In the last month, both the European Data Protection Board (“EDPB”) and the Court of Justice of the European Union (“CJEU”) provided their interpretation of key data protection concepts that are crucial for ensuring compliance with Regulation (EU) 2016/679 (“GDPR”).

In Opinion 22/2024, the EDPB provided guidance to data controllers on how to effectively oversee the activities of their (sub-)processors in a GDPR-compliant manner. The opinion was requested by the Danish data protection authority and likely related to the enforcement actions against Danish hospitals which allegedly failed to oversee processors (see our blog – https://www.biosliceblog.com/2024/02/proposed-fine-against-danish-hospital-for-failure-to-supervise-data-processors/).

In early October, the CJEU provided an answer to a key question raised by the courts in the Netherlands – can the legitimate interests legal basis be used for processing of personal data for commercial purposes (e.g., sharing with third parties for advertising and promotion) (Case C‑621/22).
Continue Reading Notable developments in the interpretation of key GDPR concepts – why should Life Sciences companies care?

On 1 February 2024, the Danish Data Protection Agency announced that it had reported the private hospital HP Gildhøj Privathospital ApS (Capio A/S) to the Danish police and recommended imposing a fine of not less than DKK 1,500,000 (over 200,000 euros). In its investigation, the Danish Data Protection Agency found that the hospital had failed to effectively supervise the data processors it used for the processing of large amounts of patients’ sensitive personal data.
Continue Reading Proposed fine against Danish hospital for failure to supervise data processors

Thank you to all who joined us for our December 13 panel titled the “Race to Regulate.” In case you missed it, unpack this year’s pivotal legal challenges impacting the 2023 — and 2024 — digital legal landscape in our Year in Review Pocket Book.
Continue Reading Virtual and Digital Health Digest, December 2023

Spurred, in part, by the COVID-19 pandemic and the need for new ways to reach patients at home, 2023 saw a boom in digital technologies and healthcare solutions: one-stop-shop telemedicine platforms, app-based remote patient monitoring, direct-to-consumer online pharmacies, software-based medical devices, and artificial intelligence/machine learning to bolster delivery of telehealth services. Then came a robust government response. In the EU and UK, regulatory bodies grappled with the introduction of machine learning, AI, and other software into healthcare services by, for example, new guidance from the EU Medical Device Coordination Group and UK Medicines and Healthcare products Regulatory Agency on software medical devices, the EU’s AI Act and the UK government’s AI White paper, the European Medicines Agency reflection paper on use of AI in the product lifecycle, the EU Data Privacy Framework and the equivalent UK-U.S. data bridge, and the European Health Data Space.

We call this the “Race to Regulate.” This push-pull dynamic between digital health innovation and government regulation is key to evaluating regulatory risks in today’s shifting legal landscape. This digest seeks to keep up with these changes and provide you with an overview of the key guidelines and developments as the landscape develops. As we come to the end of 2023 and publish our latest Digest, join us on December 13 as we unpack pivotal moments in the 2023 Race to Regulate and discuss what’s next for virtual and digital health.
Continue Reading Virtual and Digital Health Digest and webinar

On 7 July 2021, the European Data Protection Board (EDPB) adopted the final version of its guidelines 07/2021 on the concepts of controller and processor in the General Data Protection Regulation (GDPR) (Guidelines), following a period of public consultation regarding the first draft of the Guidelines (about which we reported in an earlier blogpost). As discussed below, the final Guidelines have considerable significance for the life sciences sector.

Another key GDPR development that is directly relevant for the life sciences sector and international transfers of personal health data (e.g., conduct of cross-border clinical trials) is the adoption of the new version of the standard contractual clauses (New SCCs) published by the European Commission (EC) on 4 June 2021. The second part of this blogpost outlines some key takeaways of the New SCCs. (We provide a more detailed analysis of the design, scope and main content of the New SCCs in our related advisory.)
Continue Reading Recent GDPR developments relevant for the life sciences sector

On 7 September 2020, the European Data Protection Board (EDPB) initiated a public consultation on draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Any interested party could provide comments by 19 October 2020 using the dedicated form.

The draft Guidelines contain elements that are of interest for companies active in the life sciences sector as they may have an impact on companies’ day-to-day research and commercial activities in the EU and their compliance with Regulation (EU) 2016/679 (GDPR).
Continue Reading Draft EU guidelines on the concepts of controller and processor—key elements for life sciences companies

Apologies that it has been a while since we’ve posted! We have lots in the pipeline, starting with this webinar.

Data and Its Impact on Medical Technology Companies Doing Business in the EU

Today’s medical technology industry is being transformed by data—clinical data, vigilance data, real world data and personal data. As such, there is