Privacy Notice - Medical Devices Incident Reporting

The HPRA is responsible for collecting reports about incidents relating to medical devices. The HPRA assesses all incidents reported to us in order to ensure appropriate follow up and to prevent similar incidents happening again.

What information do we process?

Some of the information in incident reports will comprise personal data, and will include what are called special categories of personal data, in particular, health data.

How is your information shared?

Your contact details included on this form will be primarily used for the purposes of interaction with you regarding this incident report. Your personal data (including your contact details) may be provided to the manufacturer, distributor or person responsible for the medical devices, known as the authorised representative.  It may also be necessary to share your personal data (including your contact details) with the health care professional who implanted or who provides support in relation to your medical device or medical condition. Partially anonymised details of this report (your personal contact information will be removed) may also be shared with other international medical device regulators through IMDRF, a global forum for medical device regulators.

Sharing of the information you are submitting ensures that the information is available to all parties responsible for the safety of medical devices and allows for appropriate follow up and investigation of incidents.

What is the legal basis for processing your information?

The HPRA is legally obliged to collect what are called ‘incident reports’ relating to medical devices under the provisions of the Medical Devices Directives (and related Irish legislation) and EU Regulations 2017/745 and 2017/746 when they are applicable. The HPRA is also legally obliged to monitor investigation into incidents involving medical devices by the manufacturers, distributors or the authorised representative.

The legal basis for processing personal data in incident reports is firstly, Article 6(1)(c) of the General Data Protection Regulation (GDPR), which states:

Processing is necessary for compliance with a legal obligation to which the controller is subject

Secondly, in terms of special categories of personal data, the HPRA relies on Article 9(2)(i) of GDPR, which states:

processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

The personal data in incident reports collected by the HPRA is not expected to be transmitted to third countries by the HPRA.  The data is retained indefinitely.

The HPRA is a data controller in respect of the data in incident reports.

What are your rights under data protection law?

The right exists to request a copy of personal data held by the HPRA and to have any inaccuracies in such data corrected or deleted. Further details on data protection can be found here.

To make a request regarding your personal data under the GDPR, please submit your request in writing or via email:

Data Protection Officer
Health Products Regulatory Authority 
Kevin O’Malley House, 
Earlsfort Centre
Earlsfort Terrace
Dublin 2
Tel: +353 (1) 6764971
Fax:+353 (1) 6767836


Please ensure that you describe the records you seek in the greatest detail possible to enable us to identify the relevant records. The HPRA must confirm within one month if data is held and if so, the description of the data and the purposes for which they are kept.  The Irish supervisory authority for data protection is the Data Protection Commission. They may be contacted here. Details of your entitlement to complain to the Data Protection Commissioner will be included in the decision letter or email.