CNIL updates MR‑001/MR‑003: an operational playbook (26/05)
The CNIL updates MR‑001 and MR‑003 and releases compliance checklists. Immediate effect for health research conducted in France, impacting Luxembourg sponsors when French patients or sites are involved.
Summary. On 26 May 2026, the CNIL updated its reference methodologies MR‑001 (with consent) and MR‑003 (without consent collection) and released self‑assessment checklists. The changes take immediate effect for studies within the French scope.
Key facts
The new texts clarify cross‑border studies, digital participant information, remote quality control/monitoring, and access to identifying data. Two checklists support sponsors and study teams in verifying compliance.
Legal framework and basis
The MRs operationalize GDPR Articles 6, 9(2)(j) and 89 (information, legal basis, minimization, retention, security, governance). For a quick refresher, see our page on GDPR essentials for research processing. The update also aligns French practice with recent EDPB Guidance 1/2026.
Impact for Luxembourg stakeholders
Who is in scope. Sponsors, CROs, private hospitals, biotechs, medtechs and insurers in Luxembourg conducting research involving data subjects located in France or processing patient data in France.
Main risks. Mis‑qualification under MR‑001/MR‑003, non‑compliant information/consent (including e‑consent), insufficient controls over access to identifying data, missing provisions for remote monitoring, and inadequate security/access logging.
Timelines. Immediate application to new studies and substantial amendments. Ongoing studies should check alignment at the next major amendment and document the remediation path.
Concrete actions this week
- Map studies with French sites/patients and determine MR‑001 vs MR‑003 eligibility. Decide between MR adherence or CNIL authorization.
- Update participant information (including digital formats), consent forms, remote monitoring plans, controls over identifying data, logging, encryption and segregation. Leverage the new CNIL checklists.
- Reassess the DPIA and security measures: document the Article 6 legal basis, the Article 9(2)(j) health‑data condition, Article 89 safeguards (pseudonymization, minimization, access controls), and intra/extra‑EU transfers. Include strong authentication and access reviews.
Go further
Sponsors can streamline compliance with support from a certified DPO for mandate and research governance, especially to structure the legal basis, information and MR commitments. For Luxembourg teams, our page on GDPR in Luxembourg and CNPD expectations helps align national requirements with multi‑country studies involving French sites.
Need a quick review of your study or a document audit before submission? Reach out to our team.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.