As permitted by the GDPR, France has enacted specific requirements for the processing of health data, in particular in the context of medical research.  Following a report, the French supervisory authority (the “CNIL”) audited two organizations carrying out medical research in early 2022 to check their compliance with these requirements.  On March 13, 2023, the CNIL published a statement announcing that it had reminded these two organizations of their legal obligations under the French data protection framework.

Under the French data protection rules, the processing of health data for most medical research purposes must either be specifically authorized by the CNIL or comply with one of the standards issued by the CNIL (e.g., the MR-001, MR-002, etc.).

The CNIL’s standards require in particular that the controller conduct a data protection impact assessment for the medical research it intends to carry out, which neither of the two audited organizations had done.  The CNIL clarifies in its statement that controllers may conduct a single assessment covering several processing operations that present similar risks (e.g., similar research projects using the same IT tools).

Another requirement is that patients participating in the research must receive all the information mandated by Art. 13 GDPR.  After auditing the two organizations, the CNIL found that the information they provided to patients was incomplete.  For example, they sometimes failed to mention the type of personal data collected, the retention period, the data protection officer’s contact details or the right to lodge a complaint with the CNIL.  The CNIL also highlighted that in one case, patients were wrongfully told that the data was “anonymized”, whereas, according to the CNIL, it was only coded or “pseudonymized”.

Despite being found in breach of the French data protection rules, neither of the audited organizations was fined.  The CNIL only issued a formal reminder of their legal obligations before closing the proceedings.  However, this public statement serves as a useful reminder for medical research organizations to keep an eye on their compliance with the GDPR and local Member State rules.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Alix Bertrand

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix is a member of the Paris and Brussels Bars.