Send us an email:
info@mdrc-services.com

Should my medical device comply with GDPR?

In today's interconnected world, where technology intersects with healthcare, regulations intersect as well. As innovative solutions emerge to enhance patient care and treatment outcomes, regulatory frameworks evolve to ensure their safety, efficacy, and compliance with data protection standards. From medical devices integrated with digital health platforms to mobile health applications collecting health data, the convergence of technology and healthcare demands a harmonized approach to regulation.

GDPR and MDR/IVDR

The General Data Protection Regulation (GDPR) stands as a cornerstone in safeguarding personal data privacy, while the Medical Device Regulation (MDR) and the In Vitro Diagnostic Medical Device Regulation (IVDR) set forth standards for the safety and performance of medical devices. However, when a product bridges both realms, serving as a medical device while simultaneously collecting and handling personal data, the compliance obligations become intertwined. In this context, adherence to both GDPR and MDR/IVDR is imperative, ensuring not only the efficacy and safety of the medical device but also the privacy and security of sensitive personal data.

What data is covered by GDPR?

The General Data Protection Regulation applies to the processing of personal data of individuals located within the European Union regardless of their citizenship or residency status. Additionally, GDPR also applies to the processing of personal data by organizations outside the EU if they offer goods or services to individuals in the EU or monitor the behavior of individuals within the EU.

GDPR primarily applies to the processing of personal data, which is defined as any information relating to an identified or identifiable natural person. This includes not only common identifiers such as names, addresses, and identification numbers but also other factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of individuals.

In addition, GDPR applies stricter rules to certain special categories of personal data. These categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.

Additionally, GDPR imposes obligations on the processing of personal data relating to criminal convictions and offenses, known as "criminal data."

What data is not covered by GDPR?

The General Data Protection Regulation generally applies to the processing of personal data, which is defined as any information relating to an identified or identifiable natural person. Other types of data are not covered by GDPR, such as:

  • Data that has been anonymized or de-identified in such a way that it can no longer be used to identify individuals is not considered personal data and therefore falls outside the scope of GDPR.
  • Data relating to legal entities, such as companies, partnerships, or organizations, is generally not considered personal data and is not covered by GDPR. However, data related to individuals acting in their capacity as representatives or employees of such entities may be considered personal data.
  • Information that is publicly available and easily accessible to the general public through lawful means, such as public registers, official gazettes, or publicly accessible websites, is not subject to GDPR. However, if the data subject has restricted the processing of their publicly available information, GDPR may still apply.
  • GDPR does not apply to the processing of personal data for national security or law enforcement purposes. These activities are subject to separate legal frameworks established by EU member states.
  • The processing of personal data by individuals for purely personal or household activities, such as keeping address books or family photo albums, is not covered by GDPR.

What medical devices and IVDs may be subject to GDPR?

Generally, compliance with GDPR is necessary whenever personal data is involved in the operation, use, or processing of medical devices or IVDs, in order to protect individuals' privacy rights and data security.

So the simple rule to determine whether or not your device must be GDPR-compliant is: if your device collects or processes personal data of patients or users, it must be GDPR-compliant. If it does not, GDPR does not apply.

Some medical devices and in vitro diagnostic medical devices that may be required to comply with the General Data Protection Regulation include:

  • Wearable health devices that collect personal health data, including heart rate, activity levels, and sleep patterns.
  • Medical devices equipped with connectivity features, such as pacemakers, insulin pumps, and continuous glucose monitors, that transmit patient data to healthcare providers or cloud-based platforms.
  • Devices used in telemedicine or remote monitoring applications, such as telehealth platforms, remote patient monitoring systems, and video conferencing tools, which involve the processing of patient data.
  • Mobile applications or software platforms designed for health monitoring purposes, including symptom trackers, medication management apps, and chronic disease management tools.
  • In vitro diagnostic devices used for genetic testing or personalized medicine applications, such as direct-to-consumer genetic testing kits, which collect and process sensitive genetic information.
  • Laboratory equipment used for in vitro diagnostic testing, including automated analyzers, PCR machines, and next-generation sequencing platforms, which generate and process patient data.
  • Integrated healthcare information systems, electronic health records (EHRs), and hospital information systems (HIS), which store and manage patient health data across healthcare facilities.
  • Remote monitoring devices used for patient surveillance or remote patient monitoring, including cardiac monitors, pulse oximeters, and respiratory monitoring devices.
  • Implantable medical devices, such as neurostimulators, cochlear implants, and orthopedic implants, which may collect and transmit patient data for diagnostic or therapeutic purposes.
  • Point-of-care testing devices used for rapid diagnostic testing, such as blood glucose meters, pregnancy tests, and infectious disease testing kits, which process patient samples and generate test results.

These examples illustrate the diverse range of medical devices and IVDs that may collect, process, or transmit personal data, thereby necessitating compliance with GDPR requirements to ensure the protection of patient privacy and data security.
