Data protection policy

Summary of NMVS regulations on the exchange of data from the NMVS with third parties

No rights may be derived from this summary

1. Introduction

1.1 The Dutch Medicines Verification Organisation (“NMVO”) manages a database for the prevention of medicines falsification: the Dutch Medicines Verification System (NMVS). The database has been in operation since 9 February 2019.

1.2 Each medicine package has a unique code. Manufacturers, licensees and wholesalers ensure that each unique code is entered into the NMVS. Pharmacists ensure that the code on the package is compared with the NMVS each time a medicine is dispensed. So-called verification scans can also be done elsewhere in the chain.

1.3 Every “movement” of a medicine package is thus recorded in the NMVS. It is also known who registers such a “movement”. This data is commercially sensitive and sometimes privacy-sensitive.

1.4 This document aims to be a readable summary of applicable laws and regulations with regard to the safety of the NMVS and the protection of personal and company data.

2. Safety and integrity of the NMVS

2.1 The technical security of the NMVS is strict. Unauthorised persons do not have access to the NMVS. Protection against hacking, DDoS attacks, malware and other threats is always kept up to date.

2.2 Users are subject to agreements or protocols that include obligations to keep the connection to the system secure and comply with the regulations with regard to the use of the system.

2.3 In the event that users compromise the integrity of the system or the proper functioning of the NMVS is compromised, NMVO maintains an escalation procedure that can ultimately lead to a user being shut out of the system.

2.4 The European umbrella organisation EMVO maintains the European central database (the so-called “hub”). The security and integrity of that central database shall be subject to equivalent rules and procedures.

3. Data exchange from the NMVS

3.1 The information that NMVO may or must exchange is set out in Commission Delegated Regulation (EU) 2016/161 of 2 October 2015 supplementing Directive 2001/83/EC of the European Parliament and of the Council by laying down detailed rules on the safety features on the package of medicinal products for human use (hereinafter referred to as “the Regulation”). Please note: this system of regulations is also informally referred to by the term “FMD”.

3.2 The sharing of data from the NMVS mainly concerns data exchange with the national competent authority (IGJ). Outside this relationship, hardly any data can and may be exchanged.

3.3 The following sections describe when data may be exchanged for each category.

4. Data on the operation of the NMVS for the IGJ

4.1 NMVO is obliged to inform IGJ about the correct functioning of the NMVS. This is not about the data itself, but about the way in which it is processed via the NMVS.

4.2 NMVO must regularly submit a report to IGJ on the operation of the NMVS. Again, this is not about the data itself.

4.3 There is also a general obligation to give the IGJ access to monitor the operation of the NMVS. This, for example, concerns processing speed, availability of the system, numbers of registrations and decommissioning of medicines packages, et cetera. The IGJ, in turn, investigates reports of potential falsifications. It is up to the IGJ what information it sees in the context of such an investigation. In doing so, the IGJ has access to all data in the NMVS, including personal data and sensitive company data. This is allowed because there is a legal basis.

4.4 Access for supervision shall also apply to supervision of investigations into possible cases of falsification. Here, data can also be viewed by the IGJ during supervision.

4.5 As mentioned, these data are exchanged with the IGJ only.

5. Audit trail and information for IGJ

5.1 The NMVS keeps a complete overview of all operations for each medicine package. An operation means, among other things, the moment that a package is put into the system, scanned by wholesalers for verification, deregistered when it is issued to the public, et cetera. This also includes the data of the users performing these operations and the nature of the operations. This overview is called the “audit trail”.

5.2 The audit trail is linked to a unique identification number of a medicine package.

5.3 If the IGJ requests an audit trail or further information with respect to a unique identifier, NMVO must provide that data. This can also comprise personal data or commercially sensitive data.

5.4 The same applies to information relating to a particular unique identifier. The Regulation does not determine what that information should be. Apart from the audit trail and information on the nature of the medicinal product, the database does not contain any information.

5.5 The data on an audit trail or a certain unique identifier is only exchanged with the IGJ.

6. Information on compliance with the Regulation for IGJ

6.1 NMVO should draw up reports enabling competent authorities to verify that marketing authorisation holders, manufacturers, wholesalers and pharmacists comply with the requirements of the Regulation. These reports are stored in the system. At the request of the IGJ, NMVO must deliver them immediately.

6.2 NMVO must report to the IGJ if a licensee, manufacturer or wholesaler no longer meets the requirements of the law.

7. Reporting possible cases of falsification to the IGJ

7.1 NMVO receives alerts if something is wrong when a package with a unique code is decommissioned. This happens if the code is not recognised when decommissioned or has been decommissioned before.

7.2 NMVO must investigate each alert. If a potential falsification cannot be ruled out, a warning is sent to the IGJ, the European Medicines Agency and the Commission, stating the unique code (from which it can also be deduced which medicine is involved) and the user from which the alert originates.

7.3 The IGJ, in turn, investigates reports of potential falsifications. For this the IGJ has access to the NMVS. It is up to the IGJ what information it sees in the context of such an investigation. In doing so, the IGJ has access to all data in the NMVS, including personal data and sensitive company data. This is allowed because there is a legal basis.

8. Information for IGJ for pharmacovigilance or pharmacoepidemiology

8.1 According to the Regulation, the IGJ must have access to the NMVS for pharmacovigilance or pharmacoepidemiology.

8.2 Pharmacovigilance refers to the harmful effects of a medicine on an individual.

8.3 Pharmacoepidemiology looks at harmful effects of a drug on a population.

8.4 It is up to the IGJ what information it studies in the context of a study on pharmacovigilance and pharmacoepidemiology. For this, the IGJ has access to the NMVS. In doing so, the IGJ has access to all data in the NMVS, including personal data and sensitive company data. This is allowed because there is a legal basis.

9. Exchange on alerts with Market Authorization Holders

9.1 A market authorisation holder is a party authorised to put a medicinal product into circulation. This is also referred to as “registration holder”.

9.2 If there is an alert, a signal will also be sent to the market authorization holder in the context of the mandatory investigation. This signal does not include where and at which transaction or issue the alert originated. This signal is only intended to alert the holder of a potential falsification of medicinal products put into circulation by the market authorization holder. This signal can be useful to determine the cause of an alert and to use this information to rule out the possibility of a potential falsification.

10. List of wholesalers

10.1 For a medicinal product bearing a unique identifier, a list of wholesalers shall be uploaded. These are wholesalers designated by market authorisation holders to provide storage and distribution. This only concerns the names of the wholesalers in question.

11. Other grounds

11.1 NMVO may be obliged to share data from the NMVS in civil, tax or criminal proceedings or an investigation. With a view to the GDPR, this is also a legal basis for sharing personal data.