The French data protection authority ('CNIL') released, on 28 September 2022, a checklist for personal data processing activities carried out for the purposes of creating health data warehouses, for data controllers to support compliance with CNIL's referential on the same adopted in October 2021. In particular, CNIL highlighted that any missing sections indicates that the proposed processing of health data, constituting sensitive data, does not comply with its referential and as such the controller must obtain prior authorisation from CNIL. More specifically, the checklist covers, among other things, whether data controllers have completed a Data Protection Impact Assessment ('DPIA'), cross-border data transfers will be involved, contracts with processors have been concluded, data subject rights facilitated, incident prevention and management procedures have been implemented, and training and awareness of any staff has been carried out.

You can read the press release here and the checklist here, both only available in French.