What is behind the current letter from the data protection supervisory authorities to DiGA manufacturers?

Many of our customers have already received it recently: a letter from the data protection supervisory authorities regarding state certification.
What it’s all about
DiGA manufacturers are currently receiving a letter from the Data Protection Conference (DSK) via their responsible data protection supervisory authority. In this letter, the DSK refers to the test criteria published by the BfArM in July 2022. The letter has the following subject: “Note on compliance with the data protection test criteria for manufacturers of health applications in accordance with Section 139e (1) and (11) SGB V”. These test criteria are intended to enable external certification in accordance with Art. 42 GDPR from 1 August 2024.
However, the DSK now considers it necessary that you “review the test criteria published by the BfArM (…) and implement the data protection requirements” before this date.
Through this direct approach by the local data protection supervisory authority, the DSK is already giving the test criteria considerable weight.
The reason for this could be further delays in the implementation of the certification process. Evidently, the data protection criteria are to be enforced now, without waiting for the protracted implementation of the certification procedure.
We recommend that you carry out the “own critical review” mentioned by the DSK at short notice. If you have any questions, please do not hesitate to contact our data protection experts.