
The MR001 (or MR-001) reference methodology provides a framework for the processing of personal data carried out in the context of health research with the collection of participant consent. This MR001 methodology from the CNIL (National Commission for Information Technology and Civil Liberties) is aimed at research sponsors (hospitals, industrial establishments, independent investigators) who wish to guarantee their compliance with the GDPR while securing the use of sensitive data in this specialised field.

In this article, we offer you a practical guide to understanding the main principles of MR001, to whom it applies, how to use it, and the best practices to adopt for your regulatory compliance, guaranteeing data confidentiality throughout the process.

What is the MR001 reference methodology?

Two members of a healthcare establishment consult a database as part of a clinical research project. The MR001 methodology requires clear governance, including a DPO, to guarantee the legal and ethical security of data processing.

MR001, issued under CNIL deliberation no. 2018-153, is a specific legal framework for the processing of health data as part of certain scientific research. This reference methodology is intended for projects involving the collection of participants' consent and presenting a major public interest for medical research.

The MR001 methodology covers:

  • Interventional research, including research involving minimal risks and constraints (e.g. a study of the efficacy of a medical device already in use)
  • Clinical drug trials, except for cluster trials (e.g. assessing the tolerability of a generic drug in a target population)
  • Studies requiring genetic testing (e.g. studies on genetic predisposition to breast cancer)
  • Observational research with minimal intervention (e.g. sleep monitoring via a connected bracelet provided to patients)

This simplified approach enables research organizations to benefit from a framework pre-established by the CNIL, thus avoiding long and complex authorization procedures, unlike health research protocols without consent, which require other methodologies.

Who can use MR001 in the healthcare sector?

The MR001 reference methodology can be relied on by:

  • Research sponsors, whether based in France or abroad
  • Public and private healthcare establishments (university hospitals, clinics, research centers)
  • Independent investigators conducting clinical studies
  • Processors, under strict conditions, for specific missions
  • DPOs (data protection officers) responsible for data processing compliance
  • Pharmaceutical companies for their clinical trials

Important point: Even if the data controller is not established in France, it must comply with MR001 if it processes data from people residing on French territory.

Which processing operations are covered by MR001?

Processing operations eligible for the MR001 methodology must meet the following conditions:

  • Have a health research objective with a clearly defined public-interest purpose
  • Be based on the participant's express, free and informed consent
  • Involve only relevant and necessary data, strictly defined by the CNIL
  • Respect the principle of proportionality in data collection

Data authorized by MR001

Permitted data includes:

  • Health data (medical history, test results, pathologies)
  • Demographic data (age, gender, family situation)
  • Data on lifestyle and habits (diet, physical activity)
  • Information on current medical treatments
  • Healthcare professionals' data (name, position, participation in the study)

An examination of the specific characteristics of each type of data is necessary to ensure its relevance to the study.

Data excluded from MR001

The following are strictly excluded: precise geolocation data, NIR (social security number), political opinions, religious data, criminal and judicial data. The nature of the data collected must be carefully assessed to respect these exclusions.

How do I declare a study under MR001?

The MR001 declaration procedure requires the sponsor to:

  1. Make a declaration of compliance using the official CNIL online form
  2. Make a formal commitment to respect all the principles of the methodology with a detailed compliance undertaking
  3. Keep a detailed record of research based on MR001
  4. Carry out a data protection impact assessment (AIPD, the French term for a DPIA) if necessary, according to defined criteria
  5. Appoint a competent DPO to oversee compliance

What is the role of the DPO in a research project?

The Data Protection Officer (DPO) plays a key role in implementing MR001:

  • They must be clearly identified in the information note given to participants.
  • They ensure that each research project complies with regulatory requirements.
  • Patients can contact them directly if they have any questions about the processing of their personal data.
  • They oversee the implementation of appropriate security measures.

Practical recommendation: The DPO's contact details should be easily accessible and systematically communicated in all information material given to participating patients.

What are the conditions for data retention?

