The spread of Patient Support Programs (PSP) has challenged the proper allocation of privacy-related roles and responsibilities among the pharma company, the PSP provider and the health facility.
To grasp the correct framework of privacy governance, the EDPB Guidelines n. 07/2020 on the concepts of Controller and Processor in the GDPR suggests to not consider only qualifications contractually issued by parties; rather, it is necessary to conduct a “factual assessment”. Practitioners are called upon to carefully analyze the actual functions performed, the nature of services and the purposes of data processing to verify who really determines purposes and means of processing related to the implementation of the PSPs.
In this paper, we try to carry out the substantial and factual survey to both the relationship between pharma and PSP provider, on the one hand, and between PSP provider and healthcare facility, on the other.