Digital health apps are increasingly used in practice. They raise various questions under regulatory, data protection and data security law. On November 6, 2023, the German Conference of the Independent Data Protection Supervisory Authorities (Datenschutzkonferenz, DSK), a national body which brings together Germany’s federal and regional data protection authorities, issued a paper about the GDPR’s application to cloud-based digital health applications (“health apps”) that are not subject to the German Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung, the “DiGA Regulation”).

Germany was the first country in the world to offer reimbursement for digital health apps under the statutory health system. Reimbursable health apps are medical devices and must meet specific requirements set out in the DiGA Regulation and be approved by the German Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte, BfArM). The DiGA Regulation imposes specific data protection and data security requirements on health apps (in addition to safety, functionality, quality and interoperability requirements). The DSK’s paper does not discuss the specific obligations imposed by the DiGA Regulation; it addresses digital health apps that are not reimbursable under the DiGA Regulation.

*                      *                      *

In brief, the paper discusses the following topics:

  • GDPR roles are fact-specific. Determining controllership is complex. A health app manufacturer’s role as a GDPR controller, processor or neither is fact-specific and depends on whether it processes personal data and whether it decides the purposes and means of that processing. The paper also briefly acknowledges that other entities may process personal data in connection with the health app (e.g., doctors and cloud providers) and may be (separate or joint) controllers or processors, subject to a case-by-case assessment. In this context, the DSK refers to the European Data Protection Board “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”.
  • Cloud functionality should be optional. The GDPR’s principle of data protection by design and by default under Article 25(1) GDPR requires health app manufacturers to configure their health app so that it can be used without creating an account and without activating cloud functionality, unless the cloud function is absolutely necessary to achieve a therapeutic benefit and is expressly requested by the data subject. If a user decides not to activate the cloud function, the data should be stored locally on the device. The paper also states that data subjects should be informed of the potential benefits and risks of using the health app.
  • Consent is the preferred GDPR legal basis for research processing. The use of health data for research purposes, and the appropriate legal basis for it, is a perennially contested topic. The paper notes that explicit consent is usually the legal basis relied on for processing special categories of personal data for health research purposes. In this context, the paper also discusses the use of anonymized data. Anonymous data is not subject to the GDPR. On whether data qualifies as anonymized, the paper refers to Recital 26 of the GDPR. If personal data is anonymized, the anonymization process should be set out in a data protection impact assessment (“DPIA”).
  • The Medical Devices Regulation provides a legal basis for processing for quality assurance and risk management purposes. The paper states that manufacturers may rely on their legal obligation to process personal data for quality assurance and risk management purposes as required by the Medical Devices Regulation. However, manufacturers must process only as much data as they need to achieve these purposes and should implement measures to safeguard users’ privacy interests (e.g., deleting data once it is no longer needed).
  • The GDPR requires a separate legal basis for processing personal data for audience measurement and software error tracking. The paper states that this processing is generally not compatible (in the sense of Article 6(4) GDPR) with the data processing required to provide the health app. Although the paper does not say so expressly, this suggests that processing personal data for audience measurement and software error tracking requires a legal basis separate from the one relied on to provide the health app.
  • Other GDPR obligations still apply. Although it does not provide specific guidance on them, the paper is a timely reminder that the full range of GDPR obligations applies to health apps. These include obligations to (i) respond to data subject requests effectively and promptly while safeguarding data subjects’ personal data (e.g., a secure authentication mechanism for requestors), (ii) ensure an appropriate level of protection through the effective implementation of technical and organisational measures and the preparation of data protection impact assessments (“DPIAs”) (e.g., following the guidance issued by the German Federal Office for Information Security), and (iii) implement appropriate safeguards for international data transfers (in accordance with the EDPB’s recommendations).

***

Covington regularly advises international companies on cloud-based applications and digital health and will keep monitoring developments at the EU and Member State level. We are happy to assist you if you have any questions about the DSK’s paper or, more generally, digital health and the use of cloud-based products in different sectors.

(This blog post was written with the contributions of Diane Valat.)

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, cloud-services, digitalization/ industry 4.0, IT related bank regulatory matters, IT-compliance, incl. cybersecurity and data protection.

Furthermore, Lars is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law.

Dr. Dr. Adem Koyuncu

Adem is a life sciences industry advisor with more than 25 years of professional experience. He has a broad practice that cuts across regulatory, compliance, IP, privacy and liability matters. Adem also provides strategic advice. He also knows the life sciences sector from his earlier work in the pharmaceutical industry and as a medical doctor. He represents clients before courts and authorities and assists them in contract negotiations, investigations and transactions. For years, Adem has been listed in various lawyer rankings.

See some Accolades from Clients and Surveys:

  • “Adem Koyuncu is one of the most intelligent lawyers I know.” (Legal 500 2023)
  • “He is one of the most detail-oriented and client-focused partners I have ever encountered.” (Client, Chambers 2021)
  • “Great professional and human competence, good team player.” (Client/Adverse Party, JUVE 2022)
  • “I find him to be one of the most pragmatic regulatory lawyers. He was a doctor before a lawyer, has been in-house, worked on lots of stuff that I have to handle in-house, which helps when getting advice. He is really good at saying it’s a complex situation and your best option is to do this.” (Chambers 2022)
  • “He always comes through with extremely helpful advice. He brings a unique understanding and experience to his practice as both a lawyer and medical doctor.” (Chambers 2021)
  • “He is an excellent dispute resolution lawyer and advises at the highest level, including, in particular, strategic advice.” (Legal 500 2023)
  • “He is very sharp and quick, while at the same time having a good sense of humor and nerves of steel. Very pleasant to work with.” (Legal 500 2022)
  • He is described as “versatile, competent, reliable and high quality” (JUVE 2021) and “incredibly fast.” (JUVE 2018)
  • Provides advice at “an outstanding level.” (Legal 500 2015)
  • “Very strong negotiation skills.” (JUVE 2011)
  • Clients appreciate his “very broad knowledge and long-standing expertise” (JUVE 2021/22) and that “he is approachable, knowledgeable and really easy to talk to over the various issues. He is calm and has seen most problems before.” (Chambers 2020)
  • Peer lawyers described him as “highly competent” and a “very good and pleasant lawyer” (JUVE 2014) and as “the off-label-guru, substantively very good, creative.” (JUVE 2022)

Adem is the author of numerous publications (e.g., in leading books on pharma law, product liability and clinical trials) and a frequent speaker at different events.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer and a native speaker of both Portuguese and German.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate as “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional/Europe (CIPP/E) with the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU data privacy, cybersecurity and consumer law issues in various EU and rest-of-world jurisdictions.