When does your medical app need a CE marking in Germany? And which rules apply?

You are developing an application for a mobile phone or other stand-alone software with a medical purpose – a “medical app”. You are probably already aware that the “Medizinproduktegesetz” might apply to your medical app in Germany. But does it really? When exactly? And does it apply to the complete app or only to certain modules of your app?

The good news is that the BfArM (“Bundesinstitut für Arzneimittel und Medizinprodukte”) has just published guidelines (October 2015). These guidelines are not binding, but they briefly summarize the current legal situation. The guidelines (unfortunately only in German) are available here.

So when is your app a medical device (which needs a CE marking) and when is it a mere fitness and wellness product (which does not need a CE marking)?

Practically the only relevant legal question to be answered is: “What is the intended purpose of your app?” The intended purpose of your app is determined by its labelling, its manual and your advertising. If that purpose is one or more of:

  • diagnosis, prevention, monitoring, treatment or alleviation of a disease,
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
  • investigation, replacement or modification of the anatomy or of a physiological process or
  • control of conception,

then your app will almost always be a medical device in need of a CE marking. If it does not have a CE marking, you risk criminal charges as well as impoundment of the app and possibly negative press.

If the intended purpose of your app is just fitness, wellness, sports or nutrition, the app is generally not a medical device.

The above categorization is rather broad, so the guidelines give some further – although non-binding – hints:

Whenever an app does not merely transfer data but modifies it, this is an indication of a medical device. According to the guidelines, this is especially the case if you are tempted to describe a purpose of your app with verbs such as: “to alarm”, “to analyze”, “to calculate”, “to detect”, “to diagnose”, “to interpret”, “to convert”, “to measure”, “to control”, “to surveil” or “to amplify”.

Likewise, if you implement functions in your app with regard to one of the following, your app is probably a medical device:

  • guiding a decision-making process or making decisions on “its own”,
  • calculating, e.g., the doses of drugs,
  • surveilling a patient and aggregating the data, if the results affect a diagnosis or a therapy.

On the other hand, simply saving or archiving data, compressing data losslessly, communicating the data or doing simple searches do not, on their own, make the app a medical device. General remarks like “This is not a medical device.” within the AppStore description of the app or within other kinds of manuals or advertisements are irrelevant; only the actual intended purpose counts.

You can also decide whether to certify the whole app or to isolate certain modules and certify only those. However, deciding where to draw the line between medically relevant modules and medically non-relevant parts of the app is difficult and – given the legal consequences in case of an error – risky.

The guidelines give some more examples and refer to other – already familiar – documents, in particular to MEDDEV 2.1/6, including the decision diagram in that document. MEDDEV 2.1/6 is non-binding too, though.

Another relieving statement in the guidelines is that you can generally expect your medical app (if it is a medical device) to be classified in Class I (and not IIa or IIb). A classification in Class I means that you can issue the CE declaration of conformity yourself without involving a Notified Body. On the other hand, you are solely responsible for the correct classification and for the conformity of your medical app with all the requirements. You also still have to draw up the technical documentation.

The guidelines do not give any instructions on how to design your medical app from a data privacy perspective. Here, you need to be aware not only of data security but especially of the consequences of involving third parties. Beware that even hosting a service on a third party's server (even if that server is located within Germany) is legally considered a transfer of the relevant personal data and is forbidden without a legal framework.

Also not covered by the guidelines are the legal requirements for apps in general, such as the obligatory statements in the imprint. However, most of the statements required within the imprint are listed in § 5 Telemediengesetz.