No more self-certification for DiGA Apps | Medical law
Manufacturers of digital health applications (DiGA) currently demonstrate compliance with the data protection requirements under Section 139e (2) sentence 2 no. 2 SGB V by means of a self-declaration in accordance with the Digital Health Applications Ordinance (DiGAV). If all other requirements are met, the DiGA is included, provisionally if necessary, in the DiGA directory maintained by the BfArM.
This self-declaration, which is not unusual from the perspective of medical device law, drew objections from a data protection perspective. From 1 April 2023, the option of self-declaration will no longer apply. From this date, a data protection certificate within the meaning of Article 42 GDPR will be required as proof. Section 139e (11) SGB V was amended for this purpose.
The data protection certificate is to be based on test criteria that translate the data protection requirements of the GDPR and Section 4 DiGAV into application-oriented test points.
Date: 23 May 2022