Health Research: The French Data Protection Authority Updates Two Reference Methodologies and Strengthens Its Support for Research Stakeholders
Publication by the French Data Protection Authority, May 26, 2026
Reference methodologies (“MRs”) are one of the principal compliance tools for the processing of personal data carried out in the context of health research. Organizations that meet all of the conditions set out in these frameworks may limit themselves to filing a declaration of compliance with the French Data Protection Authority (“CNIL”) rather than undertaking a more burdensome authorization procedure.
The CNIL has just adopted a significant overhaul of MR-001 (research involving the collection of the participant’s consent) and MR-003 (research without the collection of consent), which had not undergone a major revision since 2018. Beyond an editorial reorganization intended to improve their readability, this update introduces several substantive changes designed to reflect recent developments in clinical research and digital practices. The authority is also accompanying this reform with a set of practical tools intended to facilitate compliance by stakeholders in the sector.
Adapting the Methodologies to New Research Practices
The first notable change concerns the scope of the frameworks. In particular, the new MR-001 now expressly covers clinical investigations of medical devices as well as performance studies relating to in vitro diagnostic medical devices. Both MRs also take into account research conducted partly or entirely abroad by data controllers established in France.
The conditions for lawfulness are clarified: the appropriate legal basis is the performance of a task carried out in the public interest for sponsors entrusted with a research mission by law (university hospitals, research organizations), and legitimate interest for private sponsors.
The rules on the categories of data processed have also been expanded. The MRs now allow certain additional information to be processed where necessary for the research, such as sexual orientation, geographic origin, or certain data relating to household income. They also govern the determination of participants’ vital status through consultation of the register of deceased persons maintained by the French national statistics institute (INSEE), particularly in long-term follow-up research.
The CNIL has also clarified the rules applicable to data recipients. The new versions draw clearer distinctions among the various actors involved in a research project and the data they may access according to their respective roles. Specific provisions are thus introduced for follow-up activities, participant information, administrative tasks, and quality control. In certain narrowly defined cases, a single actor may combine several of these functions.
The arrangements for informing data subjects are also evolving to reflect the growing digitalization of research. The MRs now expressly permit GDPR information to be provided electronically. They also introduce several practical accommodations, including the possibility of deferred information where enrollment occurs in an emergency context, as well as certain derogations regarding the information of holders of parental authority.
Another significant change: the framework for international transfers has been relaxed on certain points. Participants’ administrative data may now be transferred outside the European Union in precisely defined situations, in particular to a country benefiting from an adequacy decision or where research is conducted in a third country by a data controller established in France.
Finally, the CNIL strengthens the requirements relating to the use of processors. The new MRs notably incorporate a reference to codes of conduct as a mechanism for demonstrating compliance, require audits of processors, and specify the documentation obligations applicable to processor chains.
Two New Annexes on Security and Quality Control
One of the principal innovations of this reform lies in the creation of two cross-cutting annexes, to which MR-001 and MR-003 now directly refer.
The first is devoted to security. Its purpose is to bring together in a single document, taking into account the state of the art, the security measures that the CNIL considers most relevant for health research.
This annex comprises thirty general requirements covering, among other things, risk analysis, data minimization, encryption, access management, logging, documentation, and user awareness. Among the most significant measures is the requirement to use multi-factor authentication for access to research data, which takes effect on January 1, 2027 for web-accessible tools and on January 1, 2028 for other tools.
The annex also introduces specific rules for three situations common in modern research: the electronic provision of information to participants, the publication and reanalysis of research results, and the use of non-meaningful codes that make it possible to identify participants without directly using their identity data.
The second annex concerns quality control (“monitoring”), that is, the operations intended to verify the completeness and accuracy of the data collected by comparing them against source documents, such as the participant’s medical record.
The main value of the document is that it fully incorporates the remote quality-control practices that have developed widely since the health crisis. The annex thus restates existing CNIL recommendations, setting out common requirements applicable to on-site and remote controls (data minimization, authorizations, information of individuals, security measures) as well as additional safeguards specific to remote-control arrangements, whether based on videoconferencing tools or on dedicated secure platforms.
New Practical Tools to Facilitate Compliance
Beyond the update to the frameworks themselves, the CNIL has clearly sought to improve their adoption by practitioners.
The authority is thus making available annotated versions of MR-001 and MR-003 incorporating practical examples, points of caution, and cross-references to EDPB guidelines or to applicable sector-specific regulations. These documents are intended to facilitate understanding of the concrete scope of the requirements and to answer many of the operational questions that may arise when implementing a research project.
The CNIL is also publishing compliance grids that function as checklists. These tools are intended to help project teams, DPOs, and sponsors verify in a structured manner compliance with all of the conditions set out in the frameworks.
Finally, the authority has announced an interactive questionnaire to identify the formalities applicable depending on the nature of the research contemplated and the framework likely to apply.
* * *
The new MRs and their annexes entered into force on May 23, 2026. Data controllers that have already declared compliance with an earlier version need not repeat that step, provided that research launched—or substantially modified—on or after that date complies with the new version. For ongoing research, the measures in the security annex must be deployed as soon as possible and no later than May 2027, with multi-factor authentication following its own timeline (January 1, 2027 for web-accessible tools and January 1, 2028 for others). In all cases, internal documentation (records of processing activities, DPIA) must be updated and the required formalities completed with the competent ethics committee and health authority.