What’s new for Data Privacy under Medical Device Regulation?

Article

What’s new under Medical Device Regulation in terms of Data Privacy?

December 14, 2021

The regulatory wave hit the world of Medical Devices on May 26, 2021 with the application of the new MDR 2017/745 regulation. You probably didn’t have the opportunity to assess the impact of The GDPR 2016/679 on your clinical research or materiovigilance activities. This article summarize the problematics and challenges, to help you to become compliant.

On 26 May 2021 the EU Medical Device Regulation (EU) 2017/745 (MDR) came into force. The new MDR calls for stricter rules, more transparency and increased availability of quality data together with more rigorous clinical evidence for class III and implantable medical devices.

It is important to know that the MDR implementation results in the need to process more personal data; it also mandates a higher level of protection for the patient personal data than previously. MDR clearly refers to the applicable data protection framework and points to the Regulation (EU) 2016/679 on the protection of natural persons regarding the processing of personal data (“GDPR”).

Many device manufacturers and their vendors are not based in EU? So, how far GDPR would even apply and to which activities?

GDPR applies to EU organization and non-EU organization that offer goods and services to individuals in the EU or monitor their behaviour (including patient’s health data for study or vigilance purpose).

Download the full article: Click here

Specific types of processing activities mandated by MDR:

Since there is no grandfathering, legacy medical devices will need to go through the same initial MDR conformity assessment procedure as novel devices.

EU MDR may require reassessment of clinical data for devices already on the market if the data do not meet the new requirements, devices will be required to undergo additional testing to be recertified.

to avoid a potential negative impact on the healthcare industry in Europe and to provide a better understanding , the MDCG 2020-6 guidance document on sufficient clinical data for legacy devices was published. This document aims to provide guidance for manufacturers and notified bodies to prepare for the conformity assessment procedure according to the MDR

The reassessment (new study) and performance of additional analysis on existing data are considered data processing activities.

To comply with this requirement, device manufacturers frequently turn to the hospitals having used the device to acquire datasets collected in the scope of the standard case and, not primarily for research. In the sense of GDPR, this is considered as indirect data collection for the use for another purpose. The fact that data are coded does not as such release drug manufacturers, as data controllers from the need to transparently inform data subjects, unless the exception of the article 14.5.b can be applied.

According to article 61.5 of the MDR, the equivalence route is still feasible, but it is no longer possible to demonstrate equivalence solely on a descriptive comparison of the two devices. The MDR requires manufacturers to demonstrate a sufficient level of access to the data pertaining to the proposed equivalent device.

In cases where equivalence cannot be demonstrated under the MDR, the data from similar devices may be useful. All the clinical data, both favourable and unfavourable must be identified. This applies to clinical data from both the existing device and the device for which equivalence can be demonstrated. If the data meet the definition of clinical data as defined in the MDR, it shall be used to evaluate whether they are providing sufficient clinical evidence to confirm the conformity with the relevant general safety and performance requirements (GSPR).

These processing activities require the re-use of personal data previously collected for new purposes and, potentially by a data controller different from the first one (manufacturer of original device). Data re-used will not be considered as personal data if they are fully anonymized; meaning that it is not possible anymore to link the data to the individual, single out any individual nor infer new information out of the data.

The MDR now includes increased scrutiny of clinical data in the postmarket setting. Depending on the risk class, a manufacturer must provide a summary of the postmarket data and an updated benefit-risk analysis coming from a partially updated clinical evaluation annually or biannually in a Periodic Safety Update Report (PSUR). For implantable devices, these PSURs shall undergo a mandatory assessment by the Notified Body that issued the EC-Certificate. This hightened scrutiny increases the obligations of the manufacturer to collect and process patients’ health data. Moreover, the MDR now specifically includes device registries as a source for real-world data in the postmarket setting. Per definition, a registry is a data collection that does not have a specific endpoint and includes all patients treated with a specific medical device or procedure.

With the increasing demand for more long-term data from physicians and legislators in Europe, implant registries, like some national joint registries in Europe, started collecting patient-reported outcome measures (PROMs) besides the sole implant survival rates. Even when a medical device is covered in a register, there could still be unanswered questions that might require an additional PMCF study.

