Gemelli Digital Medicine & Health
Regulation
GDMH strongly believes that robust regulatory compliance is essential to delivering efficient and secure Digital Medicine solutions to the healthcare market.
Policies & Credentials
Given the vast number of Digital Health products currently on sale in the healthcare market, a clearly defined regulatory path is needed to distinguish the different digital solutions, their scope and use, and the creation and development process behind them.
At the moment, the EU MDR 745/2017 (Medical Device Regulation) is the reference point for companies, manufacturers, suppliers, importers or distributors of medical devices. It defines:
- More stringent rules around Software as a Medical Device (SaMD) used to execute and support the clinical trials that assess its actual benefits in the therapeutic journey.
- Guidelines for safety and performance covering the SaMD's development and production phases before commercialization, and tighter control of post-market surveillance.
- Transparency through the European database of medical devices and their traceability.
Class I Devices
The manufacturer can independently affix the CE marking and self-declare the product's conformity to the applicable standards.
Class II, III and sub-Class I Devices
The MDR stipulates that a Notified Body must assess the required conformity. A determining element in the evaluation and approval of Class II and Class III Digital Medicine products is the evidence generated by clinical trials (ISO 14155:2011), conducted in principle under the responsibility of a sponsor (Article 63 of the MDR); this role may be assumed either by the manufacturer or by another natural or legal person.
International Standard Organization Indications
Together with the MDR's guidelines, the International Standard Organization (ISO) gives further indications and norms to follow in order to develop, produce and commercialize medical devices, ranging from the international standards for clinical trials to post-market surveillance and the information security management systems that protect individuals' data.

01. ISO 14155:2011
Clinical investigation of medical devices for human subjects — Good clinical practice.
02. ISO 13485:2016
Medical devices — Quality management systems — Requirements for regulatory purposes.
03. ISO/IEC 27001:2022
Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
04. ISO 20417
Medical devices — Information to be supplied by the manufacturer.
05. Technical report ISO/TR 20416
Medical devices — Post-market surveillance for manufacturers.
06. Technical report ISO/TR 11147:2023
Health informatics — Personalized digital health — Digital therapeutics health software systems.
DATA PROTECTION
GDPR
EU 2016/679 General Data Protection Regulation (GDPR) defines the following:
- Accountability of the data controller and the data processor.
- Security measures must be appropriate to the risk inherent in the processing of personal data.
- Mandatory creation of a Record of Processing Activities (ROPA) and mandatory notification of a data breach to the Data Protection Authority.
- Mandatory Data Protection Impact Assessment (DPIA) where the nature of the processing requires it.
- Mandatory designation of a Data Protection Officer (e.g. for large corporate groups, or even for small entities that process very sensitive data).
Given the above, GDMH has:
- Designated a Data Protection Officer
- Adopted a Record of Processing Activities
- Adopted a Policy for the protection of personal data

“Companies that offer digital medicine services must be able to equip themselves with their own privacy risk assessment system, without counting, as in the past, upon legal review by the Supervisory Data Protection Authority (SDPA)”.
Giorgianni, F. (2023). GDPR as a First Step Towards Free Flow of Data in Europe. In: Cesario, A., D'Oria, M., Auffray, C., Scambia, G. (eds) Personalized Medicine Meets Artificial Intelligence. Springer.