A company supplying products and services to customers in the European Union that does not have an office or is not established in any EU Member State or in the United Kingdom, probably requires an EU authorised data protection representative. QFI can serve as an EU Authorised Data Protection Representative according to Recital 80 Regulation (EU) 2016/679 and Data Protection Act 2018 (Pure and Applied GDPR) supporting medical device manufacturers who collect, process and archive personal data on European data subjects pursuant to Regulation (EU)2016/679. Such personal data necessary in fundamental scientific research, risk assessment, clinical investigation and other health-related purposes, are subject to the Regulation. While manufacturers are generally familiar with the requirements and recommendations concerning informed consent and other ethical committee expectations, comprehensive understanding of regulations on special categories of personal data, probabilities, requisite controls and available penalties for violation, are less known.

Our EUDPRP provides the following:

• EU data protection representation services to organisations outside the EEA
• Official address as GDPR representative through our offices in the EU and UK
• Point of contact for personal data protection pursuant to the regulation
• Communication and act of on behalf with European and UK data protection supervisory authorities
• Notify and assist in resolving investigations on breach of personal data
• Where agreed, retain data protection processing activity records according to Article 5 (1) (e) Regulation (EU) 2016/679
• Conduct preliminary and renewal data protection system conformity assessment to identify areas our client members might need to improve
• evaluate documented processes and procedures, conduct Data protection impact assessments.
• Devise and implement documented systems, processes and procedures in client member management systems to integrate Regulation (EU) 2016/679, Data protection Act 2018 and Regulation (EU) 536/2014 also where requested, US Privacy Shield elements.
• Conduct data protection risk assessment, formulate safety and reliability engineering analysis and cover NHS digital standards requirements.

QFI offers services as designated representative according to Article 27 of the Regulation through a fully-documented EU Personal Data Protection Designated Representative Programme [EUPDPDRP] designed for the medical device sector. Our services cover marketed product, including medical devices, personal protective equipment and related technologies such as stand-alone and cloud-based medical device software, product undergoing clinical investigation or supplied for special purposes, as well as digital systems supporting medical use. Additionally, QFI will continue to offer data protection representation into the UK beyond 31 December 2020. EUDRP acts on behalf of a data controller on processor pursuant to Chapter IV Section 1 Article 27 Regulation (EU) 2016/679, including obligations where Article 3 (2) apply to Representatives of controllers or processors not established in the Union. The programme also offers practical resources to help manufacturers conduct personal data protection regulation gap analyses, assess risk, produce documented procedures integrated within registered QMS and other management system constructs, evaluate concordance of international arrangements to avoid violation of European requirements and, where necessary, help remediate breaches of personal data obligations involving medical devices, thereby improving security and safety measures.

At QFI, we:

• Ensure your privacy policy, data protection processes and procedures fulfil requirements
• Check if your organisation records of processing activities comply
• Examine data protection technical documentation required by Regulation (EU) 2016/679 and Data protection Act 2018 is complete
• Check procedures to fulfil data transfer requests and attend to breaches of personal data to ensure that they are compliant and efficient

If data protection professional consulting services are required, we can provide GDPR compliance inspections and audits, devise and assist implementing compliance management systems and solutions, create data protection governance programmes, create privacy policies and deliver specific training.