EU GDPR General Data Protection Regulation - What we need to update for our QMS

Wolf.K

Involved In Discussions
#1
Hi, not really MDR stuff, but an EU regulation. Just wondering what we need to update for our QMS? In our clinical evaluation SOP we have a statement that it is not allowed for us to collect personal patient data - only the hospitals/medical doctors shall know the patients; for us they are just numbers...

Is there anything else we should consider?

(we don't use software as a medical device)

Thanks!
Wolf
 

mihzago

Trusted Information Resource
#2
Do you market anything directly to customers? Do you collect any information on your company website?
Do you record personal information when customer calls for support?
 

Paul Simpson

Trusted Information Resource
#3
> Hi, not really MDR stuff, but an EU regulation. Just wondering what we need to update for our QMS? In our clinical evaluation SOP we have a statement that it is not allowed for us to collect personal patient data - only the hospitals/medical doctors shall know the patients; for us they are just numbers...
>
> Is there anything else we should consider?
>
> (we don't use software as a medical device)
>
> Thanks!
> Wolf
Hi, Wolf. This regulation applies to any organisation holding data on EU citizens. There is a lot to it, so it is difficult to summarize here; many of the requirements relate to citizens' rights to anonymity and to be forgotten if they wish. Your system should allow for these rights.

From your post about 'your' data being anonymized it may be you are already in the clear. If you have any specifics please come back with questions.
 

pkost

Trusted Information Resource
#4
I'm not sure the data is fully anonymised. It may be worth looking into whether there are any obligations where you may not know the patient, but if you provided the complaint reference to the hospital they would be able to link it to an individual.

Additionally, depending on your products, there may be a very small subset of patients that have the specific conditions your records detail, so that for a particularly determined person this could expose the patient's identity.
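Both of pkost's points can be checked mechanically before a "numbers only" complaint log is declared anonymous. The following Python is an added example, not code from any poster or from the forum: it runs a group-size (k-anonymity style) check over a constructed pseudonymised complaint log; the field names, the sample rows and the threshold k=3 are assumptions.

```python
from collections import Counter

# Constructed sample of a manufacturer's pseudonymised complaint log.
# The hospital alone holds the table mapping "ref" to a named patient, so
# the "ref" column is a pseudonym, not anonymisation: handing it back to the
# hospital re-identifies the patient (pkost's first point).
COMPLAINT_RECORDS = [
    {"ref": "C-1001", "hospital": "H-A", "condition": "COPD", "age_band": "60-69", "sex": "F"},
    {"ref": "C-1002", "hospital": "H-A", "condition": "COPD", "age_band": "60-69", "sex": "F"},
    {"ref": "C-1003", "hospital": "H-A", "condition": "COPD", "age_band": "60-69", "sex": "F"},
    {"ref": "C-1004", "hospital": "H-B", "condition": "COPD", "age_band": "70-79", "sex": "M"},
    {"ref": "C-1005", "hospital": "H-B", "condition": "Cystic fibrosis", "age_band": "20-29", "sex": "M"},
    {"ref": "C-1006", "hospital": "H-B", "condition": "COPD", "age_band": "60-69", "sex": "F"},
    {"ref": "C-1007", "hospital": "H-B", "condition": "COPD", "age_band": "50-59", "sex": "M"},
]

# Fields that are not names but that a hospital admission list would also
# contain, so a match on all of them points at one person (assumed set).
QUASI_IDENTIFIERS = ("hospital", "condition", "age_band", "sex")


def group_sizes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def singling_out_risk(records, k=3, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return the refs whose quasi-identifier combination is shared by fewer
    than k records: these are the 'very small subset' cases from pkost's
    second point, where the clinical detail alone can expose the patient."""
    sizes = group_sizes(records, quasi_identifiers)
    return sorted(
        r["ref"] for r in records
        if sizes[tuple(r[q] for q in quasi_identifiers)] < k
    )


def generalise(records, drop=("sex", "age_band")):
    """Mitigation: drop quasi-identifiers the manufacturer does not need for
    the investigation, so more records fall into the same group."""
    return [{key: val for key, val in r.items() if key not in drop} for r in records]


if __name__ == "__main__":
    print("at risk before generalising:", singling_out_risk(COMPLAINT_RECORDS))
    coarse = generalise(COMPLAINT_RECORDS)
    print("at risk after generalising:",
          singling_out_risk(coarse, quasi_identifiers=("hospital", "condition")))
```

Dropping age band and sex protects the COPD patients at hospital H-B, but the single cystic fibrosis record stays unique however the other fields are coarsened, which is exactly the rare-condition case pkost describes.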
 
#5
> Hi, Wolf. This regulation applies to any organisation holding data on EU citizens. There is a lot to it, so it is difficult to summarize here; many of the requirements relate to citizens' rights to anonymity and to be forgotten if they wish. Your system should allow for these rights.
>
> From your post about 'your' data being anonymized it may be you are already in the clear. If you have any specifics please come back with questions.
Dear Paul,
I just began with regulatory affairs and hence the RGPD. Did you mean here that if the data is anonymized, then the RGPD doesn't apply?
To be a bit more specific, our devices are meant to collect monitoring data from patients in a hospital. If we decide that our company won't ever have access to the patients' identity through the data (leaving us with numbers only), and that only the hospital will actually be able to link a patient to its data, then how would the RGPD apply to us?
Thank you in advance for your help,
Kind regards,
Laura
 

Paul Simpson

Trusted Information Resource
#6
> Dear Paul,
> I just began with regulatory affairs and hence the RGPD. Did you mean here that if the data is anonymized, then the RGPD doesn't apply?
Hi, Laura. Sorry for the delay. I have been working away and am just catching up on email. No, the GDPR / RGPD will always apply to any data processor. My response to Wolf was that it may be that s/he would not have to make any changes to their procedure.
> To be a bit more specific, our devices are meant to collect monitoring data from patients in a hospital. If we decide that our company won't ever have access to the patients' identity through the data (leaving us with numbers only), and that only the hospital will actually be able to link a patient to its data, then how would the RGPD apply to us?
> Thank you in advance for your help,
> Kind regards,
> Laura
Although the GDPR / RGPD are both based on an EU Directive, I'd recommend you review local guidance and the letter of the regulation to make sure you have the details correct, unless there is another poster on here who can provide some local advice.

If you deal with anonymized data the scope of your responsibility will be much reduced but there are still duties to look after data and prevent it from being accessed and altered and to destroy the data if required to do so.

I hope this helps.
 

Mark Meer

Trusted Information Resource
#7
> Do you market anything directly to customers? Do you collect any information on your company website?
> Do you record personal information when customer calls for support?
Oh man, I hadn't even considered this! ...I was focused on the device/product side, and not our internal QM systems...

So, if we employ a networked (cloud-based) customer management system (where customer contact information is maintained, and customer names are tied to order and feedback records), what do we have to do? Presumably, we don't have to ask for a customer's consent to maintain their information for the purposes of shipping, returns, and complaints....or do we?

Come to think of it, wouldn't emails be under the scope too? After all, they all include names and contact information, and are "filed" on the email server...
 

mihzago

Trusted Information Resource
#9
> Oh man, I hadn't even considered this! ...I was focused on the device/product side, and not our internal QM systems...
>
> So, if we employ a networked (cloud-based) customer management system (where customer contact information is maintained, and customer names are tied to order and feedback records), what do we have to do? Presumably, we don't have to ask for a customer's consent to maintain their information for the purposes of shipping, returns, and complaints....or do we?
>
> Come to think of it, wouldn't emails be under the scope too? After all, they all include names and contact information, and are "filed" on the email server...
The GDPR has a number of principles, one of which is about lawful processing of the data. There are several means by which you can lawfully process personal information. Obtaining consent is one of them. Entering a contract, or a legitimate business purpose, are some of the others.
So, collecting personal information as part of the order fulfillment or customer support is in essence part of the contract. If you need to share some of the personal information, for example with your distributor or a third-party service center to replace or repair a device, that would probably fall under legitimate business purpose.
In both cases you don't have to obtain a separate consent.
 

Mark Meer

Trusted Information Resource
#10
> ...So, collecting personal information as part of the order fulfillment or customer support is in essence part of the contract...
I admittedly know nothing about contract law, so forgive my ignorance...but what defines a "contract"?

Consider the following:
- A person obtains my product through a local distributor (i.e. I have no hand in the initial sale, or any prior contact with this person).
- They have a support request, and choose to contact me by phone, as my manufacturer information is on the labelling.
- Is the simple act of making contact in this circumstance considered an informal/unstated "contract", and am I hence permitted to gather/store their information without explicit consent?

> Don't forget the processing of your complaints, AE reporting, ...
Presumably these fall into the "processing is necessary for compliance with a legal obligation to which the controller is subject;" (Article 6(1)(c)) category, no?
 