France: Decree No. 2026-209 amending provisions of public health code relating to hosting of personal health data partially enters into force

On 27 March 2026, Decree No. 2026-209 amending provisions of the public health code relating to the hosting of personal health data partially enters into force. Points 2° and 3° of Article 1 are subject to a deferred application period and will apply within six months of the decree’s publication, that is by 26 September 2026. The decree implements Article 32 of Law No. 2024-449 of 21 May 2024 on securing and regulating the digital space. It applies to patients, controllers processing personal health data, providers involved in the delivery of personal health data hosting services, and certification bodies. It introduces a new Article R. 1111-9-1 into the public health code, requiring that personal health data stored on digital media be hosted exclusively within the territory of a Member State of the European Union or a party to the Agreement on the European Economic Area. Transfers to countries outside these areas, including through remote access by a host or subcontractor, are permitted only where an adequacy decision under the General Data Protection Regulation applies or where appropriate safeguards are in place in accordance with that Regulation, together with enforceable rights and effective remedies for data subjects. The decree also amends Article R. 1111-11 to strengthen transparency requirements for hosting contracts. These must set out any applicable extra-European legal frameworks, indicate whether an adequacy decision exists, describe the safeguards implemented, and identify any remaining risks associated with data transfers or unauthorised access. In addition, hosting providers are required to publish and regularly update a mapping of transfers, remote access arrangements, and associated risks. Finally, Articles R. 1111-9, R. 1111-9-1, and R. 1111-11 are extended to the Wallis and Futuna Islands.