MR-001 and Data Privacy in French Clinical Trials

When embarking on clinical trials, it’s important for organizations to handle participants’ personal data with heightened caution, given its sensitive nature. Simultaneously, compliance with specific legal requirements, especially those unique to each country, becomes imperative. Take France, for instance. The CNIL, its data protection authority, requires organizations to obtain prior authorization to conduct certain types of research.

Fortunately, navigating the intricate landscape of data protection during clinical trials is eased by the CNIL’s reference methodologies. These present a structured approach to compliance. Adhering to one of these methodologies allows organizations to process personal data through self-declared compliance, sidestepping the often cumbersome prior authorization process.

Importantly, these methodologies are not static. MR-001, in particular, has recently undergone a significant overhaul: on March 19, 2026, the CNIL adopted a new version, repealing the 2018 iteration. The updated methodology is also complemented by two binding Annexes. In this post, we place the spotlight on this updated MR-001 methodology, applicable to research initiated after May 23, 2026.

What is MR-001?

MR-001 is CNIL’s research methodology for studies requiring consent from participants. Following the 2026 revision, it is tailored for:

  • interventional research, including research with minimal risks and constraints;
  • clinical trials of drugs, with the exception of clinical trials in clusters;
  • research requiring examination of genetic characteristics; and
  • clinical investigations of medical devices and performance studies on in vitro diagnostic medical devices (newly in scope).

If an organization intends to undertake the specified research, it can opt for one of two routes: conform its processing activities to MR-001 methodology and self-declare compliance to CNIL via an MR-001 Declaration, or submit a research authorization request to CNIL.

It’s recommended to follow the MR-001 methodology and the self-declaration process due to its efficiency, saving time compared to seeking CNIL authorization. However, one of the above approaches should be attended to before any processing of personal data in connection with a study in France takes place. Further, it is important to note that the MR-001 Declaration and CNIL authorization process is distinct from the submission to the relevant ethics committee and separate ethics committee approval must still be sought.

Although declaring conformity with the MR-001 methodology is considered to be the more efficient option, there are still several items that need to be attended to before an organization can declare conformity, and some of them can be quite time-intensive.

New Annexes

Perhaps the most structural change is that MR-001 no longer stands alone. The updated methodology must be read together with two annexes: a Security Annex and a Quality Control Annex. Declaring conformity with the 2026 version of MR-001 requires complying with the methodology and those annexes. The Security Annex governs technical and organizational security measures, while the Quality Control Annex addresses how sponsors should verify compliance with applicable requirements and the research protocol, and confirm that research data is complete, accurate, and consistent with source data where relevant.

Relevance and Scope of MR-001

MR-001 is relevant to certain consent-based health research, including some clinical trials, that has a connection to France.

Under the 2026 version, the MR-001 methodology may be applied if the data controller is established in France, or if all or some of the participants reside in France. The updated version also clarifies that a French-established sponsor may be able to rely on MR-001 for participants in countries outside France, where the local rules governing the research require participant consent.

The methodology includes lists of personal data categories that may be processed in the context of covered research, now organized more clearly into categories such as administrative data and research data. These categories include personal data such as identity, age, health data, ethnicity, family situation, education level, and lifestyle habits can be processed where necessary and justified. By contrast, data relating to religious beliefs or criminal offenses are not included in the permitted MR-001 categories and would generally require separate assessment outside MR-001. Administrative data is generally used to organize, manage, and document the research, while research data are collected or generated for the scientific purposes of the study. This distinction matters because the categories are not treated in the same way: research data are subject to stricter handling requirements, including pseudonymization in accordance with the Security Annex.

With respect to pseudonymization, and to limit the risk of patient re-identification, the 2026 version replaces the previous initials-based code with a non-meaningful inclusion number that may not contain initials, a date of birth, or any other existing patient identifier. This change aligns with the updated distinction between administrative data and research data by requiring research data to be linked to participants through a pseudonymous identifier rather than directly identifying information.

