With regulations such as GDPR and the Right to Be Forgotten frequently in the news, data privacy has become a hot-button issue over the past few years. Medical device companies operating within the European Union are subject to additional regulations through the Medical Device Regulation (MDR), which further outlines requirements for data privacy as it relates to the production and distribution of medical devices.
If you are a manufacturer, distributor, importer, or other entity involved with medical devices, here’s a brief overview of the data privacy provisions involved in MDR and what your organization can do to ensure compliance.
What is MDR?
The EU Medical Device Regulation (MDR) went into effect on May 25, 2017 with the intention of improving the safety and quality of medical devices. MDR is also intended to foster more transparency and better communication in the medical device production process. The regulation includes requirements for labeling medical devices appropriately, creating unique device identifiers (UDIs), registering device information in the central Eudamed database, and taking “necessary corrective action” for nonconforming devices that are currently on the market. Although MDR was passed in 2017, it will not take full effect until 2020.
What type of data is collected under MDR?
With the new MDR scope expanding the definition of medical devices, mandating additional post-market follow-up from economic operators such as manufacturers and distributors, and requiring data entry into the Eudamed database, the amount of data being collected and used in medical device manufacture and distribution has increased. Collected data includes technical documentation for each device, information collected from clinical trials, patient data arising from consumer complaints or clinical investigations, and more.
What are the data privacy provisions under MDR?
Chapter IX, Articles 109 and 110 of MDR outline data privacy and data protection provisions. Article 109 is a confidentiality clause which states that all parties subject to MDR (mostly medical device manufacturers, importers, distributors, and authorized representatives) must “respect the confidentiality of information and data obtained in carrying out their tasks,” including personal data, trade secrets, and intellectual property rights.
MDR further states that “information exchanged on a confidential basis between competent authorities and the [European] Commission shall not be disclosed without the prior agreement of the originating authority.” This means that confidential information cannot be shared more widely without the express permission of the patient, healthcare provider, or other relevant party who “owns” the data. The exception is where the data is required for criminal law proceedings. In addition, MDR allows the European Commission and Member States to exchange confidential data with regulatory authorities of “third countries” (those outside the EU) with which they have bilateral or multilateral confidentiality arrangements in place.
Moreover, MDR draws upon other EU regulations for compliance in data privacy and protection. Article 110 of MDR specifies that Directive 95/46/EC, a predecessor to GDPR and a fundamental component of EU privacy law, must be followed in the processing of personal data. The Commission must also adhere to Regulation (EC) No 45/2001, which is specific to “Community institutions and bodies,” when processing personal data.
Not sure if your organization is on the right track?
Ensuring compliance with all of these regulations can be complicated, which is why having a trusted partner is essential to getting it right. If you are still finalizing compliance with MDR, or you want to learn more about how other EU regulations affect MDR, browse our ebook, What You Need to Know About the EU’s New Medical Device Regulation: MDR and IVDR, for more information, or reach out to a ULG specialist today.