France: Publication of CNIL standards on health data processing implemented in the context of early access and compassionate use authorisations

Written By

alexandre vuchot module
Alexandre Vuchot

Partner
France

I'm a partner in our international Commercial group, based in Paris, where I provide our clients with strategic commercial advice.

johanna harelimana Module
Johanna Harelimana

Associate
France

I am a junior associate, with experience advising clients on regulatory matters across several sectors, especially in life sciences, food and beverages, and environmental sectors.

The French data protection authority (Commission Nationale de l'Informatique et des Libertés – “CNIL”) has published two standards relating to the processing of personal data within the framework of "early access authorisations" (“AAP”)[1] and within the framework of "compassionate access authorisations" (“AAC”)[2]. These standards were adopted after a public consultation by two deliberations of 22 September 2022 and published in the French Official Journal of 10 November 2022.

As a reminder, early access and compassionate use schemes allows patients suffering from a serious, rare, or disabling condition to have access to a medicinal product that is not covered by a marketing authorisation in France in a given therapeutic indication.

For the implementation of these derogatory access schemes, the law requires pharmaceutical companies, with the collaboration of healthcare professionals concerned, to ensure the monitoring of patients benefiting from a medicinal product covered by such schemes (AAP and AAC). The follow-up of patients requires the collection of personal data and the creation of a file record. It was therefore essential for the CNIL to provide a framework for the processing of personal data by the pharmaceutical company responsible for the medicinal product covered by AAC or AAP.

From now on, the reference systems will allow the processing of personal data involved in AAP and AAC schemes to be implemented without an authorisation from the CNIL, provided that a declaration of compliance has been made. Indeed, the analysis of compliance of processing with the GDPR and Data Protection Act will be simplified, and the pharmaceutical companies as data controller will simply have to make a declaration of compliance with these standards to the CNIL.

In the event the requirements of the standards cannot all be complied with, a request for authorisation from the CNIL will be necessary.

Finally, it should be noted that these standards do not apply to data processing carried out within the framework of "compassionate prescription frameworks" (“CPC”), which remain subject to CNIL authorisations.

[1] Article L. 5121-12 of the Public Health Code

[2] Article L. 5121-12-1 of the Public Health Code

Latest insights

More Insights
featured image

Saudi Arabia: Qualified obligation on data controllers to register with Data Protection Authority

3 minutes Dec 03 2024

Read More
Curiosity line yellow background

China TMT: Bi-monthly Update - September & October 2024 Issue

19 minutes Nov 28 2024

Read More
Curiosity line green background

China Cybersecurity and Data Protection Monthly Update - November 2024 Issue

19 minutes Nov 28 2024

Read More