REGULATORY FRAMEWORK FOR PERSONALISED NUTRITION
Food Matters Live London, 22 November 2018 11.05 – 11.25 AM
Karin Verzijden www.axonlawyers.com
Agenda
(1) Personalised nutrition: food with health effects, usually referred to as
“functional foods” > regulatory framework of functional foods
(2) Targeted approach: not one-size-fits-all, but targeted at particular
lifestyles and dietary requirements > implies processing of personal
data
Example: MixFit’s solution for personalized nutrition:
https://www.youtube.com/watch?v=n1cJdqf20PY
Regulatory framework functional foods
No legal definition of functional foods / personalised nutrition
• Food products as a start
• Health benefits link these products to medicinal products…
• … or even to medical devices.
In order to correctly position your product, any operator in the personalized
nutrition space should be familiar with this regulatory framework.
Regulatory framework functional foods
Food product (art. 2 Regulation 178/2002)
Any substance or product, whether or not processed, intended to be
ingested by humans.
Sub-categories include:
• Food supplements
• Fortified foods
• Medical foods
• Novel foods
Examples: food (ingredients) high in certain vitamins & minerals / protein
rich foods / new functional ingredients /
Regulatory framework functional foods
Medicinal product (art. 1.2 Directive EU/2001/83) is any substance
• presented as having properties for treating / preventing disease
• which may be used in humans to restore, modify or correct
physiological functions by exerting a pharmacological / immunological
or metabolic action (…)
Application in practice
• As of the 1980s, the ECJ has developed the criteria “medicinal product
by presentation” and “medicinal product by function”.
• Examples: Van Bennekom (227/82) and Hecht-Pharma (C-140/07).
Regulatory framework functional foods
Medical devices (art. 2.1 Regulation 2017/547)
• Any instrument, apparatus, appliance etc.
• intended by the manufacturer to be used for a specific medical purpose
• such as the diagnosis / monitoring / prevention of a disease
• which does not achieve its principal intended action by a
pharmacological, immunological or metabolic means.
Examples include medical apps or certain dietary formulas.
Regulatory framework functional foods
For each type of product, specific rules for market access apply
• Food products: in principle no prior market authorization required
• Medicinal product: prior market authorization mandatory
• Medical devices: CE-mark mandatory
For each type of product, specific rules for advertising apply
Focusing on food products only:
• For food products use of authorized nutrition & health claims is, in
principle, permitted.
• Use of medical claims is strictly prohibited (consideration 3 Regulation
1924/2006 and art. 7.1 (b) Regulation 1169/2011).
Regulatory framework functional foods
• Nutrition claim informs what’s in the product: e.g. “high in protein”.
• Health claim informs on the effect of a product: e.g. “Plant stanol esters
have been shown to lower/reduce blood cholesterol. High cholesterol is
a risk factor in the development of coronary heart disease”.
Scope of application: B2C, however also applicable in B2B when involving
HCPs (ECJ C-19/15 Verband Sozialer Wettbewerb v Innova Vital)
• Medical claim states or implies that a certain product reduces a health
problem: “Spirulina contributes to the improvements of the brain
function” or “Aloë Vera contributes to calming down digestion”.
Regulatory framework functional foods
• Thin line between authorized health claims (in particular disease risk
reduction claims) and prohibited medical claims.
When marketing functional foods the distinction is of the essence, because:
• in case of doubt, medicinal products legislation prevails over any other legislation
(art. 2.2 Directive 2001/83);
• medicinal products cannot be marketed without a market authorization
issued by the competent authorities of a Member State;
• when marketing food products that by function or presentation qualify as
a medicinal product, you are at risk of important fines.
Processing personal data
As an operator in the personalized nutrition space, you are
processing personal data.
Remember the MixFit movie:
“MixFit gets to know you and your lifestyle to decide which one is the most
performing fuel for the perfect machine called you.”
