What’s new for Data Privacy under Medical Device Regulation?

On 26 May 2021 the EU Medical Device Regulation (EU) 2017/745 (MDR) came into force. The new MDR calls for stricter rules, more transparency and increased availability of quality data, together with more rigorous clinical evidence for class III and implantable medical devices. It is important to know that implementing the MDR results in the need to process more personal data; it also mandates a higher level of protection for patients' personal data than before. The MDR clearly refers to the applicable data protection framework and points to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data ("GDPR"). Many device manufacturers and their vendors are not based in the EU, so how far does GDPR apply to them, and to which activities? GDPR applies to EU organizations and to non-EU organizations that offer goods and services to individuals in the EU or monitor their behaviour (including patients' health data for study or vigilance purposes). 

1. Premarket Clinical Investigations

MDR (Art 61.4) states that for implantable and class III devices, a premarket clinical investigation shall be performed. The more stringent requirements to demonstrate equivalence under the MDR will likely increase the number of premarket clinical investigations. 

A clinical investigation cannot be envisaged without processing personal data. The data processed are usually coded. However, under GDPR, coded data are still personal data insofar as they can be linked, including indirectly, to a person.  

Therefore, collecting, storing, and analyzing these data to comply with MDR requirements are processing activities. Thus, a premarket clinical investigation is a form of processing of personal data.

2. Legacy Devices Reassessment

Since there is no grandfathering, legacy medical devices will need to go through the same initial MDR conformity assessment procedure as novel devices. 

The EU MDR may require reassessment of clinical data for devices already on the market. If the data do not meet the new requirements, devices will be required to undergo additional testing to be re-certified. To avoid a potential negative impact on the healthcare industry in Europe and to provide a better understanding, the MDCG 2020-6 guidance document on sufficient clinical data for legacy devices was published. This document aims to provide guidance for manufacturers and notified bodies to prepare for the conformity assessment procedure according to the MDR. It was later complemented by further MDCG guidance (2022–2024) clarifying the clinical evidence requirements for legacy devices under the MDR.  

The reassessment (new study) and performance of additional analysis on existing data are considered data processing activities. 

To comply with this requirement, device manufacturers frequently turn to the hospitals that have used the device to acquire datasets collected in the course of standard care and not primarily for research. In the sense of GDPR, this is considered indirect data collection for use for another purpose. The fact that the data are coded does not as such release manufacturers, as data controllers, from the need to transparently inform data subjects, unless the exception of Article 14.5.b can be applied.

3. Demonstration of Equivalence through New Investigation and Use of data from similar devices

According to article 61.5 of the MDR, the equivalence route is still feasible, but it is no longer possible to demonstrate equivalence solely on a descriptive comparison of the two devices. The MDR requires manufacturers to demonstrate a sufficient level of access to the data pertaining to the proposed equivalent device. 

In cases where equivalence cannot be demonstrated under the MDR, the data from similar devices may be useful. All the clinical data, both favourable and unfavourable, must be identified. This applies to clinical data from both the existing device and the device for which equivalence can be demonstrated. If the data meet the definition of clinical data as defined in the MDR, they shall be used to evaluate whether they provide sufficient clinical evidence to confirm conformity with the relevant general safety and performance requirements (GSPR). 

These processing activities require the re-use of personal data previously collected for new purposes, and potentially by a data controller different from the first one (the manufacturer of the original device). Re-used data will not be considered personal data if they are fully anonymized, meaning that it is no longer possible to link the data to an individual, single out any individual, or infer new information from the data.

4. Post market Clinical Follow-Up Under The MDR

The MDR now includes increased scrutiny of clinical data in the postmarket setting. Depending on the risk class, a manufacturer must provide a summary of the postmarket data and an updated benefit-risk analysis coming from a partially updated clinical evaluation annually or biannually in a Periodic Safety Update Report (PSUR). For implantable devices, these PSURs shall undergo a mandatory assessment by the Notified Body that issued the EC-Certificate. 

This heightened scrutiny increases the obligations of the manufacturer to collect and process patients' health data. Moreover, the MDR now specifically includes device registries as a source of real-world data in the postmarket setting. By definition, a registry is a data collection that does not have a specific endpoint and includes all patients treated with a specific medical device or procedure.  

With the increasing demand for more long-term data from physicians and legislators in Europe, implant registries, like some national joint registries in Europe, have started collecting patient-reported outcome measures (PROMs) in addition to implant survival rates alone. Even when a medical device is covered in a registry, there could still be unanswered questions that might require an additional PMCF study. 

For manufacturers, even if they had a transition period to adapt, there remain grey zones regarding how to practically implement post-market surveillance in a way that fully complies with GDPR, as this collection and use are also types of processing of personal data. Recent MDCG guidance (2022–2024) continues to stress the alignment between PMS/PMCF obligations and GDPR compliance. 

