EU Compliance Guide for Non-EU SaMD & Connected Health Devices

For a non-EU manufacturer of a connected medical device, such as a Software as a Medical Device (SaMD) that processes personal health data from users in the European Union, navigating compliance can be complex. Beyond meeting the regulatory requirements of the EU Medical Device Regulation (MDR), the company must also adhere to the General Data Protection Regulation (GDPR). This often necessitates appointing a GDPR Article 27 representative. While a manufacturer might budget for an EU Authorized Representative under the MDR, what specific factors determine the scope, service level, and resulting cost of an Article 27 representative? For instance, how does the risk profile change between a wellness-focused wearable that collects heart rate data versus a diagnostic AI tool that analyzes patient medical images? Key considerations often include the volume and sensitivity of the data being processed, the complexity of the data flows, and the level of liability the representative is expected to assume. Furthermore, how should a manufacturer evaluate service offerings? A basic "postbox" service is very different from a comprehensive partnership that includes assistance with data subject access requests or liaising with Data Protection Authorities. What level of expertise in medical device software, including cybersecurity considerations, is necessary for a representative to be effective? How do these responsibilities intersect with, or remain distinct from, the obligations of the EU Authorized Representative required under the MDR, and what are the strategic implications of bundling these services with a single provider versus keeping them separate?

---

*This Q&A was AI-assisted and reviewed for accuracy by Lo H. Khamis.*
💬 1 answers 👁️ 19 views 👍 0
Asked by Lo H. Khamis

Answers

👍 2
## A Practical Guide to GDPR Article 27 Representatives for Non-EU MedTech and SaMD Companies

For non-EU manufacturers of Software as a Medical Device (SaMD) and connected health products, entering the European Union market involves a dual compliance challenge. While achieving CE Marking under the EU Medical Device Regulation (MDR) is a primary focus, companies that process the personal health data of EU residents must also comply with the General Data Protection Regulation (GDPR). A critical, and often misunderstood, requirement of the GDPR is the mandate for many non-EU companies to appoint an Article 27 representative. This representative is not merely an administrative contact but a formal legal entity that serves as the point of contact for EU data subjects and supervisory authorities.

Understanding the scope, cost factors, and service levels of an Article 27 representative is essential for budgeting, risk management, and building a sustainable EU compliance strategy. This guide breaks down the key considerations for selecting and partnering with the right representative for your MedTech or SaMD product.

### Key Points

* **Mandatory Requirement:** Appointing a GDPR Article 27 representative is a legal obligation for most non-EU companies that process personal data of EU residents, including health data from medical devices, if they do not have a physical establishment in the EU.
* **Distinct from MDR Authorized Representative:** The Article 27 representative handles data protection and GDPR compliance, while the EU Authorized Representative (AR) under the MDR handles device safety and regulatory compliance. Their roles are legally distinct, though some providers offer bundled services.
* **Cost is Risk-Based:** The cost of an Article 27 representative is not one-size-fits-all. It is heavily influenced by the volume and sensitivity of the data processed (e.g., diagnostic data vs. wellness data), the complexity of data flows, and the level of liability the representative assumes.
* **Service Levels Vary Widely:** Services range from a basic "postbox" function (forwarding communications) to a comprehensive partnership that includes managing data subject requests, liaising with Data Protection Authorities (DPAs), and providing strategic advice on data protection impact assessments (DPIAs).
* **MedTech Expertise is Crucial:** An effective representative for a SaMD company needs more than just GDPR knowledge. They must understand the nuances of medical device software, cybersecurity risks, and the specific types of sensitive health data being processed to provide meaningful support.

### Understanding the Role of the GDPR Article 27 Representative

Under Article 27 of the GDPR, a non-EU company (acting as a "controller" or "processor") that offers goods or services to individuals in the EU or monitors their behavior must designate a representative within the Union. For a SaMD or connected device manufacturer, this is almost always the case if the device is marketed to EU users and collects their personal data.

The primary functions of the Article 27 representative are:

1. **Serve as a Point of Contact:** The representative is the local contact for EU-based data subjects (e.g., patients, users) who wish to exercise their GDPR rights, such as the right to access, rectify, or erase their data.
2. **Liaise with Supervisory Authorities:** The representative is the main intermediary for communications with national Data Protection Authorities (DPAs). They receive inquiries, notices, and legal documents on behalf of the non-EU company.
3. **Maintain Records of Processing Activities (ROPA):** The representative must maintain a copy of the company's ROPA (as required by GDPR Article 30) and make it available to DPAs upon request.

It is critical to note that appointing a representative does not absolve the non-EU company of its own GDPR obligations. The ultimate liability for compliance remains with the manufacturer.

### Distinguishing the Article 27 Rep from the MDR Authorized Representative

A common point of confusion for MedTech companies is the difference between the GDPR Article 27 representative and the EU Authorized Representative (AR) required by the MDR. While both are mandatory EU-based entities for non-EU manufacturers, their responsibilities are entirely separate.

| Feature | **GDPR Article 27 Representative** | **MDR Authorized Representative (AR)** |
| :--- | :--- | :--- |
| **Governing Regulation** | General Data Protection Regulation (GDPR) | EU Medical Device Regulation (MDR 2017/745) |
| **Core Focus** | Data protection and privacy of personal data | Medical device safety, performance, and regulatory compliance |
| **Key Responsibilities** | Point of contact for data subjects and DPAs; maintains ROPA | Verifies conformity assessment, registers device in EUDAMED, handles vigilance reporting and incident communication |
| **Liability** | Acts on behalf of the data controller; liability for compliance remains with the non-EU company | Shares legal liability with the manufacturer for defective devices placed on the EU market |
| **Required Expertise** | Data privacy law, information security, data breach management | Medical device regulations, quality management systems (ISO 13485), technical documentation, clinical data |

### Key Factors Influencing the Scope and Cost of an Article 27 Representative

The cost for an Article 27 representative can range significantly. Manufacturers should evaluate their needs based on the following factors, which directly correlate to the risk profile and workload for the representative.

