Question 1

We're a US company - does GDPR apply to us?

Accepted Answer

If you offer goods or services to people in the EU/EEA/UK, or monitor their behaviour - including via a connected device, app, or cloud back-end - GDPR applies extraterritorially under Article 3(2). For MedTech, this almost always applies once you sell, run a clinical investigation, or have a hospital partner in the EU.

Question 2

Isn't HIPAA enough?

Accepted Answer

No. HIPAA is a US sectoral law focused on covered entities and business associates. GDPR is a horizontal EU regulation with broader subject rights (access, erasure, portability, objection), stricter breach timelines (72 hours to a supervisory authority), and a separate technical-measures framework (Article 32). HIPAA evidence helps, but it is not a substitute.

Question 3

Do I need a DPIA for my device?

Accepted Answer

For connected medical devices and large-scale processing of health data, yes - this is explicitly listed as high-risk processing on nearly every EU member-state DPIA blacklist. The DPIA is also the document a supervisory authority will read first if anything goes wrong.

Question 4

What about sending EU patient data to US cloud regions?

Accepted Answer

Allowed, but you need a transfer mechanism. Post-Schrems II that means Standard Contractual Clauses (SCCs), a Transfer Impact Assessment, and supplementary measures - typically encryption with EU-controlled keys, pseudonymisation, and contractual restrictions on sub-processor access. We deliver all of these as part of the program.

Question 5

How does GDPR fit with EU MDR/IVDR?

Accepted Answer

Notified Bodies under MDR/IVDR increasingly want to see GDPR artifacts referenced from your QMS, technical documentation, and post-market surveillance plans - especially for connected devices and SaMD. We align the GDPR documentation with your QMS so one set of artifacts serves both audiences.

Question 6

Do I need an EU Representative?

Accepted Answer

If you don't have an establishment in the EU but you target EU data subjects, Article 27 requires a designated EU Representative in writing. We make a recommendation based on your member-state footprint and connect you with a vetted provider.

Question 7

How do we operationalize data-subject rights for a connected medical device?

Accepted Answer

Articles 15-22 give EU data subjects the right to access, rectify, erase, restrict, port, and object to processing of their personal data - within one month of request. For a connected device that means a workflow that can locate a patient's data across the device, the cloud back-end, support tickets, analytics, and any sub-processors, then act on it within the deadline. We design the request-handling runbook, build the request intake (typically a webform plus an email alias), define the verification protocol, and document who in your organization owns each step. The technical erasure pattern usually requires data-model changes - we scope and sequence those during the program build.

Question 8

What does the 72-hour breach notification timeline actually require?

Accepted Answer

Article 33 requires you to notify the lead supervisory authority within 72 hours of becoming aware of a personal-data breach - even if you don't yet know the full scope. The notification has to describe the nature of the breach, categories and approximate numbers of data subjects and records, likely consequences, and measures taken or proposed. Article 34 then requires direct notification to affected data subjects when the risk is high. Our breach runbook gives you a one-page decision tree, pre-drafted notification templates for the major EU supervisory authorities (CNIL, ICO equivalents, BfDI, Garante, AEPD), and a tabletop exercise so the team has rehearsed the workflow before they need it.

Question 9

Do we need to worry about GDPR for our US clinical investigations?

Accepted Answer

If any participant is recruited from the EU, or if processing happens in the EU, or if you analyze EU-collected investigational data in the US - yes. The processing has a clear legal basis question (consent, performance of a contract, or scientific research under Article 89), DPIA implications, and cross-border transfer requirements. We work with your clinical team and CRO to map the data flows, secure the appropriate legal basis, run the DPIA, and put the SCCs and supplementary measures in place before enrollment opens. Doing this after a study is underway is much harder and routinely delays sponsor approvals at the EU sites.

Question 10

What are the actual financial penalties for getting this wrong?

Accepted Answer

Two tiers: up to €10 million or 2% of global annual turnover (whichever is higher) for administrative violations like missing records, late breach notifications, or failure to implement Article 32 measures; up to €20 million or 4% of global annual turnover for substantive violations of the lawfulness, consent, or data-subject-rights provisions. Recent enforcement against health-data processors has trended toward the higher tier. Beyond fines, supervisory authorities can order processing to stop - which for a connected medical device effectively suspends EU sales and clinical operations until remediation is verified.

GDPR for Connected Medical Devices. EU-ready before launch.

Why US MedTech teams trip on GDPR

No Article 30 records

No DPIA for the device

Broken transfer mechanism

Documentation and controls we deliver

Records & assessments

Article 32 technical measures

Data-subject rights

Contracts & governance

How the GDPR program runs

1. Scoping & data mapping

2. Records, DPIA, and contracts

3. Article 32 measures + rights workflows

4. Embed and operate

Reviewer-ready deliverables in one engagement

Related Premarket services

Full-Service FDA Premarket Cybersecurity

FDA Deficiency Response

FDA-Compliant SBOM Services

Backed by MedTech leaders.

GDPR for Connected Medical Devices - scoped, fixed-fee, FDA-ready.