Lars Lensdorf, Dr. Dr. Adem Koyuncu, and Anna Oberschelp de Meneses of Covington and Burling write:
Digital health apps are increasingly used in practice. They raise various questions under regulatory and data protection and data security laws. On November 6, 2023, the German Conference of the Independent Data Protection Supervisory Authorities (Datenschutzkonferenz, DSK), a national body which brings together Germany’s federal and regional data protection authorities, issued a paper about the GDPR’s application to cloud-based digital health applications (“health apps”) that are not subject to the German Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung, the “DiGA Regulation”).
Germany was the first country in the world that offered reimbursement for digital health apps under the statutory health system. Reimbursable health apps are medical devices and must meet specific requirements set out in the DiGA Regulation and be approved by the German Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte, BfArM). The DiGA Regulation imposes specific data protection and data security requirements on health apps (in addition to safety, functionality, quality and interoperability requirements). The DSK’s paper does not discuss the specific obligations imposed by the DiGA Regulation. The DSK paper also refers to digital health apps that are not subject to reimbursement under the DiGA Regulation.
Read more at Inside Privacy.