When is the processing of data from medical implants lawful? The legal grounds for processing health-related personal data from ICT implantable medical devices for treatment purposes under EU data protection law.
Medical Law Review (IF 1.7), Pub Date: 2023-08-25, DOI: 10.1093/medlaw/fwac038
Sarita Lindstad, Kaspar Rosager Ludvigsen

Medicine is one of the biggest use cases for emerging information technologies. Data processing brings huge advantages but forces lawmakers and practitioners to balance between privacy, autonomy, accessibility, and functionality. ICT-connected Implantable Medical Devices plant themselves firmly between traditional medical equipment and software that processes health-related personal data, and these implants face many data management challenges. It is essential that healthcare providers and others can identify and understand the legal grounds they rely on to process data. The European Union is currently updating its framework, and the special provisions in the GDPR, the current ePrivacy Directive, and the coming ePrivacy Regulation all provide enhanced thresholds for processing data. This article provides an overview and explanation of the applicability of the rules and the legal grounds for processing data. We find that only a cumulative application of the GDPR and the ePrivacy rules ensures adequate protection of this data and present the legal grounds for processing in these cases. We discuss the challenges in obtaining and maintaining valid consent and necessity as a legal ground for processing and offer use case-specific discussions of the role of consent long-term and the lack of an adequate 'vital interest' exception in the ePrivacy rules.

Updated: 2022-10-25