EU GDPR General Data Protection Regulation - What we need to update for our QMS

Wolf.K

Quite Involved in Discussions
Hi, not really MDR stuff, but an EU regulation. Just wondering what we need to update for our QMS? In our clinical evaluation SOP we have a statement that it is not allowed for us to collect personal patient data - only the hospitals/medical doctors shall know the patients; for us they are just numbers...

Is there anything else we should consider?

(we don't use software as a medical device)

Thanks!
Wolf
 

mihzago

Trusted Information Resource
Do you market anything directly to customers? Do you collect any information on your company website?
Do you record personal information when customer calls for support?
 

Paul Simpson

Trusted Information Resource
Hi, not really MDR stuff, but an EU regulation. Just wondering what we need to update for our QMS? In our clinical evaluation SOP we have a statement that it is not allowed for us to collect personal patient data - only the hospitals/medical doctors shall know the patients; for us they are just numbers...

Is there anything else we should consider?

(we don't use software as a medical device)

Thanks!
Wolf

Hi, Wolf. This regulation applies to any organisation holding data on EU citizens. There is a lot to it, so it is difficult to summarize here; many of the requirements relate to citizens' rights to anonymity and to be forgotten if they wish. Your system should allow for these rights.

From your post about 'your' data being anonymized it may be you are already in the clear. If you have any specifics please come back with questions.
 

pkost

Trusted Information Resource
I'm not sure the data is fully anonymised. It may be worth looking into whether there are any obligations where you may not know the patient, but if you provided the complaint reference to the hospital they would be able to link it to an individual.

Additionally, depending on your products, there may be a very small subset of patients that have the specific conditions your records detail, which for a particularly determined person could expose the patient ID.
 
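The re-identification concern raised above (a complaint reference that the hospital can map back to a person, and a condition so rare that the record itself singles someone out) is the difference between pseudonymised and anonymised data. One way to check a record set for that risk before treating it as anonymous is a k-anonymity measurement over the quasi-identifier columns. The following is an added example, not code from this thread or from any poster; the records, column names, hospital codes and the `age_band` generalisation are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: what a manufacturer might hold after the hospital has
# replaced patient identities with reference numbers. "ref" is the
# pseudonym; the remaining columns are quasi-identifiers that, combined,
# may still single out one person.
RECORDS = [
    {"ref": "C-1001", "hospital": "H1", "age": 34, "condition": "asthma"},
    {"ref": "C-1002", "hospital": "H1", "age": 37, "condition": "asthma"},
    {"ref": "C-1003", "hospital": "H1", "age": 71, "condition": "rare-metabolic"},
    {"ref": "C-1004", "hospital": "H2", "age": 52, "condition": "asthma"},
    {"ref": "C-1005", "hospital": "H2", "age": 55, "condition": "asthma"},
    {"ref": "C-1006", "hospital": "H2", "age": 58, "condition": "asthma"},
]


def age_band(age, width=10):
    """Generalise an exact age to a band such as '30-39' (hypothetical helper)."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def equivalence_classes(records, quasi_ids, generalize=None):
    """Group record refs by their (optionally generalised) quasi-identifier tuple."""
    generalize = generalize or {}
    classes = defaultdict(list)
    for r in records:
        key = tuple(generalize.get(q, lambda v: v)(r[q]) for q in quasi_ids)
        classes[key].append(r["ref"])
    return dict(classes)


def k_anonymity(records, quasi_ids, generalize=None):
    """Smallest equivalence class: each record hides among at least k others."""
    classes = equivalence_classes(records, quasi_ids, generalize)
    return min(len(refs) for refs in classes.values())


def at_risk_refs(records, quasi_ids, k, generalize=None):
    """Refs whose quasi-identifier combination occurs fewer than k times."""
    classes = equivalence_classes(records, quasi_ids, generalize)
    return sorted(ref for refs in classes.values() if len(refs) < k for ref in refs)


if __name__ == "__main__":
    qids = ["hospital", "age", "condition"]
    # Exact ages make every record unique: k = 1, nothing is anonymous.
    print("exact ages, k =", k_anonymity(RECORDS, qids))
    # Banding the age helps the common cases but the rare condition still
    # stands alone, which is exactly the "very small subset" problem.
    print("banded ages, k =", k_anonymity(RECORDS, qids, {"age": age_band}))
    print("still singled out:", at_risk_refs(RECORDS, qids, 2, {"age": age_band}))
```

The point of the measurement is that dropping the name is not the same as removing identifiability: the record that remains in a class of size 1 is still personal data in practice, and the usual remedies are to generalise or suppress the offending quasi-identifier values before sharing or retaining the set.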

lzanini

Registered
Hi, Wolf. This regulation applies to any organisation holding data on EU citizens. There is a lot to it, so it is difficult to summarize here; many of the requirements relate to citizens' rights to anonymity and to be forgotten if they wish. Your system should allow for these rights.

From your post about 'your' data being anonymized it may be you are already in the clear. If you have any specifics please come back with questions.
Dear Paul,
I just began with regulatory affairs and hence the RGPD. Did you mean here that if the data is anonymized, then the RGPD doesn't apply?
To be a bit more specific, our devices are meant to collect monitoring data from patients in a hospital. If we decide that our company won't ever have access to the patients' identity through the data (leaving us with numbers only), and that only the hospital will actually be able to link a patient to their data, then how would the RGPD apply to us?
Thank you in advance for your help,
Kind regards,
Laura
 

Paul Simpson

Trusted Information Resource
Dear Paul,
I just began with regulatory affairs and hence the RGPD. Did you mean here that if the data is anonymized, then the RGPD doesn't apply?
Hi, Laura. Sorry for the delay. I have been working away and am just catching up on email. No, the GDPR / RGPD will always apply to any data processor. My response to Wolf was that it may be that s/he would not have to make any changes to their procedure.
To be a bit more specific, our devices are meant to collect monitoring data from patients in a hospital. If we decide that our company won't ever have access to the patients' identity through the data (leaving us with numbers only), and that only the hospital will actually be able to link a patient to their data, then how would the RGPD apply to us?
Thank you in advance for your help,
Kind regards,
Laura
Although the GDPR / RGPD are both based on an EU Directive I'd recommend you review local guidance and the letter of the regulation to make sure you have the details correct. Unless there is another poster on here who can provide some local advice.

If you deal with anonymized data the scope of your responsibility will be much reduced but there are still duties to look after data and prevent it from being accessed and altered and to destroy the data if required to do so.

I hope this helps.
 

Mark Meer

Trusted Information Resource
Do you market anything directly to customers? Do you collect any information on your company website?
Do you record personal information when customer calls for support?

Oh man, I hadn't even considered this! ...I was focused on the device/product side, and not our internal QM systems...

So, if we employ a networked (cloud-based) customer management system (where customer contact information is maintained, and customer names are tied to order and feedback records), what do we have to do? Presumably, we don't have to ask for a customer's consent to maintain their information for the purposes of shipping, returns, and complaints....or do we?

Come to think of it, wouldn't emails be under the scope too? After all, they all include names and contact information, and are "filed" on the email server...
 

mihzago

Trusted Information Resource
Oh man, I hadn't even considered this! ...I was focused on the device/product side, and not our internal QM systems...

So, if we employ a networked (cloud-based) customer management system (where customer contact information is maintained, and customer names are tied to order and feedback records), what do we have to do? Presumably, we don't have to ask for a customer's consent to maintain their information for the purposes of shipping, returns, and complaints....or do we?

Come to think of it, wouldn't emails be under the scope too? After all, they all include names and contact information, and are "filed" on the email server...

The GDPR has a number of principles, one of which is about lawful processing of the data. There are several means by which you can lawfully process personal information. Obtaining consent is one of them. Entering a contract, or legitimate business purpose, are some of the others.
So, collecting personal information as part of order fulfillment or customer support is in essence part of the contract. If you need to share some of the personal information, for example with your distributor or a third-party service center to replace or repair a device, that would probably fall under legitimate business purpose.
In both cases you don't have to obtain a separate consent.
 

Mark Meer

Trusted Information Resource
...So, collecting personal information as part of the order fulfillment or customer support is in essence part of the contract...

I admittedly know nothing about contract law, so forgive my ignorance...but what defines a "contract"?

Consider the following:
- A person obtains my product through a local distributor (i.e. I have no hand in the initial sale, or any prior contact with this person).
- They have a support request, and choose to contact me by phone, as my manufacturer information is on the labelling.
- Is the simple act of making contact in this circumstance considered an informal/unstated "contract", and am I hence permitted to gather/store their information without explicit consent?

Don't forget the processing of your complaints, AE reporting, ...
Presumably these fall into the "processing is necessary for compliance with a legal obligation to which the controller is subject;" (Article 6(1)(c)) category, no?
 