Please be informed that a new version of the technical file describing the M2 criteria has been published.
The following text has been as clarification to criterion 6:
The providers of category 3 apps confirm that they have carried out a data protection impact assessment according to articles 35 and 36 of the General Data Protection Regulation (GDPR) and have made it publicly available, indicating the url where it is available.
In case the communication of personal data by the application requires an authorization from the Information Security Committee according to Chapter VII of the Act of December 13, 2006 containing various provisions concerning health, this communication only takes place after such authorization has been obtained and in accordance with the provisions of this authorization.