French Data Protection Authority (CNIL)

Mission

Regulation

Type of actor

Institutional player

Fields of intervention

Health / Social care / Social / Medical Device

Intervention zone

National

What is the CNIL?

In the digital world, the Commission nationale de l'informatique et des libertés (CNIL) is France's personal data regulator. It supports private and public players in implementing their personal data protection compliance.

Go to the CNIL website

Missions

Inform, educate: the CNIL responds to requests from individuals and professionals. It carries out communication actions with the general public and professionals whether through its networks, the press, its website, its presence on social networks or by providing educational tools;
Protect citizens' rights: anyone can contact the CNIL in the event of difficulty in exercising their rights;
Advise and regulate: the CNIL oversees the search for solutions enabling public and private organizations to pursue their legitimate objectives in strict compliance with citizens' rights and freedoms;
Accompanying compliance: to help private and public organizations comply with the RGPD, the CNIL offers a comprehensive toolbox tailored to their size and needs;
Anticipate: as part of its innovation and foresight activity, CNIL, thanks to its LINC laboratory, sets up a watch to detect and analyze technologies or new uses that could have significant impacts on privacy. It contributes to the development of privacy-protecting technological solutions by advising companies as far upstream as possible, with a view to privacy by design;
Control and sanction : control enables CNIL to verify the concrete implementation of the law. It can require a player to regularize its processing (formal notice) or impose sanctions (fines, etc.).

I have a project. How can I contact the CNIL?

To integrate RGPD obligations into your project and manage your data;
To be in compliance with the specific regulations to which health data are subject;
To design your user pathsof digital service or product and thus enable people to control their personal data and know their rights;
To prevent risks and organize the security of your data;
To make your RGPD compliance a competitive advantage ;
To benefit from practical tools (see accessible resources) developer guide, repositories, registry templates etc.
To benefit from a network: regular animation of workshops for startups working in the healthcare field, some of which are available online, presence in innovation venues such as Station F, online posting of web pages dedicated to startups on the cnil website.

At what stage of my project should I contact you?

Prior to implementing data processing, once the scope of my project is well defined (what data do I want to collect and use? to do what with it? how will I inform people? what security measures are envisaged?) ;
Ideally, on the basis of d'une analyse d'impact relative à la protection des données.

Consult our dedicated pages to identify the main actions you need to take to begin your compliance with protection des données personnelles.

Does it finance projects?

Accessible resources

Information on the Healthcare sector Practical RGPD awareness guide for VSEs and SMEs (in partnership with bpifrance) Hub Startup: how to turn your RGPD compliance into a competitive advantage? Access the software for conducting a Data Protection Impact Assessment (DPIA) Discover CNIL's digital innovation laboratory Co-constructing user paths that respect RGPD and privacy

Practical guide

All the questions you need to ask about CNIL.

In some cases, you may be required to appoint a data protection officer. This appointment is mandatory for certain companies operating large-scale processing operations presenting particular risks

In other cases, the appointment of a delegate is recommended, particularly if your business requires you to conduct an in-depth analysis of the RGPD. The delegate can be appointed internally from among your staff or externally. He or she can also be shared between several organizations or within professional associations or federations.

FOR MORE INFORMATION:

About the compulsory designation cases and competencies of the data protection delegate:

Dossier the data protection delegate on the CNIL website

If your data processing operations are likely to give rise to specific risks or new data protection issues, don't hesitate to contact the CNIL (contact details on the "CONTACT" page of the CNIL website). In addition, your subcontractors have a duty to advise you on data protection issues. Don't hesitate to contact them!

The CNIL regularly organizes workshops for startups with FrenchTech Central (find the program here)

Yes, depending on demand. In particular, the CNIL offers individual support as part of its call for projects "Personal data sandbox" and its Enhanced support.

3 Place de Fontenoy - Unesco 75007 Paris

Our podcasts on the subject :

Discover our podcasts on the subject

See all Podcasts

Regulations

#16 Complying with the CNIL when processing health data

The CNIL, or Commission Nationale de l'Informatique et des Libertés, is the French authority responsible for ensuring the protection of personal data and privacy in the digital world. For digital health innovators, understanding the role and requirements of the CNIL is crucial.

Mission and role of the CNIL:

The main mission of the Paris-based CNIL is to protect the rights and freedoms of French citizens with regard to personal data. It oversees the application of the French Data Protection Act (Loi Informatique et Libertés), as well as the General Data Protection Regulation (RGPD) in France.

Importance for digital health innovators:

Health data is considered sensitive and benefits from enhanced protection. Innovators must therefore be particularly vigilant in their handling:

Data security: The CNIL requires robust security measures to protect health data.
Patients' rights: Patients have specific rights concerning their data, such as access and the right to rectification.
Prior formalities: Certain data processing operations require formalities with the CNIL before implementation.

Compliance and sanctions:

In France today, non-compliance with data protection rules can result in severe sanctions. The CNIL has the power to impose fines of up to several million Euros if the law is not respected. These fines can have a significant impact on a company's finances, up to several tens of millions of Euros in the most serious cases. As an authority, it can also take online complaints from French people, and check whether they are legitimate with regard to a piece of legislation, the law.

Resources for innovators:

The CNIL (Commission Nationale de l'Informatique et des Libertés) offers training and guides to help professionals comply with regulations and the law. It also offers specific advice for the e-health sector. These resources can include examples of code that complies with security and data protection standards, an advisory role on a specific topic, or training as part of the innovator's activity.

In conclusion, for innovators, working closely with the CNIL is essential to ensure the compliance of their projects and effectively protect patients' personal data in the world of innovation.