The medical devices data protection compliance: EU Regulation 745/2017, GDPR and ISO 27001

02 Jul 2024 10:09 AM By itSMF Staff

Reading time: ~ 2 min.


The data protection compliance on medical devices

In our previous post on «Software as a Medical Device», we took a look in particular at the main related ISO management standards. In this new article, we are going to consider the data protection compliance on medical devices.

The first regulation that grabs our attention is the «EU Regulation 2017/745 on Medical Devices» of the European Parliament and of the Council, of 5 April 2017, which came into force on 27 May 2017. It is also known as the «MDR».

The Regulation (EU) 2017/745:
  • amends the Directive 2001/83/EC on the Community code relating to medicinal products for human use;
  • amends the Regulation (EC) no. 178/2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety;
  • amends the Regulation (EC) no. 1223/2009 on cosmetic products;
  • repeals the Council Directive 90/385/EEC on the approximation of the laws of the Member States relating to active implantable medical devices;
  • repeals the Council Directive 93/42/EEC concerning medical devices.

In its Article 110, the regulation on medical devices establishes that medical devices that process personal data must comply with the applicable EU requirements. We must therefore take into consideration the General Data Protection Regulation (GDPR).

Medical devices and the data protection compliance according to the European GDPR

Medical device software that processes personal data must therefore comply with the requirements of the European General Data Protection Regulation (GDPR) 2016/679, and in particular with:

🔖 Article 25, on «Data protection by design and by default»;

🔖 Article 32, on «Security of processing».

Swiss companies aiming to launch Software as a Medical Device (SWas a MD) onto the EU market must manage compliance with the aforementioned GDPR articles as well as with the Swiss data protection act (LPD/DSG), in particular with:

📘 Article 7, on «Protection of personal data by design and by default»;

📘 Article 8, on «Security of Data».

These companies can take advantage of an integrated compliance model covering both regulations by adopting the most relevant ISO standard.

The ISO 27001:2022 standard for the medical devices data protection compliance integration between EU and Switzerland

The integration of medical device data protection compliance can be managed with the help of the ISO/IEC 27001:2022 standard on «Information security, cybersecurity and privacy protection – Information security management systems – Requirements».

To better grasp the «big picture», take a look at our infographic on medical device data protection compliance integration according to the ISO 27001:2022 standard.

By Andrea Leonardi (VP @ Minerva Group Service, MP @ Alpemi Consulting & itSMF Switzerland board member).
If you want to keep yourself up to date with the most recent news on this topic, don't forget to follow our social media or subscribe to our newsletter.
