France: Publication of CNIL standards on health data processing implemented in the context of early access and compassionate use authorisations

The French data protection authority (Commission Nationale de l'Informatique et des Libertés – “CNIL”) has published two standards relating to the processing of personal data within the framework of "early access authorisations" (“AAP”)[1] and within the framework of "compassionate access authorisations" (“AAC”)[2]. These standards were adopted after a public consultation by two deliberations of 22 September 2022 and published in the French Official Journal of 10 November 2022.

As a reminder, early access and compassionate use schemes allows patients suffering from a serious, rare, or disabling condition to have access to a medicinal product that is not covered by a marketing authorisation in France in a given therapeutic indication.

For the implementation of these derogatory access schemes, the law requires pharmaceutical companies, with the collaboration of healthcare professionals concerned, to ensure the monitoring of patients benefiting from a medicinal product covered by such schemes (AAP and AAC). The follow-up of patients requires the collection of personal data and the creation of a file record. It was therefore essential for the CNIL to provide a framework for the processing of personal data by the pharmaceutical company responsible for the medicinal product covered by AAC or AAP.

From now on, the reference systems will allow the processing of personal data involved in AAP and AAC schemes to be implemented without an authorisation from the CNIL, provided that a declaration of compliance has been made. Indeed, the analysis of compliance of processing with the GDPR and Data Protection Act will be simplified, and the pharmaceutical companies as data controller will simply have to make a declaration of compliance with these standards to the CNIL.

In the event the requirements of the standards cannot all be complied with, a request for authorisation from the CNIL will be necessary.

Finally, it should be noted that these standards do not apply to data processing carried out within the framework of "compassionate prescription frameworks" (“CPC”), which remain subject to CNIL authorisations.

_{[1] Article L. 5121-12 of the Public Health Code}

_{[2] Article L. 5121-12-1 of the Public Health Code}