The sponsor of the trial needs to be able to justify that the personal data collected is relevant, adequate, and strictly necessary. For example, if a sponsor wishes to collect ethnicity related data, the specific scientific reasons justifying such collection must be documented. The same logic applies to newly clarified research data categories, such as sexual orientation, household income bracket, or perceived social support: they may be collected only where they are necessary for the research and justified by the protocol.

What Are the MR-001 requirements?

In order to conform to MR-001, the data controller (the sponsor of the trial) must comply with various obligations. These include, for example:

  • The data controller must carry out a data protection impact assessment (DPIA) before declaring compliance with MR-001.
  • The data controller must appoint a data protection officer (DPO), in accordance with article 37 of the GDPR.
  • Research participants must be provided with prescribed information regarding the research. This includes information on the collection of personal data which shall be compliant with MR-001 requirements and the provisions of Article 13 of the GDPR including information such as the identity and contact details of the data controller, the purpose of the processing, the legal basis for processing, etc.
  • A privacy notice must also be provided to health professionals involved in the research.
  • A security and confidentiality policy must be implemented and monitored.

After the 2026 revision, data processing operations carried out pursuant to the 2018 MR-001 may continue in compliance with its provisions, and data controllers who have made a declaration of conformity to the 2018 MR-001 are not required to re-declare their compliance. However, all research implemented after May 23, 2026, must comply with the updated methodology. Some of the most significant new obligations include:

  • All research data must now be pseudonymized in line with the Security Annex.
  • The practice of using initials-based participant codes must be reviewed and replaced with non-meaningful inclusion numbers.
  • Multi-factor authentication (MFA) is mandatory, from January 1, 2027, for internet-accessible systems and from January 1, 2028, for all systems.
  • The recipient framework has been restructured: vendors can receive either administrative data (identifying the participant) or research data (relating to the study itself), but not both (with limited exceptions). This means that arrangements with integrated service providers (e.g., CROs) may need to be adapted to ensure appropriate segregation of data.
  • The Quality Control Annex introduces detailed rules for verifying data completeness and accuracy against source documents (e.g., medical records).
  • Transfers of administrative data outside the EU are only permitted under an adequacy decision, or in the specific case where the research is conducted in a third country by a French-established data controller and the transfer is to that third country. International transfers must therefore be reviewed and assessed for compliance.

A Word of Warning

While the CNIL’s reference methodologies enable smoother compliance, it is important to recognize that the CNIL actively monitors adherence to these methodologies. In a notable development in 2023, the regulatory body issued warnings to two medical research organizations for non-compliance. The infractions primarily revolved around failures to provide adequate information to participants and to conduct a comprehensive DPIA.

These incidents underscore the necessity for organizations to meticulously assess their compliance posture before declaring conformance to MR-001. Beyond the initial declaration, a sustained commitment to the stipulated obligations is also imperative. Regular internal audits and reviews ensure that the organization not only meets the baseline requirements but consistently upholds the integrity and security of participants’ personal data throughout the course of the research. With the 2026 revision adding two binding Annexes, new pseudonymization rules, and a restructured data-flow model, a fresh gap assessment against the new MR-001 is strongly advisable. Remember, compliance is not a one-time box-ticking exercise but an ongoing commitment to the requirements set forth by CNIL.

Navigating the intricacies of MR-001 can be complex, but the VeraSafe team is ready to assist your organization in achieving and maintaining compliance. From initial assessments to continuous support, we help clinical trial sponsors align with the stringent requirements outlined by CNIL, fostering a seamless and legally sound clinical trial process.

You may also like:
Guide to DPIAs in EU Clinical Trials: Navigating Regulatory Submissions
Viable Transfer Mechanism for Key-Coded Clinical Trial Data
Data Privacy Automation: Pros, Cons, and Pitfalls of Streamlining Compliance

Related topics: Clinical Trials, Compliance Tools and Advice, GDPR

Monthly Newsletter

Contact VeraSafe to discuss your data security management and privacy program today.