As permitted by the GDPR, France has enacted some specific requirements for the processing of health data, in particular in the context of medical research. Following a report, the French supervisory authority (“CNIL”) audited two organizations carrying out medical research in early 2022 to check their compliance with these requirements. On March 13, 2023, the CNIL published a statement announcing that it reminded these two organizations of their legal obligations under the French data protection framework.
Under the French data protection rules, the processing of health data for most medical research purposes must either be specifically authorized by the CNIL or comply with one of the standards issued by the CNIL (e.g., the MR-001, MR-002, etc.).
The CNIL’s standards require in particular that the controller conduct a data protection impact assessment for the medical research it intends to carry out, which neither of the two audited organizations had done. The CNIL clarifies in its statement that controllers may conduct a single assessment covering several processing operations that present similar risks (e.g., similar research projects using the same IT tools).
Another requirement is that patients participating in the research must receive all the information mandated by Art. 13 GDPR. After auditing the two organizations, the CNIL found that the information they provided to patients was incomplete. For example, they sometimes failed to mention the categories of personal data collected, the retention period, the data protection officer’s contact details or the right to lodge a complaint with the CNIL. The CNIL also highlighted that in one case, patients were wrongly told that their data was “anonymized”, whereas, according to the CNIL, it was only coded or “pseudonymized”. The distinction matters: pseudonymized data that can still be attributed to a person with additional information (here, the coding key) remains personal data under the GDPR, so the processing stays within the scope of the rules, while genuinely anonymized data does not. Despite being found in breach of the French data protection rules, neither of the audited organizations was fined. The CNIL only issued a formal reminder of their legal obligations before closing the proceedings. However, this public statement serves as a good reminder for medical research organizations to keep an eye on their compliance with the GDPR and local Member State rules.