New CNIL standard for all companies doing product vigilance activities

Written By

Ariane Mole

Of Counsel
France

I am a partner and co-head of our firm's International Data Protection Group. Thanks to many years of experience dedicated to data protection, I can provide innovative and practical solutions to clients around the world.

The CNIL published on 18 July 2019 a new standard concerning the processing of personal data for the purpose of vigilance in the health sector.

This standard, long awaited by the industry, applies notably to pharmacovigilance and materiovigilance, i.e. to all companies doing product vigilance (pharma, medical devices, addictive substances, cosmetics, food safety, etc.).

The standard is of great importance because, under the French Data Protection Act, such processing activities are subject to the CNIL’s prior authorization. The scope of the French prior authorization requirement is extraterritorial: any organization worldwide doing product vigilance on individuals residing in France must obtain an authorization in order to be allowed to carry on its activities. If its activities comply with the CNIL’s new standard, however, it can now file a declaration of compliance with the CNIL instead of filing a full request for authorization.

The standard provides a detailed framework which must be complied with in order to benefit from the simplified filing procedure. It covers the purposes of the processing, the legal basis, the personal data that can be processed, the recipients, the storage period, the content of the data subjects’ information notice, the security requirements, and the conditions for transfers of personal data outside of France. A data protection impact assessment is required.

If a processing activity does not meet all the requirements of the standard, an authorization from the CNIL will remain necessary.

Link to the CNIL's new standard (in French)

Click here to access our unofficial English translation of this standard
