
MDR and GDPR: an inseparable marriage

posted 2 years ago

On 26th May 2021, the new Regulation (EU) 2017/745 (the so-called MDR), dealing with medical devices, came fully into effect. It constitutes a regulation of major significance for the whole sector.

Medical devices originate, from a strictly juridical point of view, with Directive 93/42/EEC. The directive’s juridical architecture established that manufacturers could commercialise medical devices only if they affixed the “CE” marking to them, which they could do only if they demonstrably fulfilled the Essential Requirements for Safety (Annex I of Directive 93/42/EEC). This had to be certified (for the majority of devices) by an accredited entity, called the Notified Body, which would release a document called the CE Certificate.

With Regulation (EU) 2017/745 the juridical architecture changed. To be placed on the market, devices still need to be granted CE marking and approval by a Notified Body, but now in relation to the new Requirements determined by the MDR.

What changed substantially, however, is that the new Requirements no longer concern “safety” alone, but also “performance” (Annex I, Essential Safety and Performance Requirements), and, moreover, the “way” in which fulfilment of the requirements must be demonstrated.

Today, indeed, medical devices, in addition to being safe, must also produce a clinical benefit for the patient and, moreover, present a benefit-risk ratio considered acceptable (Annex I). This must be demonstrated through the drafting of a specific document called a Clinical Evaluation.

And here the MDR noticeably crosses paths with the GDPR.

Art. 61, paragraph 1 of the MDR, entitled Clinical Evaluation, establishes that “Confirmation of conformity with relevant general safety and performance requirements set out in Annex I under the normal conditions of the intended use of the device, and the evaluation of the undesirable side-effects and of the acceptability of the benefit-risk ratio referred to in Sections 1 and 8 of Annex I, shall be based on clinical data providing sufficient clinical evidence, including where applicable relevant data as referred to in Annex III.”

In other words: manufacturers of medical devices are required to respect the Essential Safety and Performance Requirements and to demonstrate this through a Clinical Evaluation, which must be based on “clinical data” when drawn up. But what is meant by “clinical data”? “Clinical data” according to the MDR does not entirely correspond to “personal data” or “data concerning health” according to the GDPR. However, there is no doubt that the fullest notion of clinical data can comprise many particular cases of treatment of personal data or data related to health. Art. 2, paragraph 48 establishes that ‘clinical data’ means information concerning safety or performance that is generated from the use of a device and is sourced from the following:

— clinical investigation(s) of the device concerned,

— clinical investigation(s) or other studies reported in scientific literature, of a device for which equivalence to the device in question can be demonstrated,

— reports published in peer reviewed scientific literature on other clinical experience of either the device in question or a device for which equivalence to the device in question can be demonstrated,

— clinically relevant information coming from post-market surveillance, in particular the post-market clinical follow-up.

Leaving aside points b) and c), which do not concern us here, letter a), regarding “clinical investigations”, and letter d), regarding “clinically relevant information”, without a doubt constitute the treatment of health-related data according to the GDPR.

We will analyse the two cases separately.

Clinical investigations

A clinical investigation, according to the MDR, is “any systematic investigation involving one or more human subjects, undertaken to assess the safety or performance of a device” (Art. 2, lett. 45); its specific regulation can be found in Articles 62 to 81 and in Annex XV of the MDR. Without entering into a detailed analysis of the institution, it will be sufficient to point out that it is a “close cousin” of drug experimentation. Therefore, insofar as the treatment of data is concerned, the same problems will be encountered as in drug experimentation, particularly the well-known question of which legal basis to use.

Although art. 110 of our Privacy Code and applied practice lean, regardless, towards “consent” (Art. 9, lett. a) GDPR) as the legal basis for the treatment of data in experimentation, doubts have been raised from many perspectives about the suitability of this legal basis. On this subject, refer especially to Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)).

Furthermore, exactly as occurs for clinical experimentation, the manufacturer (or the sponsor) that promotes a clinical investigation will have to implement and manage the entire process of treatment of data, also defining the privacy methods and roles.

Clinically relevant information

The clinical evaluation can, as outlined above, also be based on clinically relevant information “coming from post-market surveillance, in particular the post-market clinical follow-up”. We refer here to two institutions of the medical device sector that, although not new in general, certainly are new in their regulation and their scope.

More precisely, post-market surveillance includes “all activities carried out by manufacturers in cooperation with other economic operators to institute and keep up to date a systematic procedure to proactively collect and review experience gained from devices they place on the market, make available on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions” (Art. 2, lett. 60), whereas Post-Market Clinical Follow-Up (PMCF) “shall be understood to be a continuous process that updates the clinical evaluation referred to in Article 61 … When conducting PMCF, the manufacturer shall proactively collect and evaluate clinical data from the use in or on humans of a device which bears the CE marking and is placed on the market” (Annex XIV, Part B, MDR).

In essence, we refer to all the information acquired on the market after the placing on the market of medical devices already bearing the CE marking, with the difference that post-market surveillance evaluates the technical and clinical performance of medical devices by collecting data principally on actual risks, while PMCF is specifically targeted at evaluating and/or confirming the clinical benefits.

In both cases these are activities that, almost always, require manufacturers to implement processes that are for the most part new within their companies. Besides being analysed for the purposes of a correct Clinical Evaluation, these processes will also have to be examined (or rather constructed) in terms of the correct treatment of the personal data they incorporate (such as those of doctors, patients, suppliers, and so on). The result is that the manufacturer will have to evaluate all aspects of the treatment of data in such processes, assessing all the profiles of privacy by design and by default under Art. 25 GDPR.

One final consideration.

Today, Class I medical devices are already placed on the market according to the MDR, because they do not benefit from any transitory period.

On the other hand, medical devices of Classes IIa, IIb and III can, under Art. 120 MDR, continue to be placed on the market by virtue of a CE Certificate issued under Directive 93/42/EEC until the expiry of said Certificate (at the latest, until May 2024). These are the so-called “legacy” devices and they remain the bulk of medical devices.

Said transitory period, however, does not alter the considerations expounded above on post-market surveillance and PMCF: indeed, these activities must already be put in place for all medical devices, including legacy medical devices (Art. 120, paragraph 3). In fact, on closer inspection, the manufacturers of legacy medical devices have an “extreme need” for clinical data, precisely because they must pass from a CE Certificate under Directive 93/42/EEC to a CE Certificate under the MDR.

Therefore, they have an extreme need to be familiar with the GDPR and to know how to correctly implement the new data collection processes, so as to reinforce their technical files and obtain the new CE Certificate that will lead them fully into the MDR world.

This bearing in mind that, pursuant to art. 2-decies of the Italian Privacy Code, “personal data treated in violation of the relevant regulation in terms of treatment of personal data cannot be used”.
