Legal news

Update to the CNIL’s Reference Methodologies MR-001 and MR-003

By way of four deliberations dated 19 March 2026, the French data protection authority (CNIL) has updated two of its reference methodologies governing the processing of personal data carried out in the context of health research:

  • MR-001, relating to processing operations carried out in the context of health research requiring the collection of consent [1]; and
  • MR-003, relating to processing operations carried out in the context of health research not requiring the collection of consent [2].

These updates follow the needs expressed by stakeholders in the health sector during the public consultation conducted by the French data protection authority in 2024, which in turn reflect the significant developments that have taken place within the field of health research. The principal amendments made to these methodologies include, among other things, an expansion of their scope of application to cover research conducted abroad, the addition of certain categories of personal data, and revised modalities for informing data subjects.

These methodologies are addressed to public and private actors seeking to conduct research involving human subjects, clinical trials of medicinal products, or clinical investigations of medical devices involving individuals residing in France and/or abroad.

They are accompanied by two newly introduced annexes dedicated respectively to security and quality control in the context of research activities. The “security” annex sets out the technical and organisational measures, consistent with the state of the art, that must be implemented in the context of research projects. The “quality control” annex sets out, among other things, the general requirements applicable to data monitoring, whether conducted on-site or remotely, and incorporates best practice recommendations as well as a compliance checklist.

In addition to the foregoing, the CNIL has made the following documents available on its website [3]:

  • an annotated version of the new methodologies, including examples and references to useful resources;
  • compliance checklists enabling research projects to be assessed against the requirements of the methodologies;
  • a summary table of the amendments made to the methodologies;
  • an interactive questionnaire designed to assist stakeholders in identifying the appropriate steps to take depending on their specific situation.

It should be noted that data controllers who have already filed a declaration of conformity with a prior version of these reference methodologies are not required to submit a new declaration in respect of the updated versions. Furthermore, research projects, or substantial amendments to ongoing research, carried out as of 23 May 2026 in compliance with these new methodologies may be implemented without the need for a new declaration of conformity.

A forthcoming article will examine in detail the changes introduced under these new reference methodologies.