Product liability is presumed liability rather than strict liability, since it does not depend on establishing the manufacturer's fault but on the existence of a defect in the product. It is therefore for the injured party to prove the causal connection, not between the product and the damage, but between the defect and the damage; once that proof has been provided, it is for the manufacturer to provide the corresponding exonerating proof, by demonstrating that the defect did not exist at the time the product was put into circulation, or that it was not evident at that time in the light of the state of scientific and technical knowledge.
Both physical damage, i.e., damage caused by death or personal injury, and material damage, i.e., destruction or deterioration of something other than the defective product, are compensable.
Should the software included in the digital health app be considered a medical device, because it is used to monitor physiological processes or otherwise to collect and provide information and to take diagnostic or therapeutic decisions, it is likely to fall within class IIa or IIb of medical devices, which require CE marking with the involvement of the so-called "Notified Body." Should it not fall, for any reason, within class IIa or IIb, it would probably fall within the definition of class I medical devices, which still require CE marking but without the involvement of the "Notified Body" in the CE marking process.
In addition, all medical devices, irrespective of their class, must be notified to the Ministry of Health for registration before they are launched on the market.
Failure to comply with the above-mentioned rules could result in both criminal and pecuniary sanctions up to €128,400.
As far as data protection regulation is concerned, it should be noted that, other than in the cases in which the app is used for telemedicine purposes, the consent of the data subject to the processing of his/her health data is required.
Consent must be given before the medical app is actually installed on the user's own device, and all the other rights granted to the user by the GDPR (withdrawal of consent, erasure/right to be forgotten, etc.) must be exercisable with the same ease.
Consent must be given for every purpose specified in the information notice, which must be written in simple and clear language, in a transparent form that is easily accessible to users and patients.
The Italian Data Protection Authority has stated that the data controller should also implement ("privacy by design and privacy by default") all the appropriate technical and organisational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of the processing, the retention period and accessibility. In particular, such measures must ensure that, by default, personal data are not made accessible to an indefinite number of persons.
In addition, with regard to the storage methods, retention period and security measures adopted, the developer and/or producer of e-Health apps must provide, again within the information notice, all the necessary information, in accordance also with the Privacy Code of Conduct on Mobile Health Apps and Articles 32 and 35 of the GDPR.
In the event of violations of data protection obligations, significant fines may be imposed on operators. The sanctions, depending on the violation, can be up to 10 or 20 million Euros or up to 2% or 4% of the annual worldwide turnover of the previous year, whichever is higher.