For manufacturers, even if they had a transition period to adapt, there remain grey zones regarding how to practically implement post-market surveillance in a way that fully complies with GDPR, as this collection and use are also types of processing of personal data.

MDR (Art 61.4) states that for implantable and class III devices, a premarket clinical investigation shall be performed. The more stringent requirements to demonstrate equivalence under the MDR,-will likely increase the number of premarket clinical investigations.

Clinical investigation cannot be envisaged without processing personal data. Data processed are usually coded. However, per GDPR, coded data are still personal data insofar they can be linked, included indirectly, to a person. Therefore collecting, storing, and analyzing these data to comply with MDR requirements are processing activities. Thus, premarket clinical investigation is a form of processing of personal data.

Do GDPR requirements apply to processing of personal data mandated by Medical Device Regulation?

Where in the scope of premarket clinical investigation, reassessment of legacy data, demonstration of equivalence or post marketing clinical follow-up, GDPR would apply to the EEA based organization responsible for these assessment without any doubt.

What about the application to non-EEA organizations? From our point of view, the example 25 of the EDPB guideline 3/2018 on the applicability of GDPR to the sponsor of the drug clinical trial can be fully transposed to the investigations with medical devices. Indeed, the EDPB considers clinical trials and other investigations as a form of monitoring of health and therefore a form of monitoring of behavior. wearable and smart devices are the most obvious examples that EDPB used to clarify the notion of monitoring of data subjects’ behaviour.

Outside the interpretations of the art 3 of GDPR, the MDR emphasizes the principle of confidentiality in its Art 72 stating that all clinical investigation information shall be processed, by the sponsor or investigator, in such a way that the confidentiality of records and the personal data of the subjects remain protected in accordance with the applicable law on personal data protection. Art 109 and Art 110 specifies that all parties must respect confidentiality of personal data. This statement does not restrict the application of GDPR to the confidentiality and should be considered as emphasis of one of GDPR principles.

What about online shops located outside EEA?
MDR and GDPR apply to all devices (used for diagnostic or therapeutic services) “offered by means of information society services to a natural or legal person established in the Union” as per MDR Article 6.

This includes:

Online shop
any other media for which buyer and seller are not physically present

To read more, download the full article: Click here

Full Article

Anne-Laurence Pirart

Data Protection Manager at MyData-TRUST

If you want to contact us

> Back to all news

Cookie	Duration	Description
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non-necessary".
CookieLawInfoConsent	1 year	The cookie is used to store the summary of the consent given for cookie usage. It does not store any personal data
wp-wpml_current_language	1 day	No description

Cookie	Duration	Description
APISID	1 years	Set by YouTube on pages with embedded YouTube video
CONSENT	20 years	To store cookie consent preferences
HSID	2 years	Set by YouTube on pages with embedded YouTube video
hustle_module_show_count-embedded-3	Session	To allow the display of a pop-up
LOGIN_INFO	2 years	Set by YouTube on pages with embedded YouTube video
PREF	2 years	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
SAPISID	2 years	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
SID	2 years	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
SIDCC	1 year	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
SSID	2 years	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
VISITOR_INFO1_LIVE	8 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_135556958_1	1 minute	Google uses this cookie to distinguish users.
_gat_gtag_UA_135556958_2	1 minute	Google uses this cookie to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Cookie	Duration	Description
hustle_module_show_count-embedded-3
inc_optin_popup_long_hidden-1

Cookie	Duration	Description
__Secure-3PAPISID	2 years	Builds a profile of website visitor interests to show relevant and personalized ads through retargeting
__Secure-3PSID	2 years	Builds a profile of website visitor interests to show relevant and personalized ads through retargeting
__Secure-3PSIDCC	1 years	Builds a profile of website visitor interests to show relevant and personalized ads through retargeting
DSID	12 days	To serve targeted advertisements that are relevant across the web
IDE	1 year	To serve targeted advertisements that are relevant across the web
RUL	1 year	Used to determine whether website advertisement has been properly displayed
YSC	session	Set by YouTube on pages with embedded YouTube video

What’s new for Data Privacy under Medical Device Regulation?