MR001 sets specific data retention periods:

For patient data

  • Until the product in question is marketed, or
  • 2 years after the last scientific publication, or
  • 2 years after signature of final study report

For healthcare professional data

  • Data retention is possible for up to 15 years after the last research project involving these professionals

Archiving phase: Data must then be archived on paper or digital media, securely and in compliance with current regulations, with strictly limited access.

What does MR001 say about transfers outside the European Union?

The MR001 methodology authorizes the transfer of certain data outside the EU under strict conditions:

Transferable data

  • Indirectly identifying patient data (pseudonymized data)
  • Identifying data of healthcare professionals participating in research

Imperative conditions

The transfer outside the EU must be:

  • Strictly necessary to conduct research
  • Accompanied by appropriate guarantees (standard contractual clauses, enhanced security measures)
  • Declared and documented in the processing register

What are people's rights and information obligations?

Each participant in a research project under MR001 must be clearly and fully informed of:

  • The voluntary nature of participation and the possibility of withdrawal
  • The data used and their precise scientific purpose
  • Their rights (access, rectification, objection, deletion under certain conditions)
  • Any data transfers outside the EU and their guarantees
  • Contact details for the DPO and data controller

Patient information is mandatory and must scrupulously meet the requirements of Article 13 of the GDPR: the purpose of the research, legal basis, duration of data retention, exercisable rights, data recipients, and transfer arrangements outside the EU where applicable.

Two formats are recommended for informing people:

  • A personal information note must be given individually to each participating patient, detailing specifically the study concerned.
  • General information should be displayed in care areas via notice boards or reception areas, informing all patients of the research carried out in the facility. This can also be included in the facility's welcome booklet or on the website.

This approach guarantees ethical patient research in line with European standards.

Special cases: Information is reinforced for minors, protected adults, or people temporarily unable to consent (involvement of legal representatives or designated trusted persons).

Limitations of MR001: when does it not apply?

This image shows a healthcare professional entering patient data into a secure system. The MR001 methodology strictly regulates the collection and recording of personal data in consent-based medical research.

The MR001 methodology does not cover certain types of research:

  • Research without consent → see methodology MR002
  • Retrospective studies without direct inclusion of new participants
  • Simultaneous processing of health data and identifying data by the same processor
  • Use of certain prohibited data (precise geocoding, complete NIR)
  • Cluster clinical trials, which require a specific approach

Alternative solution: In these excluded cases, a specific authorization application to the CNIL is still required, with a longer lead time.

What are the risks of non-compliance?

Failure to comply with MR001 can result in severe penalties:

  • The CNIL can issue a warning or a fine of up to 4% of turnover.
  • Processing may be suspended immediately by administrative decision.
  • The study may be called into question by a CPP (Comité de Protection des Personnes) or the ANSM.
  • The patient can seek redress and compensation for the damage suffered.

Risk prevention: A robust security policy and detailed compliance register are essential to avoid these sanctions.

Conclusion

The MR001 reference methodology is a powerful tool for simplifying GDPR compliance in healthcare research. It provides a clear, secure framework that has been pre-validated by the CNIL, provided that its requirements and constraints are fully mastered.

This MR001 methodology saves research sponsors a considerable amount of time, while guaranteeing optimum protection of participants' personal data.

At Dipeeo, as an external DPO registered with the CNIL, we support healthcare players at every stage of their research project: declaration of compliance, drafting of information documents, completion of the impact assessment (AIPD) and long-term regulatory monitoring.

Experts in the healthcare sector, with over 150 projects to our credit, we have designed audits specifically adapted to medical research.
Our clear, practical questionnaire has been developed by our lawyers and former lawyers specialized in healthcare. It enables you to analyze your data processing and provide a legal framework for your project right from the outset.

To find out more, consult the official MR001 sheet on the CNIL website or download our GDPR Santé practical guide dedicated to healthcare players.

Anaïs Guilloton

Marketing Manager - GDPR Expert