REGULATORY FRAMEWORK FOR PERSONALISED NUTRITION€¦ · Agenda (1) Personalised nutrition: food with health effects, usually referred to as “functional foods” > regulatory framework

REGULATORY FRAMEWORK

FOR

PERSONALISED NUTRITION

Food Matters Live London, 22 November 2018 11.05 – 11.25 AM

Karin Verzijden www.axonlawyers.com

2

Agenda

(1) Personalised nutrition: food with health effects, usually referred to as

“functional foods” > regulatory framework of functional foods

(2) Targeted approach: not one-size-fits all, but targeted particular

lifestyles and dietary requirements > implies processing of personal

data

Example: MixFit’s solution for personalized nutrition:

https://www.youtube.com/watch?v=n1cJdqf20PY

3



Regulatory framework functional foods

No legal definition of functional foods / personalised nutrition

• Food products as a start

• Health benefits link these products to medicinal products…

• … or even to medical devices.

In order to correctly position your product, any operator in the personalized

nutrition space should be familiar with this regulatory framework.

4


Food product (art. 2 Regulation 178/2002)

Any substance or product, whether or not processed, intended to be

ingested by humans.

Sub-categories include:

• Food supplements

• Fortified foods

• Medical foods

• Novel foods

Examples: food (ingredients) high in certain vitamins & minerals / protein

rich foods / new functional ingredients /

5


Medicinal product (art. 1.2 Directive EU/2001/83) is any substance

• presented as having properties for treating / preventing disease

• which may be used in humans to restore, modify or correct

physiological functions by exerting a pharmacological / immunological

or metabolic action (…)

Application in practise

• As of the 80’ies, the ECJ has developed the criteria “medicinal product

by presentation” and “medicinal product by function”.

• Examples: Van Bennekom (227/82) and Hecht-Pharma (C-140/07).

6


Medical devices (art. 2.1 Regulation 2017/547)

• Any instrument, apparatus, appliance etc.

• intended by the manufacturer to be used for a specific medical purpose

• such as the diagnosis / monitoring / prevention of a disease

• which does not achieve its principal intended action by a

pharmacological, immunological or metabolic means.

Examples include medical apps or certain dietary formula’s.

7


For each type of product, specific rules for market access apply

• Food products: in principle no prior market authorization required

• Medicinal product: prior market authorization mandatory

• Medical devices: CE-mark mandatory

For each type of product, specific rules for advertising apply

Focusing on food products only:

• For food products use of authorized nutrition & health claims is, in

principle, permitted.

• Use of medical claims is strictly prohibited (consideration 3 Regulation

1924/2006 and art. 7.1 (b) Regulation 1169/2011).

8


• Nutrition claim informs what’s in the product: e.g. “high in protein”.

• Health claim informs on the effect of a product: e.g. “Plant stanol esters

have been shown to lower/reduce blood cholesterol. High cholesterol is

a risk factor in the development of coronary heart disease”.

Scope of application: B2C, however also applicable in B2B when involving

HCP’s (ECJ C-19/15 Verband Sozialer Wettbewerb v Innova Vital)

• Medical claim states or implies that a certain product reduces a health

problem: “Spirulina contributes to the improvements of the brain

function” or “Aloë Vera contributes to calming down digestion”.

9

Regulatory framework functional foods • Thin line between authorized health claims (in particular disease risk

reduction claims) and prohibited medical claims.

When marketing functional foods the distinction is of the essence, because:

• in case of doubt, medicinal products legislation > any other legislation

(art. 2.2 Directive 2001/83);

• medicinal products cannot be marketed without a market authorization

issued by the competent authorities of a Member State;

• when marketing food products that by function or presentation qualify as

a medicinal product, you are at risk of important fines.

10

Processing personal data

An an operator in the personalized nutrition space, you are

processing personal data.

Remember the MixFit movie:

“MixFit gets to know you and your lifestyle to decide which one is the most

performing fuel for the perfect machine called you.”

