The article addresses the aspects related to data protection in the context of digital health applications.


The Federal Institute for Drugs and Medical Devices (BfArM), the German regulatory authority for healthcare products, has published a guidance document dedicated to digital health applications (DiGA).

The document highlights the key points concerning the regulatory status of software products under the existing legal framework and provides additional clarifications and recommendations that medical device manufacturers (software developers) should take into consideration in order to ensure compliance.

The authority reserves the right to amend the guidance and the recommendations it contains where such changes become necessary to reflect amendments to the underlying legislation.

The scope of the guidance covers, inter alia, the matters related to data protection. 

The BfArM plays a pivotal role in ensuring data protection standards for digital health interventions.

Collaborating with esteemed bodies such as the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Federal Office for Information Security (BSI), BfArM has formulated testing criteria for data protection requirements specific to Digital Health Applications.

These detailed criteria are publicly available on BfArM’s official website.

A significant policy change is set to take effect from August 1st, 2024.

From this date onwards, DiGA manufacturers will be obligated to demonstrate strict adherence to these data protection requirements by providing concrete evidence of their compliance.

Purpose and Scope of the Requirements

The guidance further describes the above requirements in detail.

According to the document, the core rationale behind these stringent requirements is to build an environment of trust for insured individuals who use DiGA.

Users must be assured that their personal and health data is managed with utmost care, ensuring its confidentiality, integrity, and availability at all times.

In this context, the DiGA guidelines serve as a robust framework, reinforcing and complementing the stipulations of the General Data Protection Regulation (GDPR) and other relevant national data protection laws.

Importantly, these guidelines cover the entire operational and technical ecosystem of the DiGA.

This includes all associated systems, platforms, and even third-party service providers, such as cloud computing entities.


Manufacturers and Their Obligations

Typically, a DiGA is developed by a private corporate entity. Such manufacturers, while benefiting from digital health innovation, are bound by rigorous regulations, most notably the GDPR and the Federal Data Protection Act (BDSG).

Within the BDSG, Section 22, which pertains to the processing of health data, is one of the most important provisions, together with Appendix 1 of the DiGAV.

This appendix details the specific requirements a DiGA must fulfill to be eligible for listing in the official directory.

Serving as a guideline, the appendix provides a comprehensive checklist. Comprising 40 statements, it addresses both the technical facets of DiGA implementation and the broader organizational strategies and structures of the manufacturing entity.

Key Focus Areas

In order to assist medical device manufacturers (software developers) in ensuring compliance with the aforementioned requirements, the document further highlights the most important aspects to be considered, namely:

  • Permitted Data Processing Purposes: As stated by the authority, this is a cornerstone of the DiGAV data protection paradigm.
    Section 4 paragraph 2 of the DiGAV distinctly outlines the boundaries within which consent can be solicited for processing personal and health data.
    For manufacturers, following the requirements set forth therein is vitally important.
    It entails obtaining explicit consent from individuals before initiating data processing and understanding the intricacies of data processing, especially in the context of billing and healthcare provision.
  • Permissible Data Processing Parameters: DiGA operational protocols mandate that, before any personal data is collected and subsequently processed, the individual’s informed and voluntary consent must be duly obtained. Within this broader domain, specific aspects warrant attention:
    1. Intended Use, which pertains to the data essential for the DiGA’s primary function in the healthcare context.
    2. Positive Care Effects: for DiGAs provisionally included in the directory, it is mandatory to conduct comparative studies to validate their efficacy.
    3. Performance-based Remuneration, which relates to agreements between health insurers and DiGA manufacturers under which performance indicators can influence cost reimbursement.

It is also important to mention that processing outside Germany is permitted, but with certain caveats.
While processing within the European Union is straightforward, for processing beyond the EU borders the third country must offer an equivalent level of data protection, as determined under Article 45 of the GDPR.

Future Outlook

As mentioned above, a significant milestone will take place in August 2024. From this date, manufacturers must present a certificate compliant with GDPR Article 42, issued by the Deutsche Akkreditierungsstelle GmbH (DAkkS), as evidence of their commitment to data protection standards.

The new data protection criteria effective from August 2024 reveal a multi-faceted approach, subdivided into 12 distinct subject areas.

Each segment reflects the pivotal elements of the GDPR, tailored specifically to the DiGA landscape. The areas cover topics such as the lawfulness of data processing, processing in good faith, transparency, data minimization, and many more, ensuring a holistic approach to data protection.

In conclusion, BfArM, aided by BfDI and BSI, has developed and introduced a detailed set of data protection requirements for DiGA.

These guidelines not only reflect the key principles established by the GDPR but also expand upon them, guaranteeing the highest level of data protection within digital health interventions.
