General Data Protection

Introduction to General Data Protection in the EU Market

In preparing to export your medical devices to the EU Market, it is important to determine whether or not your products will fall under the scope of 'medical device' according to this specific legislation in the EU Market. If they do qualify as medical devices, you will also need to determine the appropriate classification in order to determine your unique path to compliance.

It is a particularly exciting and stressful time as medical device manufacturers worldwide transition from the framework of the Medical Device Directive 93/42/EEC to the Medical Device Regulation 2017/745/EC. As the Directive has been in place since June 14th, 1998 and was amended in , this will undoubtedly be a great undertaking for medical device manufacturers, Authorized Representatives & Notified Bodies in completing this transition.

EU General Data Protection Legislation

Until the publication of the General Data Protection Regulation on April 27th, 2016 and the subsequent two year transition period, the General Data Protection Regulation 95/46/EC was the reigning legal framework for data processing.

From May 25th, 2018, the GDPR  2016/679/EU becomes fully applicable in the EU as the main legal framework for data processing.


Key Facts:

  • All entities which process or store EU citizens' data must comply with GDPR requirements
  • Non-EU based entities must appoint an Authorized Representative in order to ensure their compliance at all times
  • Article 3 of the GDPR clarifies many important points:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Learn more:


Sign-up for our newsletter to stay up-to-date on all GDPR related matters!

Subscribe to our Newsletter