Electronic Labelling – GDPR Representative required

 

Article 7 of Regulation (EU) 2021/2226 on electronic instructions for use (eIFU) refers to the websites where users can view their eIFU documents. Because websites can also serve as a tool for monitoring and tracking visitors’ actions and behaviour, the data collected in this way may, in certain circumstances, be considered personal data.

More specifically, personal data means:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

The most common online identifiers regarded by regulators as personal data include IP addresses and cookie identifiers, especially when third-party cookies are used.

Organizations should first assess whether their website collects any personal data from EU citizens within the meaning of the GDPR. If such data is collected, then, regardless of where the company is located, Article 3 of the GDPR applies. This means the organization operating the website must comply with all relevant GDPR requirements.

Some key elements, including GDPR Representative requirements, are listed briefly below (not exhaustive):

  • Obtain consent for data collection (through the implementation of a cookie banner)
  • Provide an accessible privacy policy for visitors
  • Maintain internal documentation (e.g. technical and organisational measures according to Art. 32 and, if applicable, records of processing activities according to Art. 30)
  • Establish procedures for managing information security risks
  • Appoint a Data Protection Officer if applicable (Art. 37)
  • Appoint an EU Representative if applicable (Art. 27)

Even when providing something as straightforward as access to eIFUs, companies can unintentionally collect personal data. Ensuring GDPR compliance is critical to avoid regulatory risks and sanctions with high fines, and to maintain trust with users.

MDSS supports manufacturers worldwide with GDPR EU Representative services
Contact us today to learn more about how we can assist you.

Disclaimer: Please verify the conditions with applicable laws independently. MDSS does not guarantee the completeness of the information provided.