The adequacy decision for the transfer of personal data to the USA no longer exists following the “Schrems II” ruling of the European Court of Justice. Under the DiGAV, it is not possible to fall back on other mechanisms for secure data transmission (such as standard contractual clauses). The background to this decision is apparently the special need to protect health data. The German legislator is convinced that health data is only safe in a third country if an adequacy decision is in place.
What does this mean for you as a manufacturer of DiGA?
Manufacturers of DiGA who are obliged to comply with the specifications of the DiGAV may consequently not use providers from the USA and/or with a server location in the USA until a new adequacy decision with the USA is adopted (or the DiGAV is amended). They should instead switch to European providers and/or providers in a country with an adequacy decision.
What should you do now?
- Check whether you are obliged to comply with the DiGAV.
- Check whether you are transferring data to US providers or providers with a server location in the USA.
- If the above points apply to you, switch to other authorised providers (European or from a country with an adequacy decision).
If you have any questions, please feel free to contact us.