“FitBit analyses biometric, genetic and lifestyle inputs to define which
one is the best and most balanced nutrition for you.”
Processing personal data
As of 25 May 2018 the GDPR applies in all Member States
www.eugdpr.org
Processing personal data
Why does the GDPR have such a large impact?
Broad scope: GDPR applies to any processing of personal data of EU data
subjects
• no need for controller / processor to be based in EU
• no requirement for any payments by data subjects in view of products or
services offered
• also covers monitoring behaviour of EU citizens
Processing personal data
Major changes in a nutshell
Rights of data subjects increased + strengthened
• E.g. right to transparent info, new rights re. data portability and profiling
Obligations for controllers (and processors) have increased
• stricter requirements for consent
• demonstrating compliance with the GDPR & transparency
• DPIA and DPO
• privacy by design and privacy by default
Enforcement serious stuff
• Administrative fines can go up to 4 % annual turnover of entire group
Processing personal data
How to lawfully run a business offering personalised nutrition?
• Biometric data, genetic data and data concerning health are “special
categories of data” or “sensitive data”
• Explicit consent from the data subjects is required for processing
sensitive data.
• Consent should be a “clear affirmative act”
• Pre-ticked boxes no go!
• Withdrawal of consent should be as easy as providing it
• Burden of proof is on the controller / processor
• Identical requirements apply to potential partners.
Processing personal data
Principle of granular consent applied to personalised nutrition
Example
Health technology company MixFit wants to:
• share the personal data it obtains from its clients with its micro nutrients
supplier DSM;
• apply profiling, i.e. any form of automated processing of personal
data to evaluate certain personal aspects;
• use the personal data from its clients to do direct marketing.
Granular consent implies that each specific aspect of MixFit’s business
must be covered by an (explicit) consent. Direct marketing excepted?
Processing personal data
Proper administration of personal data in order to accommodate
client requests
• Example 1: Client wants to access his/her personal data
You should be able to provide these data within reasonable time.
• Example 2: Client objects against further direct marketing
You should be able to delete client from the direct marketing list.
• Example 3: Client wants to obtain his/her full data and wants to have
these transferred to your competitor (“right to data portability”)
You should provide these data in a structured, commonly used and
machine-readable format and, in principle, transfer these to your competitor
Processing personal data
Data Protection Officer (DPO)
Data Protection Impact Assessment (DPIA)
• What is it?
• When do you need one in the personalised nutrition business?
• What are the consequences of (not) putting in place a DPO / DPIA?
When core activities of your company:
• comprise the processing on a large scale of sensitive data > DPO is
required;
• are likely to result in high privacy risks > DPIA is mandatory.
> Recent guidance of EDPB on 9 high risk processing actions (Oct. 2018).
Processing personal data
Privacy by default
Only process those personal data that are necessary for each specific
purpose of your business.
Do not ask for more data if not needed for your business, such as
physical or IP address, gender or date of birth (“data minimization”)
Data protection by design
Apply appropriate technical and organizational measures to your business
to implement data protection principles.
Apply pseudonymisation
Processing personal data
How about GDPR enforcement so far?
• 1st fine of € 4.800 imposed by Austrian Data Protection Authority to
online gambling business monitoring large part of public space with
camera attached to its premises.
• July 2018: 2nd set of fines imposed by Portuguese Data Protection
Authority to hospital upon inspection for not respecting patient
confidentiality (€ 300.000,00) and for the inability to ensure data integrity
into its system (€ 100.000,00)
Conclusions
(1) Market access of functional foods
Make sure your products fall into the “food” category and stick to the rules.
(2) Advertising functional foods
Use only authorized health & nutrition claims and avoid medical claims
(3) Processing personal data of your clients
• Do not obtain more data than required for your business.
• Properly inform the client on the use of those data.
• Put in place appropriate measures in order to safely process personal
data and to be able to properly address client requests.
Appropriate data processing measures can be a competitive advantage!