France: Issued CNIL formal reminder for two medical research organisations of their data protection obligations

On 13 March 2023, the French Data Protection Authority (CNIL) issued a statement reminding two organisations carrying out medical research of their legal obligations under the French data protection framework. The reminder follows an investigation into two organisations carrying out medical research between January and July 2022, which found that they failed to conduct a data protection impact assessment for their medical research as required by law. In addition, the CNIL found that the information provided by the organisations to patients participating in the research was incomplete. In particular, the CNIL determined that the organisations sometimes failed to specify the nature of personal data collected, their retention period, the data protection officer’s contact details, or the right to lodge a complaint with the CNIL. The CNIL also noted that in one case, patients were wrongfully told that the data was “anonymised”, where it was only “pseudonymised”. The CNIL has now closed the proceedings against the organisations.