GDPR and Clinical Investigations: Five Pointers for Medical Device Companies

This is the fourth article in this medtech law series started in December 2019 and jointly published by medtech firms De Novo Legal (Ireland) and Swiss Peak Technologies SA (Switzerland).

In this issue, the authors’ objective is to raise awareness on selected concrete data protection issues (GDPR) affecting medtech players, large and small, in the area of clinical investigations.

1. Why is patient data important to medical device companies?

Collection of individual patient data, which is oftentimes sensitive in nature, is a key function of medical device companies. This is because hidden within these masses of data may be the key to solving previously incurable or untreatable conditions or the evidence required to secure regulatory approval for devices. 

2. What personal data is covered by GDPR?

The EU General Data Protection Regulation (“GDPR”) defines personal data as: ‘any information relating to an individual whether it relates to his or her private, professional or public life.’ Data concerning health is personal data which relates to the physical or mental health of a person and which reveals information about his or her health status. Such data is afforded additional special protection as sensitive personal data under GDPR.

3. Which medtech activities may be affected by GDPR?

The medical device industry by design involves the collection and collation of personal data (and particularly sensitive health data) over and above that of other industries. Most industries need only concern themselves with data of their employees and customers; however, medical device companies also collect patient data. Some examples include:

  1. Research required for clinical evaluations and other medical research;
  2. Clinical investigations;
  3. Adverse event reporting;
  4. Post-market clinical follow up.

4. How should GDPR affect the internal processes of medtech firms? 

The delicate balance to be achieved is the protection of an individual’s right to privacy whilst simultaneously putting medtech companies in a position to operate following clear and simple steps.

Although new dilemmas constantly arise for which new solutions are needed, the industry has existing ethical and legal safeguards in place which can be utilised as a starting point to achieve and evidence compliance with data protection regulations. 

In other words, in many cases this will mostly involve reviewing and adapting existing legal documents and processes to ensure they extend to GDPR requirements.

5. Some GDPR Tips for medtech clinical investigations

Drawing on previous matters the undersigned have dealt with, the following are some areas to be mindful of, as well as some selected practical tips, when assessing the impact of GDPR on medtech activities:

·     Data and Stakeholders. Firms should take a step back and consider what health data they have access to or generate. For instance:

-      What other entities process that same data on your behalf? A clinical investigation often involves a number of stakeholders: the medical device company as sponsor, the trial site, the investigators themselves and perhaps a CRO.

-      Typically, the sponsor will act as a controller or a joint controller. But it is important to establish and factor in: who determines the nature of the processing of this data, who is a sub-processor, who is a controller/joint controller and who is a processor within your group of stakeholders?

-      Data processing agreements should be put in place where appropriate, as all entities are required to document processing operations as well as implement technical and organisational measures to ensure compliance with GDPR.

·     Geography. As a general rule, GDPR will apply if the data controller, the processor or the data subject is based in the EU. If you transfer data to processors located outside the EU (for example a CRO or laboratory), these transfers will be subject to restrictions on cross-border transfers. EU-Switzerland transfers raise specific issues to be looked into, as do EU-UK transfers post-Brexit.

·     Pseudonymisation. Although pseudonymisation (key-coding) is encouraged as a safeguard, data should ideally be encrypted, anonymised and patient identifiers removed where possible. Data which has been merely pseudonymised will still be subject to GDPR because it could potentially be attributed back to an individual.

·     Minimisation and Retention. GDPR seeks to minimise the amount of personal data stored and the length of time it is stored. In terms of retention, medtech companies should be able to point to public or scientific interests in health research when justifying how long data is retained. Patient identifiers should be removed wherever possible and the retained dataset anonymised.

·     Informed Consent. When relying on informed consent as a basis for obtaining sensitive data, the onus under GDPR is placed firmly on the controller to prove consent was valid and informed. There is some ongoing debate as to whether consent can be freely given where there is an imbalance of power between the subject and the sponsor/investigator. Also, consent laws vary from country to country. However, informed consent is not new in clinical investigations, as there are already legal and ethical safeguards in place. Therefore, it should be possible to amend existing trial protocol documentation so that the applicable medtech requirements are bolstered to address the new requirements of GDPR, so that, for example, subjects are:

-      treated fairly and transparently;

-      told what their data will be used for;

-      reminded that they can withdraw consent and how to do this;

-      notified who will process their data and how it will be stored and that they are given access to appropriate data protection and privacy policies. 
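The Pseudonymisation and Minimisation points above turn on one mechanical fact: key-coding replaces direct identifiers with a subject code, but the code list that maps codes back to patients still exists somewhere in the stakeholder group, so the coded dataset remains personal data. The following added example (written for this article, not code from either author or any real investigation; the sample records, field names and the SUBJ- code format are constructed assumptions) shows a coded dataset being produced for a sponsor, re-identified by whoever holds the key list, and then anonymised by dropping the code and coarsening the remaining quasi-identifiers:

```python
import secrets
from typing import Dict, List, Optional

# Constructed sample records for illustration only; not data from any real investigation.
SAMPLE_RECORDS: List[dict] = [
    {"name": "Anna Example", "date_of_birth": "1960-03-14", "hospital_number": "H-10021",
     "age": 64, "device_outcome": "implant stable at 12 months", "site": "Site-A"},
    {"name": "Bert Example", "date_of_birth": "1975-11-02", "hospital_number": "H-10077",
     "age": 48, "device_outcome": "lead repositioned", "site": "Site-A"},
]

# Fields that identify the subject directly and should not leave the trial site.
DIRECT_IDENTIFIERS = ("name", "date_of_birth", "hospital_number")


class KeyStore:
    """The code list linking subject codes back to identities.

    Under key-coding this table stays with the site/investigator, separate from the
    coded dataset the sponsor or CRO receives. Whoever holds it can re-identify
    subjects, which is why the coded dataset is still personal data under GDPR.
    """

    def __init__(self) -> None:
        self._links: Dict[str, dict] = {}

    def new_code(self, identifiers: dict) -> str:
        # Random, non-derivable code: it carries no information about the subject
        # (a hash of the hospital number would be guessable and so weaker).
        code = "SUBJ-" + secrets.token_hex(4).upper()
        while code in self._links:
            code = "SUBJ-" + secrets.token_hex(4).upper()
        self._links[code] = dict(identifiers)
        return code

    def reidentify(self, code: str) -> Optional[dict]:
        return self._links.get(code)

    def destroy(self) -> None:
        # Destroying the code list removes the link that key-coding preserved.
        self._links.clear()


def pseudonymise(records: List[dict], key_store: KeyStore) -> List[dict]:
    """Replace direct identifiers with a subject code held in key_store."""
    coded_records = []
    for rec in records:
        identifiers = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        coded = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        coded["subject_code"] = key_store.new_code(identifiers)
        coded_records.append(coded)
    return coded_records


def age_band(age: int) -> str:
    """Coarsen an exact age to a ten-year band to reduce its value as a quasi-identifier."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(coded_records: List[dict]) -> List[dict]:
    """Drop the subject code and coarsen quasi-identifiers.

    Whether the result is truly anonymous still depends on the remaining fields
    (site, outcome, age band) not singling anyone out; that residual risk has to
    be assessed on the actual dataset, not assumed.
    """
    anonymous = []
    for rec in coded_records:
        out = {k: v for k, v in rec.items() if k not in ("subject_code", "age")}
        if "age" in rec:
            out["age_band"] = age_band(rec["age"])
        anonymous.append(out)
    return anonymous


def can_reidentify(coded_record: dict, key_store: KeyStore) -> bool:
    """True while a code list exists that resolves this record's subject code."""
    code = coded_record.get("subject_code")
    return code is not None and key_store.reidentify(code) is not None


if __name__ == "__main__":
    site_key_store = KeyStore()
    coded = pseudonymise(SAMPLE_RECORDS, site_key_store)
    print("coded dataset sent to sponsor:", coded)
    print("re-identifiable with key list:", can_reidentify(coded[0], site_key_store))
    anonymous = anonymise(coded)
    site_key_store.destroy()
    print("anonymised dataset:", anonymous)
    print("re-identifiable after key destruction:", can_reidentify(coded[0], site_key_store))
```

The separation matters for the stakeholder mapping in the first tip: the party holding the KeyStore is handling identifiable health data and needs to be covered by the data processing agreements, even if it never sees the sponsor's analysis dataset, and the retention period justified for the key list can be shorter than the one for the anonymised results.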

Feel free to contact either of us with any questions or queries you may have on the above.

Kevin Moore is the founder of DeNovo Legal. In 2011, Kevin became the only lawyer in Ireland or the U.S. to be selected to participate in the affiliated BioInnovate Ireland and Stanford Biodesign Fellowships. He established DeNovo Legal, a bespoke practice for the life science sector, having gained a unique understanding of the I.P., compliance, ethical and funding challenges facing medical device companies. Kevin has also lectured in Medical Device Law and Regulation at NUI, Galway, a module which he created and first began teaching in 2016.

Sylvain Poitras is the founder and Managing Director of Swiss Peak Technologies SA, a firm based in Geneva that provides medtech legal traction. Sylvain has been providing medtech law advice and support in Europe and beyond for some 20 years, working with and for Big Medtech (Medtronic, Cardinal Health), SMEs and investors, including on EU-US cross-border issues. He is qualified as an attorney-at-law in the US (NY) and Canada (QC) and holds a Master of Public Health (MPH) in health-sector management from Harvard University. He has been a lecturer on European medtech law (CE-marking, innovation, contracting practices, compliance) at two leading Swiss universities (EPFL & UNINE) since 2010. Since its creation in 2016, Sylvain has been a health-sector mentor and judge with leading start-up accelerator MassChallenge Switzerland.

The information contained in this article is intended for general information purposes only and is subject to changes without notice. It does not therefore constitute legal or professional advice. Specific advice should be sought on any particular matter.