Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

France: CNIL provides recommendation on new health data processing procedures

On June 13, 2024, the French data protection authority (CNIL) published its recommendation on the procedures for notifying CNIL in relation to health data processing.

In particular, CNIL reminded that Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (the Act) outlines prior formalities regarding the processing of health data. Notably, when processing health data, CNIL notes that Article 65 of the Act provides that formal authorization is not necessary where, among other things:

  • the data subject has given explicit consent to the processing of their personal data for one or more specific purposes;
  • the processing is necessary to safeguard the vital interests of the data subject or another natural person if they are incapable of giving consent; or
  • the processing is necessary for the purposes of preventive medicine, medical diagnostics, the administration of care or treatment, or the management of health services and carried out by a member of a health profession.

CNIL outlined that only substantial modifications to health data processing are subject to a new approach. Substantial modifications include changes to processing, such as the addition of new purposes or the addition of new categories of sensitive data that are collected. Substantial modifications are subject to additional steps such as obtaining new consent and a request for authorization from CNIL. Likewise, where new processing operations were implemented after authorization from CNIL, new authorization from CNIL must only be sought where the new processing operation is not compliant with the framework for processing.

Specifically, substantial modifications to processing health data include the following circumstances, among others:

  • change of identity of the controller/addition of a joint controller;
  • a new category of recipients of health data;
  • a new purpose of processing;
  • new categories of sensitive data processed;
  • addition of a new data source;
  • matching new data with data sources;
  • addition of a special category of persons concerned;
  • significant increase in the number of people concerned;
  • restriction of data subject rights compared to what was initially planned;
  • significant extension of the duration of the collection, processing, retention, etc.;
  • a change in technical and organizational measures likely to weaken data security; and
  • a data transfer under measures other than an adequacy decision, or appropriate guarantees such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

You can read the press release here, the recommendation on processing modification here, and the procedures for processing health data here, all only available in French.