Sebastiaan van der Storm

1 Apps in healthcare and medical research; European legislation and practical tips every healthcare provider should know

PART IB: ENFORCEMENT

Enforcement of the GDPR

The GDPR provides rules that have been directly applicable in all Member States since 25 May 2018. Under the previous Data Protection Directive (DPD), each EU Member State had to transpose the directive into national law, which led to differences in how these laws were enforced (Art. 4, DPD).9 Enforcement of the GDPR is coordinated by the European Data Protection Board (EDPB), which consists of the Data Protection Authorities (DPAs) of all Member States together with the European Data Protection Supervisor (EDPS). The EDPS is appointed by a joint decision of the European Parliament and the Council for a five-year term; the current term started on 6 December 2019.17 Under the GDPR, the national DPAs can take binding decisions, including the imposition of administrative fines (Art. 83 and 84 GDPR). The national DPAs handle notifications of data breaches and can mediate in disputes between controllers and processors, but they can also start investigations on their own initiative.10

Enforcement of the MDR

The Notified Bodies (NBs) and the Competent Authorities (CAs) designated by the European Commission are entrusted with the enforcement of the MDR. One of the main themes of the MDR is strengthened post-market surveillance: the manufacturer must keep meeting the requirements during the entire lifecycle of the product, not only at the moment of CE-marking. NBs and CAs can perform unannounced audits to enforce the MDR (Chapter 7, Art. 80, 90). In many cases annual performance and safety reporting will be mandatory.15 Note that only manufacturers of medical devices of risk class IIa and higher are audited by an NB; most Class I devices are self-certified by the manufacturer. NBs may design their own audit processes, but they are required to follow the ISO 17021 standard when auditing for the MDR. Most NBs will audit the manufacturer's quality management system (QMS) against ISO 13485 and ISO 14971, while organising their own audit process according to ISO 17021 (see Table 2).18,19 These standards have no legal force on their own, but they give practical guidance on how to implement the MDR. To keep track of all medical devices on the market and to improve coordination between Member States, every medical device must carry a Unique Device Identifier (UDI) and be registered in the European database on medical devices (EUDAMED).20 Wrongly applying CE-marking, failing to apply it where it is required, or not complying with the post-market surveillance requirements are all grounds for penalties. The most common reasons for failing an audit are: an incomplete search strategy, an incomplete audit trail, the use of ad hoc processes, questionable data integrity and non-transparent documentation. The NB usually gives the manufacturer the opportunity to revise its documentation and schedules a follow-up visit, sometimes several. When the standards are still not met after the re-audit, the manufacturer can be fined and ultimately the NB can decide
