FRANCE Law and Practice Contributed by: Emmanuelle Trombe, Anthony Paronneau and Anne-France Moreau, McDermott Will & Schulte
2.4 Use of Online Tools to Support Clinical Trials

The use of online tools to support clinical trials (eg, for recruiting or monitoring purposes) is not fully regulated in France, although there are guidelines at the EU level. However, restrictions apply to the processing of patient data (see 2.5 Use of Data From Clinical Trials and 2.6 Personal or Sensitive Data).

2.5 Use of Data From Clinical Trials

Data resulting from clinical trials usually relate to both participants and investigating personnel, thereby qualifying as personal data under Article 4 of the General Data Protection Regulation (EU) 2016/679 (GDPR). More specifically, data relating to clinical trial participants often reveals details about their health status and generally falls within the category of “data concerning health” (GDPR, Article 4 (15)), which is part of the broader classification of sensitive data. Even when pseudonymised, such data remains classified as personal data, as pseudonymisation does not irreversibly prevent the re-identification of individuals, unlike anonymisation, which is the determining factor for data to be considered non-personal.

The transfer of health data to affiliates or third parties may occur under the established GDPR framework, provided that participants are informed and that the processing is based on one of the exemptions outlined in Article 9 of the GDPR, which serves as the legal basis for processing sensitive health data. In the context of clinical trials, such processing generally relies either on consent or on public interest, as defined under Article 9 of the GDPR and Article 44, 3° of the French Data Protection Act (Loi No 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés, or LIL).

Where processing is grounded on consent, the transfer of data is permissible only if explicitly addressed in the consent form signed by the participants.
Where the processing is based on public interest, the data controller must obtain prior authorisation from the French Data Protection Authority (CNIL) or adhere to a reference methodology. In addition, such authorisation or reference methodology must identify the third party or the affiliate as an authorised recipient.
When the recipient is located outside the European Union, additional requirements come into play. The data controller must ensure that the transfer is subject to an adequacy decision by the European Commission or, failing that, is governed by standard contractual clauses or binding corporate rules. Furthermore, the data controller may need to conduct an impact assessment to evaluate the adequacy of the third country’s legal framework in safeguarding the rights of data subjects.

2.6 Personal or Sensitive Data

In addition to the usual conditions for processing of sensitive data under the GDPR and French law (see 2.5 Use of Data From Clinical Trials), databases containing personal or sensitive data can be subject to the requirements applicable to Health Data Warehouses.

The CNIL considers that databases designed for facilitating secondary use of health data (eg, research, studies and in some cases, AI training), named “Health Data Warehouses”, qualify as autonomous health data processing and should be grounded on one of the exemptions of Article 9 of the GDPR. In practice, the legal grounds for such Health Data Warehouses are either the explicit consent from the data subject or a CNIL authorisation. A standard CNIL authorisation can be granted for organisations which comply with the framework on Health Data Warehouses – however, this framework is designed for Health Data Warehouses justified by a public interest mission.

The data protection requirements imposed by the GDPR can be supplemented by health law requirements, mainly from the French Public Health Code (FPHC), if the databases contain medical data. Organisations hosting personal health data collected in the course of preventive, diagnostic, care or medico-social monitoring activities (“HDS data”) on behalf of a data controller must hold a specific Hébergeurs de données de santé or HDS certification (Article L.1111-8 of the FPHC).
Processing of medical information is also frequently subject to a strong duty of confidentiality (“medical secrecy”) under Article L.1110-4 of the FPHC.