18 November 2020
Data protection requirements
Limitations of legal basis
Limitations on location of processing
No transfer of personal data to United States
Information security management system
Additional requirements for high-security needs
BSI: technical guideline for digital health apps
The legislature recently acknowledged that digital innovation plays an important role in the health sector. The Digital Healthcare Act (DVG), which came into force on 19 December 2019, established numerous essential measures to facilitate the inclusion of digital innovation in standard care under the German statutory social health insurance system. Almost 90% of insured persons in Germany are members of this system.
One of the most important innovations that the DVG introduced is insured persons' entitlement to medical devices based on software and other digital technologies with a medical purpose (digital health apps) under Section 33a of the Social Security Code, Book V (SGB V). In other words, digital health apps – as opposed to mere lifestyle or wellness apps, which provide no medical purpose under the meaning of medical devices law – are reimbursable by social health security insurers if certain requirements are met.
The prerequisite for the reimbursability of digital health apps is that the Federal Institute for Medicinal Products and Medical Devices (BfArM) – as the competent authority – has included the digital health app on a specific list regarding reimbursable digital health apps (DiGA-Verzeichnis), according to Section 139e of the SGB V. The details for such inclusion are set out in the Ordinance on the procedure and requirements for the assessment of digital health apps (DiGAV), which came into force on 21 April 2020.
Besides regulatory requirements (eg, compliance with the EU Medical Device Directive (93/42/EEC) and, from 26 May 2021, the EU Medical Device Regulation (2017/745)) and proof of a positive healthcare effect (ie, a medical benefit for the patient or a patient-relevant structural or process improvement), the DiGAV requires digital health app manufacturers to comply with strict data protection and data security requirements (Section 4). To prove compliance with the latter, the DiGAV includes a comprehensive checklist of data protection and IT security requirements, which must be completed by the manufacturer and submitted to the BfArM for approval.
On 21 July 2020 the BfArM released an updated version (Version 2.1) of its guidance on the DiGAV and Section 139e of the SGB V (the guidance), taking into account, in particular, the European Court of Justice (ECJ) decision on the transfer of personal data to the United States (Schrems II).
Digital health apps must comply with statutory data protection rules (Section 4(1) of the DiGAV), namely:
In general, digital health apps may process personal data only based on a user's consent, as required for the processing of special categories of personal data under Article 9(2) of the GDPR (Section 4(2) of the DiGAV). The guidance further clarifies that such (free, informed and express) consent must be obtained at the beginning of the use of a digital health app and prior to the collection and processing of personal data. Consent may be obtained solely for the following purposes:
In both of the latter cases, the BfArM stresses the GDPR's data minimisation principle.
As a result of these limitations, providing consent for other purposes (eg, to use personal data as a payment to unlock specific additional functions) is not permissible. Further, the DiGAV expressly excludes any processing of personal data for marketing purposes (Section 4(4)(1) of the DiGAV).
As far as processing is based on statutory law, the BfArM clarifies that such processing may be permitted not only by the DiGAV but also by other laws. This applies in particular where processing concerns invoicing with health insurance funds or compliance with obligations under medical device regulations.
In deviation from the GDPR, and similar to the rules that apply to health insurance policies, the DiGAV restricts the location of data processing to:
The BfArM clarifies that the processing of personal data outside the European Union on the basis of Article 46 (standard contractual clauses) or Article 47 (binding corporate rules) of the GDPR is not permitted. According to the BfArM, both of these measures provide insufficient security for data processed by digital health apps.
In its prior versions, the guidance stated that data transfer to the United States was permissible insofar as the respective US data importer was certified for processing non-HR data under the EU-US Privacy Shield. The updated version takes Schrems II into account. The ECJ decided that the EU-US Privacy Shield does not provide an appropriate level of data protection for transferring personal data to the United States. Accordingly, the guidance now states that the "processing of personal data in the USA is therefore no longer permitted on the basis of the EU-US Privacy Shield". In the English version of the guidance, the BfArM expressly states that the "processing of health data in the USA is therefore not permissible for a digital health app".
Digital health apps must comply with the legal requirements for data security according to the state of the art, taking into account the type of data processed (Section 4(1) of the DiGAV). The BfArM points out that IT security requirements relate to the protection of the confidentiality, integrity and availability of all data processed by the digital health app. It differentiates between basic requirements, which apply to all digital health apps, and additional requirements for digital health apps with particularly high security needs. In general, all requirements are based on the relevant publications and recommendations of the Federal Office for Information Security (BSI).
The BfArM recommends that manufacturers implement and operate an information security management system (ISMS) in order to respond appropriately to high market dynamics and the fast pace of technological development. In particular, the BfArM requires the following series of processes:
The BfArM highlights that a comprehensive ISMS according to the ISO 27000 series or BSI Standard 200-2 will be mandatory for any digital health app submitted from 1 January 2022. However, a certificate under the above standards will not release a manufacturer from proving implementation by providing the BfArM with the completed checklist mentioned above.
Where high security needs are identified (eg, where a lack of protection may endanger the data subject's life and limb or personal freedom), the following additional requirements must be met:
On 15 April 2020 the BSI published a technical guideline on the minimum requirements for the secure operation of digital health apps (the BSI guideline). The BSI guideline explains in detail which data protection and IT security measures apps must comply with, in order to process health data.(1)
Because the two documents differ in prioritisation and level of detail, manufacturers should take into account both the BSI guideline and the BfArM's guidance.
For further information on this topic please contact Christopher Götz, Fabian Huber or Felix Hänel at Simmons & Simmons LLP by telephone (+49 2 11 4 70 53 0) or email (firstname.lastname@example.org, email@example.com or firstname.lastname@example.org). The Simmons & Simmons LLP website can be accessed at www.simmons-simmons.com.
(1) A summary of the BSI guideline is available here.