When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within the entity and strictly for the purpose of carrying out studies and research and shall be kept in a controlled and secure environment, in accordance with security practices provided in specific regulation and that include, whenever possible, anonymisation or pseudonymization of the data, as well as taking into account the proper ethical standards related to studies and research.
§1 Disclosure of the results or of any portion of the study or the research, as mentioned in the lead sentence of this article, shall under no circumstances reveal personal data.
§2 The research entity shall be liable for the security of the information provided in the lead sentence of this article, and it is forbidden, under no circumstances, to transfer the data to a third party.
§3 Access to data as provided in this article shall be the object of regulation by the national authority and of the authorities in the area of health and sanitation, within the scope of their competences.
§4 For purposes of this article, pseudonymization is the processing by means of which data can no longer be directly or indirectly associated with an individual, except by using additional information kept separately by the controller in a controlled and secure environment.