Skip to content

Our studies and the GDPR

Entrust us with your project and we will take care of all the regulatory aspects of the studies from end-to-end. 

Our studies are conducted within a GDPR-compliant and secure system, in accordance with the French legal framework of MR-004 set up by the  CNIL (Commission nationale de l’informatique et des libertés en France).  

What is MR-004?

Since 2006, the French Data Protection Authority (CNIL) has followed the EU General Data Protection Regulation (GDPR) approach based on operators’ accountability and modified the declaration/authorization system to create simplified procedures intended to ensure data subjects’ protection while favoring research, innovation and competitiveness.

On 16 July 2018, the CNIL published revised and new referentials (Méthodologies de Référence, MR) regarding data processing specifying data protection rules in research contexts. Processing within a MR scope can be implemented after a commitment of compliance with the CNIL.

Quinten MD has chosen to work under the MR-004 reference methodology, relating to the processing of retrospective and prospective personal data implemented in the framework of research not involving the human person, studies and evaluations in the field of health.

MR-004 referential:

• obliges the data controller to appoint a Data Protection Officer (DPO)
•  requires to inform the data subjects when collecting personal data in order to comply with the GDPR
•  no longer needs written consent from patient prior to the use of their data (prior information, opposition right)
•  does not require to obtain prior authorization from the CNIL, provided they have filed a compliance undertaking with the CNIL

What are our benefits to work under MR-004?

With a simpler authorization process than in traditional research, this framework is favorable to innovation and competitiveness in full compliance with MDR requirements.

Using MR-004 reference methodology is a major factor in simplifying the implementation of our studies. This innovative framework allows us to take advantage of significant benefits for conducting retrospective and prospective health data studies on your medical devices with:

• a reduced time to data availability
•  the protection of involved subjects in accordance with GDPR and French law
• and the guarantee of secure data processing in a certified health data host

Quinten MD conducts studies within MR004 regulatory framework

It represents 3 blue hexagons. The first one on the left represents a shield and is entitled GDPR compliant protective framework.
The second one in the middle represents a chronometer and is entitled Shortened time to access data.
The third one on the right is a database with a padlock and is titled Secure data processing.

How is patient health data protected under MR-004?

Quinten MD is committed to respecting the obligations defined by the MR-004 standard, and therefore to ensuring the confidentiality and security of personal health data relating to patients in accordance with the RGPD and the French law.

Two types of information are provided by the investigating centers to patients regarding the conduct of a given study.

General information provided through posters in the centers and/or via their websites.

Individual patient information about the conduct of the study and its purpose, as well as the use of their data in the study.

After the individual information a no-objection period is observed before Quinten MD can access the data. This period allows patients to exercise their right to object to the use of their data without having to justify their decision. This decision does not affect their current or future care at the hospitals.

In order to comply with the requirements of MR-004, Quinten MD is not able to directly identify patients. All data is pseudonymized by the investigating centers before being transmitted to Quinten MD on a secure environment for processing. The data hosting and processing environment set up by Quinten MD is a certified Health Data Hosting (Hébergeur de Données de Santé, HDS) environment. The purpose of this certification is to strengthen the protection of personal health data and to build a trusted and secure environment for the processing of patient data.

What rights do patients have under MR-004?

Patients have the right to access, rectify, object to and delete their data or to limit their processing. These rights can be exercised under the conditions described in Articles 15 to 21 of the GDPR.

To exercise their rights, patients are invited to contact their investigating physician. However, for any question related to privacy protection or the processing of their data, they can directly contact our DPO.

Finally, patients also have the right to lodge a complaint with the CNIL, the French data protection supervisory authority.

If you want to know more about the legal framework of our PMCF studies