France: CNIL adopts three standards for the health sector and publishes guide on data retention
The French data protection authority ('CNIL') adopted, on 28 July 2020, three referentials for the health sector ('the Standards'). In particular, the Standards include a non-binding standard on the processing of personal data by medical and paramedical clinics, which replaces the simplified norm NS-50 for medical professionals and paramedicals working on an independent basis. Furthermore, the Standards include two standards on data retention periods, the first on retention periods for processing activities in the health sector outside of the research domain and the second on data retention periods for processing activities for the purposes of research, study, and analysis in the health sector.
In addition, CNIL published a practical guide ('the Guide') on data retention periods in general which offers guidance on, among other things, the principle of data minimisation, defining retention periods, and the retention period standards.
You can read the press release here, the standard on processing by medical and paramedical clinics here, the standard on data retention periods in the health sector here, the standard on data retention periods for research purposes here, and the Guide here, all only available in French.