Do GDPR requirements apply to processing of personal data mandated by Medical Device Regulation? 

Within the scope of premarket clinical investigation, reassessment of legacy data, demonstration of equivalence or post-market clinical follow-up, GDPR applies without any doubt to the EEA-based organization responsible for these assessments. 

What about the application to non-EEA organizations? From our point of view, example 25 of the EDPB guideline 3/2018 on the applicability of GDPR to the sponsor of a drug clinical trial can be fully transposed to investigations with medical devices. Indeed, the EDPB considers clinical trials and other investigations as a form of monitoring of health and therefore a form of monitoring of behaviour. Wearable and smart devices are the most obvious examples that the EDPB used to clarify the notion of monitoring of data subjects' behaviour. 

In 2022–2025, the EDPB has reiterated that clinical investigations with medical devices (including wearables and connected devices) fall under the scope of GDPR when involving EU data subjects, even if the manufacturer is located outside the EEA. 

Beyond the interpretations of Art 3 of GDPR, the MDR emphasizes the principle of confidentiality in its Art 72, stating that all clinical investigation information shall be processed, by the sponsor or investigator, in such a way that the confidentiality of records and the personal data of the subjects remain protected in accordance with the applicable law on personal data protection. Art 109 and Art 110 specify that all parties must respect the confidentiality of personal data. This statement does not restrict the application of GDPR to confidentiality alone and should be read as an emphasis on one of the GDPR principles. 

What about online shops located outside EEA?  

MDR and GDPR apply to all devices (used for diagnostic or therapeutic services) “offered by means of information society services to a natural or legal person established in the Union” as per MDR Article 6.  

This includes: 

  • Online shop 
  • Any other media for which buyer and seller are not physically present 

What if the medical device processes personal data? 

Connectivity of some medical devices over IT networks, such as cloud solutions and the use of software applications (standalone or integrated), leads to several mandatory data protection requirements intended to preserve patient confidentiality. A security breach can have a serious impact on patient integrity, either through control of the device itself or through patient data. As an organization developing medical device software or connected health devices, you should: 

  • Know the main principles of the GDPR 
  • Map and categorize the data processing of your software 
  • Manage the risks to the rights and freedom of the subject 
  • Ensure that you are GDPR compliant at each stage (development, test, production) 
  • Document your conformity 
  • Implement cybersecurity measures in line with MDR Annex I, MDCG guidance on cybersecurity (2019-16), and prepare for alignment with the EU AI Act (expected to apply gradually from 2026). 

Who can help you to face the wave? 

Some CROs have developed QA, RA and clinical operations solutions that allow the sponsor to be compliant, yet some challenges remain in terms of data protection: 

  • Understand and map the flow of the data in cooperation with all departments  
  • IT, QA, RA and ClinOps departments need to be properly trained 
  • Assess and document the risks on a data flow 
  • Be able to answer data subject access requests 
  • Recognize data breaches and notify the Data protection authority if needed 
  • Document and open CAPA for each Data Breach 
  • Perform Data Protection Impact Assessments (DPIAs) and Transfer Impact Assessments (TIAs) systematically, especially for connected devices and data transfers outside the EEA (reinforced expectation from DPAs in 2023–2025). 

To conclude, now that you understand that protecting data and complying with privacy laws are important, consider the next steps. Certainly, the risk of fines is a big concern, but even more critical is giving patients and health care providers the opportunity to exercise their rights. 

In 2025, MDR data protection obligations are closely scrutinized in combination with GDPR, cybersecurity regulations, and the upcoming EU AI Act. Manufacturers must adopt a holistic compliance approach that covers data protection, safety, transparency, and digital security. 

Here we provide a non-exhaustive list of questions to ask yourself before you start: 

  • Do I need a DPR (EU? UK?) and are they in place? 
  • Did I inform and involve my DPO? 
  • Do I know which countries are involved in order to check national requirements? 
  • Is the outcome of compatibility test positive (for re-use of data only)? 
  • What are the applicable legal bases? 
  • What are the roles of all actors (my organisation, vendors, sites)? 
  • Do I have a clear idea about potential further/other uses of data? 
  • Are all relevant notices (patients/partners/staff) GDPR compliant? 
  • Is the data flow complete, and does it indicate data transfer points? 
  • Is there a need to perform a transfer impact assessment? 
  • Is the DPIA well advanced/completed? 
  • Do I have the full list of processors/systems involved? 
  • Are processors/systems assessed? 
  • Are all contracts GDPR compliant, including transfer documentation? 
  • Are the records of processing activities completed? 
  • Are all the elements above consistent with each other? 
Powered by MyData-TRUST
