France: Home Trial Visits now Compliant with Privacy, CNIL says

You might remember that, up to now, Home Trials in France didn't comply with the so-called MR001 (Methodology of Reference 001) from the French Data Protection Authority, the CNIL (cnil.fr). To make the process compliant with French privacy laws, it was mandatory to ask the CNIL for a special authorization (for each clinical study), which was very cumbersome and took quite some time.


To our knowledge, France was the only country in Europe to make it difficult to do Home Trials. For this reason, several of our clients decided not to recruit patients in France.


The reason why Home Trials couldn't comply with MR001 is that MR001 states that somebody who doesn't belong to the healthcare team of the clinical site cannot have, at the same time, the postal address of a patient and the pathology.


This was a major problem because, when a site investigator outsources the search for a nurse to an external vendor, that vendor of course needs at least the postal code and the pathology: the postal code is needed in order to find a nurse in the vicinity of the patient, and the pathology is necessary to find a nurse who is familiar with the procedures associated with the pathology.


Last year, the CNIL drafted a clarification document which was only made public recently.


This document says that DCTs are accepted, provided that the sponsor, the CRO and the nursing agencies establish a clear separation between what healthcare professionals (e.g. nurses from nursing agencies) can access, and what other people (e.g. employees from the sponsor and the CRO, or other employees from the nursing agencies) can access.


This is great news for sponsors and CROs, and it will make France more attractive to sponsors of clinical trials.

Download CNIL's clarification document here (in French): Le suivi à domicile lors de recherches dans le domaine de la santé | CNIL

Read the Q&A released by the French Network of Research Ethics Committees (in French): Foire aux questions recherches décentralisées (DGS, avril 2025) - CNCPP


Do you need support to understand French Methodologies of Reference for medical research?


Do you need to check that your home trials comply with privacy laws in the EU, UK, Switzerland or elsewhere?


==> Contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net








Neurotechnology, Brain Interfaces, Disabilities and Privacy

Brain-computer interfaces, devices implanted in the brain that let the user control external technology, are becoming an increasingly helpful tool for individuals with disabilities, IAPP and The Wall Street Journal report.


For example, they could help ALS patients and individuals with paralysis use their minds to control their environment: keyboards, exoskeletons, wheelchairs.


University of Pennsylvania Neurosurgeon Dr. Iahn Cajigas said the technology is beneficial to some individuals though it should only be used for medical needs and not marketed as a consumer product.


Read article from IAPP: Mind matters: Shaping the future of privacy in the age of neurotechnology | IAPP


Read article from WSJ (subscription needed): Coming to a Brain Near You: A Tiny Computer - WSJ


You can also read the working paper from the Berlin Group on the same topic: BfDI - Press - Berlin Group presents working paper with recommendations on neurotechnologies





Examples of Non-Compliance with Health Data Privacy

Data Protection Authorities published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


For each decision, we propose key takeaways. Use them as ideas and guidelines for your own organisation: check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).


Many thanks to GDPRhub (NOYB), to databreaches.net and to IAPP for all this valuable information!


Austria:


Fact:


The DPA held that a person receiving care in their home could not base the recording of care workers via CCTV on their legitimate interest. The DPA ordered the shutdown of the cameras during the care workers' visits. Read more on GDPRhub.


Takeaway:


If your organisation sends nurses to patients' homes, whether for routine care or for decentralized clinical trials, we recommend that, when you train the nurses, you inform them of this possibility and advise them to ask the patient to deactivate their CCTV during the home visit. You may also add a clause to this effect in the contract between your organisation and the nursing agency.


France:


Fact:


An association, les Licornes Célestes, brought an action before the Conseil d'Etat (Supreme Administrative Court) seeking, on an interim basis, the suspension of the execution of an order of the French Data Protection Authority, the CNIL, authorising the European Medicines Agency (EMA) to implement automated processing of the personal data of the general population in France for a study on the incidence and prevalence of pathologies within the framework of the "DARWIN EU" project.

This would have permitted the automated processing of health data of 10 million French citizens and their transfer to the servers of Microsoft.

After discussions with the CNIL, the EMA, the association and other stakeholders, the Court concluded that the requisite condition of urgency had not been met and the application for interim suspension was rejected.


Takeaway:


It's a well-known issue in France that several French health databases accessible to researchers are hosted by Microsoft, because the French government has a global contract with Microsoft.


This is a major issue because some US laws with extraterritorial reach could oblige Microsoft to give agencies such as the CIA or the FBI access to such servers, even if the servers are located in France.


Several members of the French Parliament have already raised questions about this, as have several groups of citizens, but so far the situation hasn't changed.


Italy:


Fact:


The Italian DPA, the Garante, fined a hospital €6,000 for unlawfully disclosing employees' health data by sending it to a shared email account. Read more on GDPRhub.


Takeaway:


This case is about human error, which can always happen even when people are well trained. The takeaway is not to use a shared mailbox to send sensitive information about the employees who access that mailbox; the hospital could retrain its employees on this point.


USA:


Fact:


The State of California sent Californians’ personal health data to LinkedIn. The website that lets Californians shop for health insurance under the Affordable Care Act, coveredca.com, has been sending sensitive data to LinkedIn, forensic testing by CalMatters has revealed.


As visitors filled out forms on the website, trackers on the same pages told LinkedIn their answers to questions about whether they were blind, pregnant, or used a high number of prescription medications. The trackers also monitored whether the visitors said they were transgender or possible victims of domestic abuse. 


Covered California, the organization that operates the website, removed the trackers while CalMatters and The Markup were reporting this story.


Visitors who filled out health information on the site may have had their data tracked for more than a year, according to Kelly Donohue, a spokesperson for Covered California, who said the LinkedIn campaign began in February 2024.


Read the article from Cal Matters here: https://calmatters.org/health/...


Takeaway:


It's hard to believe that an agency operating on behalf of a US state implemented so many trackers on a website collecting PHI. It would be interesting to know whether this was in breach of HIPAA, and whether this agency will be taken to court over it.


The takeaway for organisations in life sciences is to review their websites periodically to make sure IT developers or marketing people didn't put trackers on them, especially when the development of such websites is outsourced to an external marketing or IT agency. In that case, the contract between the life science organisation and the external agency should contain clauses banning the use of such trackers.
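One way to run such a review, as an added example that is not code from CalMatters, The Markup or Covered California: the script below parses a saved copy of a page and lists every resource loaded from a third-party host, flagging those on a short watch-list. The LinkedIn Insight Tag host names on the watch-list are real; the sample page, the domain example-health.gov and the other vendor host are constructed for the example.

```python
"""Added example (not code from CalMatters, The Markup or Covered California):
parse a saved HTML page with the standard library and list every script,
image, iframe or stylesheet fetched from a host other than the site's own,
flagging hosts on a constructed, deliberately short tracker watch-list."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watch-list of advertising/analytics hosts; extend it for your vendors.
KNOWN_TRACKER_HOSTS = {"snap.licdn.com", "px.ads.linkedin.com",   # LinkedIn tag / pixel
                       "www.googletagmanager.com", "connect.facebook.net"}
# Tag -> attribute whose value makes the browser fetch a remote resource.
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Constructed sample page: a health form with first-party assets, two
# LinkedIn tags and one ordinary third-party CDN script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
<link rel="stylesheet" href="https://cdn.example-health.gov/site.css">
<script src="https://cdn.some-vendor.example/forms.js"></script>
</head><body>
<form action="/apply"><input name="pregnant" type="checkbox"></form>
<img src="https://px.ads.linkedin.com/collect/?pid=123&fmt=gif" width="1" height="1">
</body></html>"""

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources = []          # (tag, url) for every remote-loading element

    def handle_starttag(self, tag, attrs):
        wanted = SRC_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.resources.append((tag, value))

def resource_host(url):
    """Hostname for absolute or protocol-relative URLs; None for relative ones."""
    if url.startswith("//"):
        return urlparse("https:" + url).hostname
    return urlparse(url).hostname if "://" in url else None

def find_third_party_resources(html, first_party_domain):
    """Return dicts for resources served outside first_party_domain and its
    subdomains; 'flagged' is True when the host is on the watch-list."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = resource_host(url)
        if not host or host == first_party_domain or host.endswith("." + first_party_domain):
            continue                 # relative URL or first-party host
        findings.append({"tag": tag, "host": host, "url": url,
                         "flagged": host in KNOWN_TRACKER_HOSTS})
    return findings
```

Run it over every page that collects health information, and treat any flagged host, or any unflagged third-party host nobody can explain, as a finding to raise with the agency that built the site.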


Fact:


The company Patient Protect released a report on a long-term impact model of healthcare data breaches.

In 2024, 81% of Americans had their medical records exposed. This paper quantifies what most ignore: the long-term financial damage of ePHI breaches. Not just fines — but years of patient churn, reputational fallout, and regulatory strain. Built on real-world data, our model reveals a compounding risk curve that small practices can’t afford to overlook. This isn’t a one-time threat. It’s an accelerating collapse.

Access the report here: The Economics of ePHI Exposure | Patient Protect Research & Breach Cost Modeling


Fact:


Florida: The U.S. Department of Health and Human Services' Office for Civil Rights settled with Florida health care provider BayCare Health System over a complaint that unauthorized personnel had access to sensitive health information. The company agreed to a corrective action plan and paid the agency USD 800,000.
Full story


Takeaway:

Your organisation should have a procedure for assigning access to business applications and databases to employees and external contractors. You should check at regular intervals that this procedure is properly implemented.





Discovery Hold: Compliant in the US, but What about Affiliates in Europe?

At PharMarketing, we appreciate that most of our readers are versed in biology, medicine, chemistry, manufacturing, legal, regulatory or clinical operations, but few of them feel comfortable with IT.

So, we decided to start a series on 'IT for Dummies', to help you grasp key and useful facts about IT security in a simple way.


After discussing best practices with an external hard disk in Dec/Jan, the key clauses to have in a contract with a SaaS software provider in February, the NIS2 Directive on cybersecurity in March, and protecting personal data while traveling in April, let's now look at the Discovery Hold: a procedure at the intersection of legal, IT security, privacy, IP, retention guidelines and business.


If documents are under a legal or customer-directed discovery hold, no data should be deleted, regardless of requests:


A discovery hold is a legal procedure used to preserve electronically stored information (ESI) that may be needed for litigation or an investigation. It instructs employees and systems to retain specific electronic data because there is a reasonable anticipation that it could be needed for legal proceedings. This process helps prevent the destruction or alteration of evidence that could be relevant to a case.


Some tools like Microsoft 365 provide by default a feature to create and manage a discovery hold.


Managing discovery holds can sometimes be challenging, especially when dealing with large volumes of emails or when storage limits are exceeded. For example, a mailbox might receive thousands of emails daily, which are processed and deleted by an automated system, leading to storage issues.


To address storage issues related to discovery holds, you can exclude the DiscoveryHolds folder from compliance retention policies.


In summary, a discovery hold is a crucial tool for preserving ESI in anticipation of legal proceedings, and managing it effectively requires careful consideration of storage limitations and compliance requirements.


This evidence will be extracted and analyzed using e-discovery platforms through a comprehensive review of all information. The documents to be analyzed are of a very diverse nature: internal reports, internal company notes, minutes of meetings, presentations made as part of marketing actions, but also email exchanges, transcripts of "chats" between several users and even audio media.


It is often through informal modes of communication that we find the most interesting and relevant information for the investigation or future litigation. This phase of investigation is called "pre-trial discovery". The American rules of civil procedure (Civil rights cases concluded in U.S. district courts, by disposition, 1990-2006) require each party to exchange all the relevant evidence in the dispute at its disposal, including those that are not favorable to it.


The objective is to ensure greater equality and justice between the parties. This is specific to the US: for example, in some European countries there is no obligation for the parties to produce evidence. In such case the production of evidence before the civil court is based on the free communication of documents by the parties.

In addition to this major difference in civil procedure, American companies are required to comply with the strict rules imposed by the discovery procedure, on pain of very severe penalties.


Certain personal information, such as emails, may be considered private under some European laws and are therefore protected by the secrecy of correspondence. Thus, an employer cannot access electronic messages exchanged by employees if they are personal and therefore confidential.

However, there are limits to this principle, and certain electronic communications may be subject to disclosure under specific conditions. If the employee has not identified the correspondence as personal, the employer may access this information, which is considered professional.


In the United States, the rule is different: all employee documents and files are the property of the company and are therefore accessible by the employer, because they are considered professional. As US privacy laws are not as strict as in the EU/UK/Switzerland, and as there is no Data Protection Authority in the US, this allowed the 'Discovery Hold' practice to develop. Such practice is limited in Europe at this time, as some aspects of it are contrary to the EU GDPR 2016/679.

Furthermore, if a US company has an affiliate in Europe and requests its affiliate to disclose information as part of a 'Discovery Hold' procedure, the European affiliate must first check that the transfer of personal data (if any personal data are involved) from Europe to the US complies with the EU GDPR.







Korea Wants to Secure MyData Platform

South Korea's Data Protection Authority, the Personal Information Protection Commission ('PIPC'), held a joint meeting on 16 May with relevant organizations, including the Health Insurance Review & Assessment Service, the National Health Insurance Service and the Korea Disease Control and Prevention Agency, on avoiding data leaks and strengthening the data security of their Application Programming Interfaces (APIs*).


This meeting follows up on the measures to strengthen personal information protection for website-based personal data transmission requests, which were discussed at the Transmission Agency Council on April 25th.


The PIPC pointed out that the 'scraping' method, in which an agent receives the data subject's authentication information and accesses a website to automatically collect personal information, can cause various risks such as authentication information leaks, excessive information collection and service interruptions, and thus carries a great risk of weakening the data subject's control.


In particular, the PIPC emphasized that a preemptive response to the recent surge in 'credential stuffing' cases, which involve automatically entering IDs and passwords leaked on the dark web into other sites, is urgent.

The PIPC explained that it is considering additional protective measures such as:

  • revision of the terms of use for the website of the information transmission agency,
  • application of multi-factor authentication (MFA),
  • introduction of CAPTCHA (automated challenges that tell human visitors from bots), and
  • detection and blocking of abnormal login attempts.


Read article from Korea's PIPC (in Korean): 보도자료 상세 페이지 | 개인정보보호위원회


( * ) An API is an interface through which one system transfers data automatically to another; in this case, for example, between the Korean social security health database and the MyData Platform.






Malaysia: New Guidance on Appointing a DPO

On 21 May 2025, Malaysia's Department of Personal Data Protection, the PPDP, published guidelines for appointing a Data Protection Officer ('DPO') for organizations that process the personal data of 20,000 data subjects or 10,000 sensitive data subjects:


Download the guidelines here (in Malay): Guidelines And Circular On Personal Data Protection, Appointment Of Data Protection Officer (DPO) • Personal Data Protection


The PPDP also published a FAQ document regarding the new DPO directive (in Malay): FAQ on the Appointment of Data Protection Officer (DPO) • Personal Data Protection


Are you looking for an experienced person in Malaysia with good knowledge of the life science industry to act as your local DPO? Contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net



1) The EU Commission and the 30 countries in the EU/EEA have voted simplification measures to the EU GDPR:


No, the EU Commission is considering that, but there is opposition from several countries and from professional groups.

2) A Discovery Hold is a procedure by which a US life science company can request its affiliates in Europe to store all research data forever and to transfer such data to the US, in order to provide evidence of a discovery.


Yes and no:

  • Yes, because a US organisation can store research data;
  • No, because if the research data contains personal data (even redacted):
      a) in order to store data for a long time, the affiliate in Europe must conduct a risk analysis to demonstrate that the risk to the private life of data subjects in Europe is negligible or limited;
      b) the affiliate in Europe must have a valid waiver to transfer personal data from Europe to the US.