The European Database on Medical Devices (Eudamed) is the IT system developed by the European Commission (Commission) to implement Regulation (EU) 2017/745 on medical devices (MDR) and Regulation (EU) 2017/746 on in-vitro diagnostic medical devices (IVDR). Its aim is to streamline and facilitate information flow between various stakeholders. The Commission Implementing Regulations (Regulations), which will come into force on 19 December 2021, are a welcome indication that a fully functional database is on the horizon. The Regulations set out the rules for how Eudamed will operate, including accessing the database, collecting personal data and the procedure in case of malfunctions.
Access and Registration to Eudamed
Under the Regulations, Eudamed will be accessible in different forms, depending on the party accessing it. Authorised users such as economic operators may access Eudamed through a restricted website, which facilitates the manual inputting of data together with machine-to-machine data exchange services. Non-identified users may access the database via a public website. The public website will provide information about devices placed on the market, corresponding CE certificates, economic operators and clinical investigations.
Who approves the access requests?
- the Commission registers the competent authorities, the authorities responsible for the notified bodies and the notified bodies themselves;
- in Ireland, the competent authority and authority responsible for the notified bodies is the Health Products Regulatory Authority (HPRA), and the notified body is the National Standards Authority of Ireland (NSAI);
- a “natural person” must submit an access request on an actor’s/economic operator’s behalf via the restricted website, accepting the user rights and obligations under the IT Security provisions;
- the national competent authority of the country where the prospective actor is established (i.e. their registered place of business) must approve this application (except when the request concerns a sponsor of a clinical investigation or a performance study);
- for manufacturers established outside of the EU, the national competent authority shall be the authority responsible for the authorised representative mentioned in the actor registration request; and
- for system or procedure pack producers established outside of the EU, the national competent authority shall be the authority of the Member State, where the first system or procedure pack of that producer is to be placed on the market.
Commission Responsibility for Eudamed
The Regulation sets out the following obligations on the Commission:
- ensuring the European Medical Device Nomenclature (EMDN) is available to authorised users free of charge;
- setting up application support teams to assist Eudamed users;
- making available the relevant technical documentation including providing, Frequently Asked Questions and machine-to-machine data exchange services support documentation; and
- providing testing and training websites for actors. The data entered into these testing and training websites will not be available to the public.
Ownership and Processing Personal Data on Eudamed
As the owner of Eudamed, the Commission has full administration rights. To comply with the MDR and IVDR, the following categories of personal data will be processed on Eudamed:
- names of actors and authorised users;
- their contact details; and
- identification, contact details and professional qualifications of other persons reported in Eudamed for the purposes of complying with obligations under the MDR and IVDR.
Technical Issues with Eudamed
The Commission is obligated to take all necessary measures to avoid malfunction of Eudamed and sets out the steps to take should a malfunction occur. Should there be a suspension of the submission of data in Eudamed for more than 12 hours, actors will benefit from an easing of submission periods to Eudamed. However, they must provide general information about the data and the fact its submission is pending, to the national competent authorities concerned and to the notified body that issued the certificate of conformity. Should the malfunction last for more than 24 hours, the actor shall provide further data as requested.
Article 10 delineates the IT Security requirements on the Commission, which include providing the following documents:
- a document on user rights and obligations;
- the declaration on information security responsibilities;
- the privacy statement; and
- the information security requirements for data exchange.
The same easing of submission periods as set out in the event of a malfunction will apply in cases where Eudamed functionality is suspended due to an IT security risk.
The Regulation also allows the Commission to suspend access, either temporarily or permanently for authorised users who carry out fraudulent activity in Eudamed.
Three out of the six modules of Eudamed are now available (UDI/Device Registration and Notified Body and Certificate Modules as of 4 October 2021; and Actor Registration Module as of 1 December 2020). We will continue to monitor further updates from the Commission and the HPRA and keep you updated. If you require additional information on any aspect of the MDR or IVDR, please contact Charleen O’Keeffe.
Contributed by Charleen O’Keeffe & Sinéad Cullen