As permitted by the GDPR, France has enacted some specific requirements for the processing of health data, in particular in the context of medical research.  Following a report, the French supervisory authority (“CNIL”) audited two organizations carrying out medical research in early 2022 to check their compliance with these requirements.  On March 13, 2023, the CNIL published a statement announcing that it reminded these two organizations of their legal obligations under the French data protection framework. 

Under the French data protection rules, the processing of health data for most medical research purposes must either be specifically authorized by the CNIL or comply with one of the standards issued by the CNIL (e.g., the MR-001, MR-002, etc.).

The CNIL’s standards require in particular that the controller conduct a data protection impact assessment for the medical research it intends to conduct, something that neither of the two audited organizations had done.  The CNIL clarifies in its statement that controllers may conduct a single assessment to cover several processing operations presenting similar risks (e.g., similar research projects using the same IT tools).

Another requirement is that patients participating in the research must receive all the information mandated by Art. 13 GDPR.  After auditing the two organizations, the CNIL found that the information they provided to patients was incomplete.  For example, they sometimes failed to mention the type of personal data collected, the retention period, the data protection officer’s contact details or the right to lodge a complaint with the CNIL.  The CNIL also highlighted that in one case, patients were wrongfully told that the data was “anonymized”, whereas, according to the CNIL, it was only coded or “pseudonymized”.

Despite being found in breach of the French data protection rules, neither of the audited organizations was fined.  The CNIL only issued a formal reminder of their legal obligations before closing the proceedings.  However, this public statement serves as a good reminder for medical research organizations to keep an eye on their compliance with the GDPR and local Member State rules.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on adopted laws, regulations and guidelines, to the representation of clients in non-contentious and contentious matters before data protection authorities.

Alix Bertrand

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix is a member of the Paris and Brussels Bars.