MedTech Europe Calls for Clarification on EDPB’s Proposed DPIA Template
MedTech Europe has published its response to the European Data Protection Board (EDPB) public consultation on the draft Data Protection Impact Assessment (DPIA) template, expressing support for the objective of promoting consistent data protection practices across the European Union while raising concerns about the practical implementation of the proposed framework.
According to the association, many organisations in the medical technology sector have already developed mature, risk-based DPIA methodologies that are integrated into broader compliance and risk management systems. MedTech Europe argues that the introduction of a highly detailed template should not create unintended compliance expectations or disrupt existing approaches.
Concerns Raised by the Industry
A key concern highlighted in the response is the risk that the template could become a de facto standard for DPIAs, even if its use is intended to be voluntary. The association notes that organisations may face uncertainty regarding whether supervisory authorities will expect DPIAs to follow the proposed structure or may challenge assessments presented in alternative formats.
MedTech Europe also questions whether the template adequately reflects the realities of organisations operating across multiple jurisdictions and managing complex processing activities. In particular, the association points to the extensive level of detail required and warns that it could increase administrative burden without necessarily improving data protection outcomes.
The response further highlights concerns regarding:
Limited alignment with existing mature DPIA frameworks;
The complexity and proportionality of the proposed documentation requirements;
Limited usability in organisations where multiple stakeholders are involved, including legal, compliance, IT, clinical and R&D teams;
A lack of practical guidance on risk assessment methodologies;
Insufficient clarity regarding the lifecycle and updating of DPIAs;
Limited consideration of sector-specific realities, including the processing of health data and activities common within the medical technology sector.
Recommendations to the EDPB
In its submission, MedTech Europe recommends that the EDPB:
Clearly confirm that the DPIA template is entirely optional;
Clarify that compliance should be assessed based on substance rather than format;
Position the template as a flexible and illustrative tool rather than a replacement for existing DPIA frameworks;
Reinforce the principles of proportionality and risk-based application;
Provide practical examples and reference methodologies;
Clarify expectations regarding DPIA updates throughout their lifecycle;
Consider sector-specific guidance, including examples relevant to health data processing and medical technology activities.
What This Means for Manufacturers
Although the consultation does not introduce new regulatory requirements, medical device manufacturers and digital health companies may wish to monitor the outcome of the EDPB consultation.
The response from MedTech Europe reflects industry concerns that any future DPIA framework should remain flexible and compatible with existing risk-based processes. The association is also seeking confirmation that organisations will continue to have the freedom to use their own established methodologies, provided they meet GDPR requirements.
The final position adopted by the EDPB may be particularly relevant for organisations that regularly conduct DPIAs involving health data, software-related activities, clinical investigations, or post-market monitoring processes.