French Decree No. 2013-923, dated October 16, 2013, implementing EU Directive No. 2012/83/EC, has substantially completed the legal framework for pharmacovigilance. Obligations applicable to companies that manufacture and distribute medicines have been reinforced, and pharmacovigilance procedures for the EU have been further detailed. As a consequence, the French Data Protection Authority (“CNIL”) has adopted, in Decision No. 2014-099, dated April 10, 2014 (“AU-013″), updated Single Authorization No. AU-013 on personal data processing for pharmacovigilance purposes, thereby abrogating its former Single Authorization dating from January 2008.
Under the CNIL single authorization procedure, companies that intend to process personal data for certain specific purposes may implement such processing in compliance with French data protection law if they self-certify to the CNIL that the processing will comply with the specific conditions set forth by the CNIL.
According to the updated AU-013, the purposes of personal data processing for a pharmacovigilance system must be limited to (i) the collection, identification, analysis, reporting or disclosure of information relating to suspected adverse reactions to any medicinal products that are listed under Articles L. 5121-1 and R. 5121-150 of the French Public Health Code or to specified contraceptive products, including information on overdose, misuse, abuse, use during pregnancy or lactating; in addition, information relating to medication errors or potential exposure for professionals. has been added to updates AU-013, and (ii) data relating to the management of contacts between the relevant pharmaceutical company and either the ‘notifier’ (this notion being a new concept introduced by the updated AU-013, which can in practice refer to the patient, to any member of an authorized association of patients, to a health professional or to any member of a health authority), any person to be interviewed to get additional information on the adverse reaction, or any health professional in charge of the patient.
The categories of data that may be collected under the new AU-013 are limited to (i) personal data relating to persons who experienced the adverse reaction(s) that are reported (e.g., patient identification data, health data, identification data of health professionals in charge of the patient, and, if strictly necessary, information relating to family members, professions, lifestyle, drug consumption, sex life and ethnicity); (ii) personal data relating to the notifier in case he/she is a patient or member of an authorized association of patients (e.g., name, phone number, email address or, if none, postal address); and (iii) personal data relating to the notifier if he/she is a health authority or a health professional.
As regards the recipients, the updated AU-013 provides that this data shall only be made available to: (i) the company in charge of the pharmacovigilance system; if applicable, its service providers to the extent of their tasks; and any other company within the company’s corporate group or any of its partners that is involved in the marketing and distribution of the relevant medicine; (ii) third-party pharmaceutical companies involved in the marketing and distribution of any medicine, and health professionals likely to be affected by the notification; and (iii) any public bodies in charge of pharmacovigilance.
The updated AU-013 provides specific new provisions on the applicable maximum retention period, specifying that such period cannot exceed the duration of the administrative authorization delivered to the company to distribute the related medicine, plus ten years after expiry of the authorization. Beyond that period, the data must either be deleted or archived under an anonymized form.
The new AU-013 also sets forth that patient-related data may be transferred to countries outside the EU if such data contains only identification data with alphanumeric or alphabetic code. Nonetheless, the data related to the notifier can only be transferred outside EU in an anonymized form.
Data controllers that implemented personal data processing for pharmacovigilance purposes under the former Single Authorization No. AU-013 have to comply with the new requirements set forth by the new AU-013 before April 10, 2015. In case the processing is not compliant with the terms of the new AU-013, a specific authorization shall be requested from the CNIL.