Back to CNIL Day on “Health Data Protection: From Care to Research”

19 July 2022

On June 23rd the French Data Protection Authority, the National Commission for Data Protection and Liberties (hereinafter “CNIL”), organized a one-day conference in partnership with Bordeaux University. This event was an opportunity for attendees to receive a technical and operational point of view on the implementation of GDPR in the health care environment.

Cloud security certifications provide a degree of transparency and can help the controller have greater confidence in the security of the CSPs. This article briefly describes cloud computing and then describes the different certification schemes currently in operation. We provide guidance to controllers on how to fulfil their obligations when working with CSPs.

The legal framework for health personal data

In accordance with Article 4 of GDPR, personal data relating to health are considered as information “related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. By referring to this definition and to the prohibition on processing such data, owing to their sensitive nature, set out in Article 9, the CNIL’s jurists have strengthened the full enforcement of GDPR on this type of data. The CNIL recommended identifying the data through a case-by-case analysis with regard to the context of their collection. This qualification work can reveal three types of health personal data: health data by nature, health data leading to health status by correlation with other information, and health data used for a specific medical purpose. In addition to GDPR, protection of health personal data shall also include other specific regulations applicable to the health care environment, such as:

  • the prohibition of collecting health personal data (Article 8 and Chapter 9 of the French Computer and Freedom Law);
  • medical confidentiality and respect for privacy (Article L. 1110-4 of the French Public Health Code);
  • health personal data hosting (Articles L. 1111-8, R. 1111-8-8);
  • no commercial use of health personal data (Articles L. 1111-8, L. 4113-7 of the French Public Health Code).

Medical Research Legal Specificities in France

Jurists from the CNIL and Bordeaux University introduced the French legal framework for data protection in the medical research context. This system is built on the distinction between 2 types of research projects: projects involving human subjects (RIPH) and projects not involving human subjects (RNIPH).
There are 3 categories of RIPH:

  • those entailing a procedure that is not justified by the person’s usual care and is not without risks for the person (RIPH1),
  • those entailing a procedure with minimal risks and constraints for the person (RIPH2),
  • those not entailing a procedure and not bringing any risks (RIPH3).

For all of them (RIPH or RNIPH), data protection is implemented through the following steps:

  • characterizing the research project;
  • determining the procedure applicable to the research project;
  • carrying out a data protection impact assessment if necessary;
  • checking and documenting the research project’s conformity with one of the CNIL’s reference methods;
  • submitting the research project to French Competent Authorities and/or Ethics Committees to get their opinion or authorization before the start of the project if necessary;
  • in case of non-conformity with a reference method, asking the CNIL for a specific authorization for the research.

The CNIL enforced reference methods as simplified authorization processes to guarantee the implementation of GDPR principles and data confidentiality. There are currently six reference methods that cover six specific regulatory processes, each of which introduces a set of conditions to comply with for a sponsor based in France. This is regardless of the location of the research participants, any research project conducted on French participants, or the location of the sponsor. If the CNIL must deliver a specific authorization for a research project in case of non-compliance with a reference method, the CNIL will be attentive to the preservation of participants’ interests.

Implementing GDPR in hospital

The DPO and the IT Director from Bordeaux Hospital provided an operational point of view on the enforcement of GDPR inside the structure. Together, they underlined the difficulty of enforcing the GDPR given the large number of processing activities involving large flows of personal data. These processing activities do not only cover healthcare within the hospital; they also cover HR, financial affairs, and large-scale supplier management. As in other structures, the DPO of Bordeaux Hospital emphasized the challenge of getting people to consider GDPR implementation as a priority, which implies their involvement. At the national level, the CNIL reported that 30,000 DPOs have been appointed for 80,000 organisations. This number has increased over the past years but still falls well short of what is required, as many organisations are still working without a DPO even though it is mandatory.


Benoit Morel

Data Protection Manager


Anastassia Negrouk

DPO & Chief Operating Officer
