New CNIL standard for all companies doing product vigilance activities

By Ariane Mole, Dora Talvard

07-2019

The CNIL published on 18 July 2019 a new standard concerning the processing of personal data for the purpose of vigilance in the health sector.

This standard, long awaited by the industry, applies notably to pharmacovigilance and materiovigilance, i.e. to all companies doing product vigilance (pharma, medical devices, addictive substances, cosmetics, food safety, etc.).

The standard is of great importance since, according to the French Data Protection Act, such processing activities are subject to the CNIL’s prior authorization. The scope of the French prior authorization requirement is extraterritorial, and any organization worldwide doing product vigilance on individuals residing in France must obtain an authorization in order to be allowed to carry on its activities. However, if its activities comply with the CNIL’s new standard, it can now file a declaration of compliance with the CNIL instead of filing a full request for authorization.

The standard provides a detailed framework that must be complied with in order to benefit from the simplified filing procedure, including the purposes of the processing, the legal basis, the personal data that can be processed, the recipients, the storage period, the content of the data subjects’ information notice, the security requirements, and the conditions for transfers of personal data outside of France. A data protection impact assessment is required.

If a processing activity does not meet all the requirements of the standard, an authorization from the CNIL will remain necessary.

Link to the CNIL's new standard (in French)