MR-001 : The French guideline to conduct a clinical trial in France

Privacy Laws

1 - What is MR-001?

MR-001 is a rule adopted by the French data protection authority ("CNIL") for the processing of personal data within the context of an interventional study. The term "interventional study" includes clinical trials as defined by the European Clinical Trial Regulation (CTR).

MR-001 specifies how the GDPR applies to clinical trials conducted in France.

2 - Procedure

The French Data Protection Law proposes a binary system:

Either the Sponsor is 100% compliant with MR-001's requirements. It declares compliance to the CNIL, and the clinical trial can be initiated without further formalities.
Or the Sponsor is not 100% compliant with MR-001's requirements. The Sponsor must then obtain PRIOR authorization to conduct the study.

The CNIL has two months from the date of the authorization request to respond. In the absence of a response after this period, the authorization is considered tacitly granted.

Compliance with MR-001 is therefore a crucial step in the regulatory journey of a clinical trial in France, and a sponsor must evaluate the compliance of its trial with MR-001 in advance.

3 - Requirements related to data subjects

MR-001 distinguishes two categories of data subjects with their own requirements:
The patients/participants included in the study. This includes healthy volunteers.
The healthcare professionals involved in the study (PI, nurses, etc.).

3.1 - Requirements related to patients

Regarding the processing of patients' data, MR-001 specifies that:

1. Purposes

Personal data can only be processed for the purposes of the study (endpoint and objectives of the protocol). Thus, any data processing outside the scope of the protocol (meta-analyses, data reuse, ancillary studies not provided for in the protocol) is a separate data processing subject to another regulatory framework.

2. Categories of data

Only pseudonymized data may be integrated into the clinical trial databases. The patient's identity must be kept in a separate database under the control of the investigator site with restricted access (as provided by good clinical practices).
MR-001 provides a broad list of data that can be collected. Except for the social security number, any health data can be collected if necessary for the achievement of the study's objectives.
Note: a specific de-identification process must be planned for photos, videos, and sound recordings.

3. Recipients of data

The patient's identity is accessible only to the healthcare professionals following the patient, the Clinical Research Associates ("CRAs"), the Sponsor's Data Protection Officer ("DPO") for data subjects' rights, the authorities, and the Sponsor's civil liability insurance body.
Notably, MR-001 specifies the conditions under which the Sponsor's vendors (not the investigational site) may access directly identifying data. Such access is limited to specific cases (reimbursement, connection to an e-PRO/e-COA portal, IMP delivery to the patient's home). This access is not possible if the service provider simultaneously has access to the patient's health data, or if the data available reveal a pathology or health status.

Pseudonymized data of the patient are accessible by the Sponsor, its service providers, the professionals involved in the research, the CRAs, the authorities, and independent experts of a scientific review committee in case of publication of results.
Especially for this last category, access must be limited to the sole purpose of re-analysis of the results and must be done through an interface provided by the Sponsor.

4. Information and rights of patients

Patients must be informed of the processing of their personal data according to the mandatory information provided by Article 13 of the GDPR. This information must be provided via the Informed Consent Form (ICF).
Note: Consent is not the mandatory legal basis for data processing. Only consent in accordance with the requirements of good clinical practices is required. The CNIL refers to the Sponsor's legitimate interest as the recommended legal basis for data processing. However, consent as a legal basis remains accepted.

Patients may exercise their GDPR rights at any time with the Sponsor's DPO, who is required to respond within a month from the request. An additional month's extension is possible.
Note: Patients may also exercise their right of access at any time with the principal investigator.

5. Data retention period

Data can be kept in the IT systems of the Sponsor, its service providers, and the investigator site until the product is marketed or up to 2 years after the last publication or, in the absence of publication, the signing of the final report.
After this period, the data is archived (restricted access) for the legal duration.
For example, the CTR provides for an archiving duration of 25 years for data appearing in the TMF.

3.2 - Requirements related to Professionals involved in the research

1. Purposes

Personal data can only be processed to ensure the legal obligations of the Sponsor.

2. Categories of data

Any professional personal data (name, first name, professional address, diploma, etc.) can be collected.

3. Recipients of the data

The Sponsor, its service providers, the professionals involved in the research, and the authorities can access professionals' data.

4. Information and rights of professionals involved in research

Professionals must be informed of the processing of their data by the Sponsor in accordance with Article 13 of the GDPR.
Note: This is a common oversight under MR-001. This information can be delivered via the CRO, by email, and/or through the study documentation such as the ISF. This information can also be attached to the clinical trial agreement between the investigator site and the Sponsor.

Professionals can exercise their rights at any time with the Sponsor's DPO.

5. Data retention period

Data of professionals cannot be kept beyond 15 years from the last research in which the professional participated on behalf of the Sponsor.

4 - Other Requirements

A Data Privacy Impact Assessment ("DPIA") is required. This analysis must include a presentation of the data flow, the identification of security measures, and the analysis of potential risks to the rights and freedoms of the data subjects.

Only pseudonymized patient data may be transferred outside the European Economic Area ("EEA"). These data, as well as those of the professionals, must then comply with the measures of Chapter V of the GDPR (adequacy decision, Standard Contractual Clauses, consent, ...).
Note: Data subjects must be informed of data transfers to third countries, through the ICF (Patients) or the information notice (Professionals).

The agreements between the Sponsor (data controller) and its service providers and the investigator sites (data processors) must include the mandatory provisions of Article 28 of the GDPR. These provisions are complemented by specific provisions related to data transfers to third countries.
Note: In France, the agreement between the Sponsor and the investigator site is a legal template called "Convention Unique", which cannot be modified. This model provides for a clause dedicated to data protection. In case of data transfer outside the EU, the standard contractual clauses should be added.

The Sponsor must appoint a DPO, internal or external, and keep a register of processing activities.

Pierre Malvoisin