NAALA | Not An Average Legal Advisor

Knowledge center

Latest Posts

What if we told you that software can also be an in vitro diagnostic medical device? In this blog we touch upon the difference between MDR and IVDR Medical Device Software and useful decision steps that can aid the qualification. An in vitro diagnostic (IVD) medical device is…

Non-medical purpose products, such as colored contact lenses, lip fillers, and hair or tattoo removal lasers, have gained popularity in recent years. While these products do not have a medical purpose, they can still impact the health and safety of users if not manufactured or used…

Last December, the EC adopted a revamped cybersecurity law: Network and…


Information Security

With security threats arising in all sectors, international companies…

There is a new Dutch law that amends existing data protection regulations to…

Discover how technology impacts children’s healthcare and data privacy. We explore…

Businesses are required to ensure that any third-party processor they work with…

The Verzamelwet Gegevensbescherming is a new Dutch law that amends existing data protection regulations to better align them with the European Union’s General Data Protection Regulation. This blog post will provide an overview of the key changes introduced by the Verzamelwet Gegevensbescherming and what they mean for individuals and organizations operating in the Netherlands.

Is your company struggling to navigate the complex landscape of personal data transfers between the EU and the US, especially in light of recent developments such as the invalidation of the Safe Harbor agreement and the Privacy Shield? With a new draft adequacy decision currently in design, it can be challenging to stay up-to-date on the latest transfer mechanisms and compliance requirements.

Last December, the EC adopted a revamped cybersecurity law: Network and Information System (NIS) 2 Directive, succeeding an earlier NIS Directive, as cyber threats developed faster than organisations and legislation were prepared for. We provide an introduction to the NIS Directives and provide you with what your organisation can do to comply with the legislation.

In the current digitalized world, online data operates as a digital lifeline. Medical data, such as patient data, has a particularly sensitive nature, hence a high information security standard is required. ISO 27001 provides guidelines to organizations for secure storage and sharing of information. NEN 7510 is a Dutch information security standard specifically for the healthcare industry.

May 26th, 2022 was the date on which the In Vitro Diagnostic Medical Devices Regulation (hereinafter: “IVDR”) became applicable. Before this date, the European Directive 98/79 EC (IVDD) was the valid directive, from 1998 to 2022. The IVDR therefore replaces the IVDD, with new and enhanced rules. What changes have been made between these two pieces of legislation?

What is an in vitro medical device, and who is obliged to comply with the (new) rules?

Holidays are over, and most people are back in full swing at work. Time to look ahead and prepare for what the new year will bring. What’s to come in terms of laws and regulations on (in vitro) medical devices, information security, data exchange and personal data protection? Will the changes affect your organization? Find out by checking out the ultimate overview of regulatory plans and announced changes and developments in 2022.

With security threats arising in all sectors, international companies are more and more aware of the need to upgrade their information security management. Are you looking for a way to structure your security management efforts in a uniformly recognizable way? The international ISO 27001 norm provides organizations with guidance for the implementation of an information security management system. 

Following uncertain times in the international data transfer area, we finally have guidance with the publication of the final version of the new Standard Contractual Clauses by the European Commission. Concluding these SCCs is, however, not enough. On a case-by-case basis, parties need to verify that the transferred data receives adequate protection under EU law.

Under the GDPR, children deserve specific protection regarding their personal data. In the online world, their personal data, such as their likes and habits, constitute the experiences they have and the development they go through. Practice shows that developers of digital health solutions wouldn’t touch children’s solutions with a ten-foot pole, as it seems impossible to comply with privacy legislation.

The Italian DPA issued a €2,5 million fine to online meal delivery service Deliveroo for violating the GDPR. This case follows a previous case in which the Garante fined online meal delivery service Foodinho €2,6 million for violating the GDPR. Why did the two meal delivery services receive such a high fine? And what lessons can be learned from this for, say, providers of digital healthcare solutions?

Data is increasingly flowing from one continent to another. How should organizations deal with such international data flows? For those working with health data, HIPAA and GDPR surely sound familiar. However, their impact may be less well known. To what extent do the US federal law and European Regulation correspond? And what is the impact of HIPAA on EU-based organizations, and of the GDPR on US-based entities?

Do you find yourself being responsible for more requirements than you anticipated due to the processing of personal data? As you may know, all data subjects (the natural persons you process data of) deserve protection of their personal information and have rights related to their personal data. These requirements result in a set of documentation that needs to be in place. We make a distinction between ‘internal’ and ‘external’ documentation.

As a developer of e-health solutions or software as a medical device, you are not only the manufacturer in charge of ensuring the quality of the product. In addition, you’re responsible for information security and data protection. That is why we at NAALA take a holistic approach to ensuring compliance with all requirements while keeping the compliance effort efficient. But what does the overlap between MDR, GDPR and information security standards mean? Aren’t these separate processes?

Introduction to the proposed HTA regulation

After more than three years of negotiations, the Council of the European Union agreed to move forward with a mandate to start discussions with the European Parliament on Health Technology Assessment. Health Technology Assessment (hereinafter: “HTA”) is an evidence-based process that allows competent authorities to determine the relative effectiveness of new or existing technologies. 

Smart drugs: Drugs or Medical Devices?

Software is on the rise in health care: from the application of VR, AR and AI technology to health tracking apps and the ability to monitor patients at a distance. The European Medicine Association (‘EMA’) predicts that it will be seeing increasingly more drug-device combination products. But how are these products regulated? As a medical device or as a drug?

PIP breast Implants - MDR
Rolling Barrels and Ruptured Breast Implants

Over many years, the Poly Implant Prothèse (PIP) Company fraudulently made use of industrial silicone instead of medical grade silicone. Fraudulent practices such as in the PIP-case must be thwarted by the law. That was the thought of the legislators as well. This blog describes the PIP-case and its consequence: the Medical Device Regulation (MDR).