Privacy notice for medical devices incident reporting

What information do we process?

The HPRA assesses all incidents involving medical devices which are reported to us to ensure they are appropriately followed up and to help prevent similar incidents happening again. Some incident reports will contain personal data including what are called ‘special categories’ of personal data, in particular, health data relating to the subject of the reported event.

Legal basis for processing

The legal basis for processing personal data in incident reports is firstly, Article 6(1)(c) of the General Data Protection Regulation (GDPR), which states:

Processing is necessary for compliance with a legal obligation to which the controller is subject

Secondly, in terms of special categories of personal data, the HPRA relies on Article 9(2)(i) of GDPR, which states:

processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

The HPRA is legally obliged to collect incident reports relating to medical devices under the provisions of the Medical Devices Regulation (MDR EU 2017/745), the In Vitro Diagnostic Medical Devices Regulation (IVDR EU 2017/746) and related Irish legislation. 

The HPRA is also legally obliged to monitor the investigations conducted into incidents involving medical devices. These investigations may involve device manufacturers, authorised representatives with responsibility for the device, and/or device distributors.

How is your information processed and shared?

The information you have provided in this report, including your contact details, will be shared with the manufacturer, their authorised representative, and/or the device distributor. Your contact details will also be used by the HPRA to follow up with you regarding the report. Any information provided which is not relevant to the investigation will not be shared with any other party.

The manufacturer may request access to or return of the relevant device to aid their investigation. If so, they may contact you to make the necessary arrangements. Please contact the HPRA if you have any queries in relation to this.

In certain cases, it may be beneficial to gather further information relevant to this report from the doctor or other healthcare professional who provides support in relation to the device or medical condition involved. If this is the case, we will contact you to seek your agreement.  

Partially anonymised details of this report (personal contact information will be removed) may also be shared with other international medical device regulators on a confidential basis. Sharing this information ensures that the information is available to all parties responsible for the safety of medical devices and allows for appropriate follow-up and investigation of incidents. 

The HPRA uses third party service providers and suppliers (also known as data processors) to carry out both our regulatory functions and other related tasks. These third parties process personal data on behalf of the HPRA and appropriate arrangements are in place with them to protect personal data.

The personal data in incident reports collected by the HPRA is not generally expected to be transmitted to third countries by the HPRA. In cases where it is necessary to do so, the HPRA will make every effort to ensure all personal data is appropriately protected and the transfer complies with data protection legislation. 

The data is retained permanently. 

The HPRA fully respects your right to privacy and treats all personal information with the appropriate standards of security and confidentiality, strictly in accordance with data protection legislation.  

What are your rights under data protection law?

Data protection law provides you with the following rights regarding processing of your personal data:

  • The right to request access to your data
  • The right to request your data be rectified or erased
  • The right to request processing of your data be restricted
  • The right to lodge a complaint to the Data Protection Commission

How to contact us

To make a request regarding your personal data under the GDPR, please submit your request in writing or via email:

Data Protection Officer
Health Products Regulatory Authority
Kevin O'Malley House,
Earlsfort Centre,
Earlsfort Terrace,
Dublin 2

Tel: +353 (1) 676 4971
Fax: +353 (1) 676 7836
Email: dataprotectionofficer@hpra.ie

Please provide sufficient information in your request to enable us to deal with your query. Further information regarding data protection at the HPRA can be found in our main privacy notice.