There, the BfArM provides an assessment and gives concrete answers in an FAQ. According to it, processing personal data outside the EU solely on the basis of Article 46 GDPR (standard contractual clauses) or Article 47 GDPR (binding corporate rules) is not permissible for DiGA (cf. § 4 para. 3 DiGAV).
Since the EU-US Privacy Shield was invalidated by the CJEU in Schrems II and can no longer serve as a transfer basis, using service providers from the USA is not permitted. For providers with a branch in the EU and a parent company in the USA, use is possible "under certain conditions". The main requirement is that any flow of personal data to the USA is completely excluded; responsibility for ensuring this lies with the DiGA manufacturer.
Encryption of personal data, with the keys stored in the EU, is mentioned as a possible solution, but no further details are given. In practice this only excludes a data flow if the data is encrypted within the EU before it reaches the provider and the provider never holds the keys or sees plaintext; a provider that can decrypt the data on its own infrastructure, even in an EU region, is still processing personal data.
DiGA manufacturers are therefore advised to stay within the familiar legal area and, for example, to align with the BSI IT-Grundschutz and the BSI C5 criteria catalogue for German cloud providers.