. 36 of the Regulation, the impact assessment on data protection.
In addition, it should be noted that the Study was requested by AIFA.
Data recipients and data retention period
The data of the Data Subjects involved in the Study will only be processed by the medical personnel in charge and by personnel in charge of verifying the correctness of the data used in the Study.
The Data Controllers have appointed a data processor, CROS NT S.r.l. (“Data Processor”). The same will only carry out the processing operations necessary for the performance of the Study, following the written instructions given by the Data Controllers and under the supervision of the same.
The data may be disclosed to public entities entitled to request the data, such as the judicial and/or public security authorities, if this is necessary to comply with obligations prescribed by current legislation.
The expected date for the start of the Study is April 2022, the expected date for the end is December 2022. The Study, therefore, will have a duration of six months from its inception.
The pseudonymised data will be kept by Pfizer S.r.l. for a further 15 years from the termination or interruption of the Study, as required by the applicable legislation on clinical trials, after which they will be definitively anonymised.
The Data Controllers have adopted adequate security measures also with reference to the conservation of the documentation relating to the Study. In particular, as specified in the Protocol, to allow assessments and/or inspections/controls by public authorities, Pfizer S.r.l. will keep all documentation relating to the Study, according to the applicable regulations on the protection of personal data or as specified in the research agreement, in a secure manner, as required by current legislation.
All personal information collected during the Study will also be kept by the staff of the hospital centers participating in the Study.
Personal information may be accessed by:
- the doctor in charge of the Study and other staff members of the hospital centers participating in the Study;
- the Data Controllers and the Manager and the personnel appointed by them;
- natural persons or organizations that provide services for or collaborate with the Data Controllers;
- any organization that obtains in whole or in part the activities or rights of the sponsor in the study product;
- any public or regulatory authorities (including those in other countries);
- the independent Ethics Committee (“EC”) that supervises and/or has approved the Study. The individuals and groups listed above will use Data Subjects’ personal information to conduct the Study and to comply with legal or regulatory requirements, including:
- determine the suitability of the interested parties for the Study;
- verify that the Study is conducted correctly and that the Study data are accurate;
- answer the questions of the EC (s), or of public or regulatory authorities;
- contact Data Subjects during and after the Study (if necessary);
- respond to data protection requests from Data Subjects (where present).
Transfer of data to a third country
The results of the Study will be transferred in aggregate form to the United States of America, where Pfizer Inc is based. It is represented that only the final report of the Study will be transmitted to the latter company and that it will contain the total number of patients who reported having taken off-label misoprostol and any complications associated with the intake, such as number and type (for example, bleeding or shock) and the total number of accesses to the emergency room of the hospital centers involved in the Study, collected over the reference period, for abortion events. There will be no transfer of personal data.
Rights OF the data subjects
The Data Subject may exercise, in relation to the processing of the data described therein and compatible with the processing needs indicated in this policy in relation to the conduct of the Study, where applicable, the right of access, rectification, cancellation (when the personal data are no longer necessary with respect to the purposes for which they were collected and to the other purposes provided for by law), limitation of processing and opposition to processing. Furthermore, with reference to the processing of personal data, the Data Subject has the right to lodge a complaint with the competent Supervisory Authority.
To ensure the integrity of the Study, it will not be possible to review some data until the Study is completed.
Some or all of the Data Subjects’ personal information may be retained and used where deletion would seriously compromise the Study (for example, where deletion would affect the consistency of the Study results) or the Data Subjects’ personal information is necessary to meet legal requirements, for the retention period set out above. At the end of the indicated storage period, the data in pseudonymised form will be made completely anonymous. Data Subjects may exercise the rights described above or request further information by contacting the Data Controllers at the following email addresses gdpritaly@pfizer.com and privacy.officer@pfizer.com or by contacting the Centre at the addresses indicated in the information on the processing of personal data provided by the same.