Opinion of the European Data Protection Supervisor on the Commission proposals for a regulation on medical devices (MD) and amending Directive 2001/83/EC, Regulation (EC)
No 178/2002 and regulation (EC) No 1223/2009 and a regulation on in vitro diagnostic medical devices (IVD).
The proposed regulations will affect the rights of individuals in relation to the processing of their personal data. Amongst other issues, they deal with the processing of sensitive data (health data), a central EU-level database which includes personal data, market surveillance and record keeping.
The EDPS sees a need for some clarifications with particular regard to sensitive data, especially in relation to processing and storage in the database.
The EDPS recommends:
· that the draft MD Regulation and IVD Regulation specify that the provisions will apply in accordance with the national rules which implement Directive 95/46/EC;
· inserting in the IVD regulation, paragraphs regarding purposes for data processing, data subject rights and data retention periods similar to the MD regulation;
· inserting a definition of the term ‘subject’ in the proposed regulations;
· unambiguously prohibiting the inclusion of all patients' health data in the clinical investigations module of the Eudamed database;
· inserting provisions in the proposed MD regulation and the proposed IVD regulation that clearly define the situations and safeguards under which information containing patient health data will be processed and stored in the Eudamed database concerning vigilance and post-market surveillance. In particular, the proposed regulation should require that a risk assessment be carried out by the Commission before the processing and storage of any patient health data in the Eudamed database;
· explicitly mentioning that periodic reports should only be using anonymous data;
· adding in both proposed regulations that before any processing of data concerning health of patients takes place, manufacturers shall obtain explicit consent from the data subject;
· inserting provisions regulating how personal data should be managed as regards surveillance by competent authorities in the proposed regulations;
· inserting a maximum retention period for personal data under the proposed regulations.
Lastly, the EDPS should be consulted in relation to any delegated or implementing act adopted pursuant to the proposed regulations which might have an impact on the processing of personal data.