#### 1. Volume and Sensitivity of Data

This is the most significant cost driver. A higher risk profile requires a more engaged and expert representative, leading to higher fees.

* **Low Risk Example:** A wellness wearable that tracks heart rate and step count for fitness purposes. While this is personal data, it may not be considered "special category data" if not used for diagnostic or medical purposes.
* **High Risk Example:** A diagnostic AI SaMD that analyzes patient medical images (e.g., MRIs, CT scans) to detect disease. This involves processing large volumes of "special category data" (health data), which carries the highest level of protection under GDPR and exposes the company and its representative to greater scrutiny.

#### 2. Complexity of Data Processing Activities

The complexity of how data is collected, used, stored, and transferred impacts the representative's workload in understanding and documenting these activities.

* **Simple:** A standalone mobile app where data is stored locally on the user's device and encrypted backups are sent to a single cloud server.
* **Complex:** A connected device ecosystem involving a wearable sensor, a smartphone app, a cloud platform, and third-party analytics services, with data flowing between multiple jurisdictions.

#### 3. Level of Service and Partnership

The desired scope of service directly affects the price.

* **Basic ("Postbox"):** The representative's role is limited to receiving and forwarding communications from data subjects and DPAs. The manufacturer is responsible for drafting all responses and managing the entire process. This is the cheapest option but offers the least support.
* **Enhanced:** The representative helps manage data subject access requests (DSARs), provides templates for responses, and offers initial guidance on inquiries from DPAs.
* **Comprehensive Partnership:** The representative acts as a strategic advisor. This may include reviewing DPIAs, advising on data breach response protocols, actively participating in communications with DPAs, and providing ongoing training and compliance updates. This is the most expensive but most valuable option for high-risk device manufacturers.

#### 4. Liability and Indemnification

The contract between the manufacturer and the representative will outline liability. Representatives who assume a greater share of procedural responsibility or offer insurance coverage for potential fines will charge higher fees to compensate for their increased risk exposure.

### Strategic Decision: Bundling vs. Separating Your EU Representatives

Manufacturers have the choice to either hire two separate, specialized providers for their MDR AR and GDPR Art. 27 roles, or to find a single provider that offers both services.

**Arguments for Separating Services:**

* **Deep Specialization:** Each provider is an expert in their respective domain (device regulation vs. data privacy). This can be critical when dealing with complex, high-risk products.
* **Avoids Conflicts of Interest:** In a serious incident involving both a device malfunction and a data breach, having separate representatives ensures that each issue is handled by a specialist without competing priorities.
* **Flexibility:** It allows the manufacturer to select the "best-in-class" provider for each distinct function.

**Arguments for Bundling Services:**

* **Streamlined Operations:** A single point of contact can simplify communication, contract management, and administration.
* **Potential Cost Savings:** Bundling services may result in a discounted package price compared to engaging two separate firms.
* **Holistic View:** A provider with expertise in both MDR and GDPR can offer a more integrated compliance strategy, especially for SaMD where device functionality and data processing are intrinsically linked.

The right choice depends on the manufacturer's risk tolerance, internal expertise, and the complexity of their device and data processing activities.

### Finding and Comparing Providers

Selecting the right Article 27 representative is a critical compliance decision. Manufacturers should conduct thorough due diligence and treat the selection process like hiring a key legal partner. Here is a checklist of questions to ask potential providers:

1. **Experience with MedTech/SaMD:** Do they have specific experience representing medical device or digital health companies? Can they provide anonymized case studies or references?
2. **Team Expertise:** What are the qualifications of the team members who will be handling the account? Do they have certifications like CIPP/E (Certified Information Privacy Professional/Europe)? Do they understand cybersecurity principles relevant to medical devices?
3. **Scope of Services:** Request a detailed breakdown of what is included at different service tiers. Clarify their exact role in handling a DSAR or a DPA inquiry.
4. **Incident Response Protocol:** What is their process in the event of a data breach? How will they coordinate with the manufacturer's internal team?
5. **Liability and Insurance:** What level of professional liability or cyber insurance do they carry? What are the indemnification clauses in their contract?
6. **Language Capabilities:** Can they effectively communicate with data subjects and DPAs across all relevant EU member states?
7. **Pricing Structure:** Is the fee a flat annual rate, or are there additional charges for handling inquiries or incidents? Ensure there are no hidden costs.

> To find qualified vetted providers [click here](https://cruxi.ai/regulatory-directories/gdpr_art27_rep) and request quotes for free.

### Key EU References

When navigating GDPR compliance, it is essential to consult the official source documents and guidance from supervisory authorities.

* The Official Text of the General Data Protection Regulation (EU) 2016/679.
* Guidance and official opinions from the European Data Protection Board (EDPB).
* Resources and guidance published by national Data Protection Authorities (DPAs) in the specific EU countries where the device is marketed.

***

This article is for general educational purposes only and is not legal, medical, or regulatory advice. For device-specific questions, sponsors should consult qualified experts and consider engaging FDA via the Q-Submission program.

---

*This answer was AI-assisted and reviewed for accuracy by Lo H. Khamis.*