“FitBit analyses biometric, genetic and lifestyle inputs to define which

one is the best and most balanced nutrition for you.”


12

As per 25 May 2018 the GDPR applies in all Member States

www.eugdpr.org


13

Why has the GDPR such a large impact?

Broad scope: GDPR applies to any processing of personal data of EU data

subjects

• no need for controller / processor to be based in EU

• no requirement for any payments by data subjects in view of products or

services offered

• also covers monitoring behaviour of EU citizens


14

Major changes in a nutshell

Rights of data subjects increased + strengthened

• E.g right to transparent info, new rights re. data portability and profiling

Obligations for controllers (and processors) have increased

• stricter requirements for consent

• demonstration compliance GDPR & transparency

• DPIA and DPO

• privacy by design and privacy by default

Enforcement serious stuff

• Administrative fines can go up to 4 % annual turnover of entire group


15

How to lawfully run a business offering personalised nutrition?

• Biometric data, genetic data and data concerning health are “special

categories of data” or “sensitive data”

• Explicit consent from the data subjects is required for processing

sensitive data.

• Consent should be “clear affirmative act”

• Pre-ticked boxes no go!

• Withdrawal consent should be as easy as providing it

• Burden of proof is on the controller / processor

• Identical requirements apply to potential partners.


16

Principle of granular consent applied to personalised nutrition

Example

Health technology company MixFit wants to:

• share the personal data it obtains from its clients with its micro nutrients

supplier DSM;

• apply profiling, i.e. any form of automated form or processing personal

data to evaluate certain personal aspects;

• use the personal data from its clients to do direct marketing.

Granular consent implies that each specific aspect of MixFit’s business

must be covered by an (explicit) consent. Direct marketing excepted?


17

Proper administration of personal data in order to accommodate

clients requests

• Example 1: Client want to access his/her personal data

You should be able to provide these data within reasonable time.

• Example 2: Client objects against further direct marketing

You should be able to delete client from the direct marketing list.

• Example 3: Client wants to obtain his/her full data and wants to have

these transferred to your competitor (“right to data portability”)

You should provide these data in a structured, commonly used and

machine-readable format and, in principle, transfer these to your competitor


18

Data Protection Officer (DPO)

Data Protection Impact Assessement (DPIA)

• What is it?

• When do you need one in the personalised nutrition business?

• What are the consequences of (not) putting in place a DPO / DPIA?

When core activities of your company:

• comprise the processing on a large scale of sensitive data > DPO is

required;

• are likely to result in high privacy risks > DPIA is mandatory.

> Recent guidance of EDPB on 9 high risk processing actions (Oct. 2018).


19

Privacy by default

Only process those personal data that are necessary for each specific

purpose of your business.

Do not ask for more data if not needed for your business, such as

physical or IP address, gender or date of birth (“data minimization”)

Data protection by design

Apply appropriate technical and organizational measures to your business

to implement data protection principles.

Apply pseudonimisation


20

How about GDPR enforcement so far?

• 1st fine of € 4.800 imposed by Austrian Data Protection Authority to

online gambling business monitoring large part of public space with

camera attached to its premises.

• July 2018: 2nd set of fines imposed by Portugese Data Protection

Authority to hospital upon inspection for not respecting patient

confidentiality (€ 300.000,00) and for the inability to ensure data integrity

into its system (€ 100.000,00)

2

1

Conclusions

22

(1) Market access of functional foods

Make sure your products fall into the “food” category and stick to the rules.

(2) Advertising functional foods

Use only authorized health & nutrition claims and avoid medical claims

(3) Processing personal data of your clients

• Do not obtain more data than required for your business.

• Properly inform the client on the use of those data.

• Put in place appropriate measures in order to safely process personal

data and to be able to properly address client request.

Appropriate data processing measures can be a competitive advantage!

Documents

REGULATORY FRAMEWORK FOR PERSONALISED NUTRITION€¦ · Agenda (1) Personalised nutrition: food with health effects, usually referred to as “functional foods” > regulatory framework