Data protection and cloud-based health applications – new guidance from the German Data Protection Conference for app providers

This is due to the fact that a large amount of user data, in particular health data, is collected, stored and processed during use. A comprehensive data protection check should therefore be performed before the application goes live. Thus, providers and manufacturers can prevent subsequent measures by the data protection supervisory authorities or (monetary) claims by data subjects.

Providers and manufacturers of digital health applications should consider the following points, among others:

1. Responsibility under data protection law
   Manufacturers and providers must check whether they are responsible under data protection law for the processing of user data. This may be the case if, in addition to producing the app, they also decide on the purposes and means of data processing. This must always be checked on a case-by-case basis.
   
   In addition to the manufacturer and provider, further parties might also be involved in data processing. These may include cloud providers, doctors and other service providers. From a data protection perspective, the role of the parties involved is crucial in each individual case. For example, if their processing of data is subject to instructions, a data processing agreement should be concluded with them.
   
   This responsibility is associated with various obligations under data protection law, which, in the worst case, can result in a fine imposed by the supervisory authority in case of non-compliance.
    
2. Compliance with the principles of privacy by design and privacy by default
   From the data protection supervisory authority’s perspective, the application must be set up with regard to the data protection-friendly technical design in such a way that it can be used without using the cloud function and without creating a user account.
   
   The cloud function shall be permitted in exceptional cases if it is absolutely necessary in order to achieve the therapeutic benefit and is expressly requested by the user. If the user decides against cloud-based processing, the data shall be allowed to be stored locally on the end device at most.
   
   The user must be provided with a corresponding choice and information about the cloud function’s existing benefits and risks. With regard to the use of cloud solutions, the DSK’s data protection classification therefore remains strict.
    
3. Data use for research and quality assurance purposes
   The utilization of user data for research and quality assurance purposes is generally only possible on a legal basis. This may be, for example, the user’s consent. With regard to the use of data for research purposes, consent may be waived in exceptional cases if the requirements are met (Art. 27 BDSG (German Federal Data Protection Act)). The law also provides for an exception for manufacturers of medical devices. These do not require user consent for quality assurance purposes either, as they are legally obliged to ensure quality assurance and risk management in accordance with the EU Regulation on Medical Devices 2017/745.
   
   However, in the DSK’s opinion, the range analysis functions and software error tracking mechanisms regularly implemented in apps and web applications are generally not compatible with the application’s purpose.
   
   In addition to the aforementioned issues, the further data protection requirements must be observed. This may include, for example, guaranteeing and complying with data subjects’ rights and data security (implementation of technical and organizational measures) as well as the obligation to conduct a privacy impact assessment. 

Speaking of data security:

For refundable digital health applications in accordance with the German Digital Health Applications Ordinance (“DiGAV”), changes are coming into force with regard to data protection and data security requirements:

• From August 1, 2024, digital health applications must implement the test criteria for the data protection requirements to be demonstrated by digital health applications set by the German Federal Institute for Drugs and Medical Devices in accordance with Art. 139e (11) SGB V (German Social Code, Book V), (Art. 4 (8) DiGAV). Proof of compliance with the requirements shall be provided by submitting a certificate issued in accordance with the test criteria pursuant to sentence 1 in accordance with Article 42 of the General Data Protection Regulation (GDPR).
• From January 1, 2025, digital health applications must meet the data security requirements defined by the German Federal Office for Information Security (“BSI”) pursuant to Art. 139e (10) SGB V (Art. 4 (7) DiGAV. From January 1, 2024, the BSI offers procedures for checking and confirming compliance with the requirements by means of corresponding certificates.

Paper on data protection and cloud-based digital health applications