Would you recommend for a medical device company that maintains a QMS system (under CE mark) to incorporate all GDPR changes inside the QMS?
A QMS is established to certify quality and compliance of products to legal requirements.
A QMS system under CE mark may be related to product safety, which can affect data protection if personal data are acquired by the medical device.
The certification process is encouraged by European Authorities and Member States under article 42 GDPR.
Are there subjects or areas that you would not want to be checked by the CE/QMS audit that relate to GDPR?
A CE mark or QMS audit can be helpful to demonstrate accountability to GDPR requirements. However, depending on the QMS audit that you implement in your company, some areas may not be covered. For example, employee data processing and its storage, or the transfer of data outside the EU, may not be covered if your QMS is focused only on product safety. Also, compliance of the data processor with GDPR provisions should be checked.
Please consider that according to paragraph 4 article 42 GDPR “certification does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities”.
Jan 31, 2020