CNIL MR-001: What clinical trial sponsors need to know

CNIL MR-001 is the primary data protection framework for interventional clinical trials in France where participants give informed consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed.. Organisations conducting these studies must either apply for direct authorisation from the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), or declare that they comply with an applicable Reference Methodology, such as MR-001. This framework has been in place since 2018, but the May 2026 update introduced further complexity to the methodology. 

For many sponsors, MR-001 offers a significantly more efficient route for conducting interventional, consent-based clinical research in France. However, organisations should not underestimate the impact of the framework’s requirements, particularly where multinational vendor contracting models or international data transfers are involved. 

Used well, MR-001 can help streamline compliance for clinical trials in France. But when treated as a tick-box exercise, it can quickly create regulatory, contractual, and operational challenges. 

Key takeaway: CNIL MR-001 provides a more efficient route for conducting clinical trials in France than seeking specific authorisation from the CNIL, but organisations should not treat it as a simple administrative declaration. Early planning around vendor arrangements, international transfers, and participant data flows is essential to align with the framework’s requirements in practice. 

In this blog, we explain what CNIL MR-001 is, how the self-declaration processA series of actions or steps taken in order to achieve a particular end. works, and the operational requirements that most commonly catch international sponsors out. 

• What is CNIL MR-001? 
• The difference between self-declaration and full authorisation 
• Commonly misunderstood requirements 
• Preparing for CNIL MR-001 compliance 

What is CNIL MR-001?

CNIL’s Reference Methodologies (MRs) are pre-approved compliance frameworks for processing personal dataInformation which relates to an identified or identifiable natural person. in health research.  

MR-001 applies to interventional clinical research involving human participants and informed consent. This applies to most commercial clinical trials conducted in France. 

The framework explains how GDPR requirements apply to these studies and provides organisations with a simplified route for complying with French data protection requirements. Rather than seeking formal authorisation from the CNIL for each study, organisations can self-declare conformity with MR-001, provided they can fully meet its requirements. 

This allows sponsors to rely on a pre-established compliance frameworkA series of policies, procedures, actions plans etc. detailing an organisation's compliance with any relevant laws, Codes of Practice etc., avoiding the lengthy and often complex process of applying for individual authorisation from the CNIL. 

What’s the difference between self-declaration and full authorisation under CNIL MR-001?

When conducting a clinical trial in France, sponsors must generally notify the CNIL through one of two routes: 

Formal Application for Medical Research Authorisation 

Organisations can choose to provide detailed information about the research activity, categories of data processed, safeguards implemented, and intended data flows. The CNIL then reviews the submission directly, which can take many months and may involve additional clarification requests. Importantly, authorisation is not guaranteed. 

As a result, full authorisation is typically reserved for studies that cannot meet the conditions of a Reference Methodology, such as where prohibited data flows or operational arrangements are unavoidable. 

Declaration of Conformity with MR-001

For most conventional interventional trials, the self-declaration route is significantly more straightforward. Completed through CNIL’s online portal, the declaration typically requires: 

• Sponsor identification details, including French business identifiers where applicable 
• EU Representative contact information for non-EU sponsors 
• Authorised signatory details for the individual approving the declaration on behalf of the organisation 
• Declaration statement, confirming the organisation commits to complying with MR-001 

Once the declaration has been submitted and acknowledged by the CNIL, participant data can begin to be processed, subject to other applicable clinical and ethical approvals. 

MR-001 declarations are made at organisational rather than trial level, meaning the framework can support multiple qualifying studies once declared. 

However, declaring conformity with MR-001 is not simply an administrative exercise. Organisations are effectively confirming that their trial operations, governance measures, vendor arrangements, and data flows align with CNIL requirements. If this is later found not to be the case, organisations may face regulatory scrutiny, legal liabilities, contractual complications, and reputational consequences. 

Which CNIL MR-001 requirements most commonly catch sponsors out?

The main challenges usually sit within vendor arrangements. Sponsors using global vendors across multiple jurisdictions may need to adapt their processes specifically for French participants in order to align with MR-001 requirements. 

Two areas in particular need careful review: 

• Where identifiable participant data is transferred 
• Whether vendors receive both administrative data and research data 

We look at each of these areas in more detail below. 

1. Cross-border transfers of identifiable participant data are restricted 

For international sponsors operating under the MR-001 framework, identifiable participant data must not be transferred outside the EU unless the recipient is located in a country that benefits from an adequacy decisionA decision adopted by the European Commission on the basis of Article 45 of the GDPR, which establishes that a third country (i.e. a country not bound by the GDPR) or international organisation ensures an adequate level of protection of personal data. Such a decision takes into account the country's domestic law, its supervisory authorities, and international commitments it has.... Unlike typical GDPR transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. scenarios, organisations cannot rely on Standard Contractual ClausesStandard Contractual Clauses are legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries. (SCCs) or other transfer mechanisms to overcome this restriction. 

This means that if a vendor located outside the EU requires access to participant names, addresses, or other directly identifying information, organisations must carefully assess whether the transfer is permitted under MR-001. In many cases, the arrangement may not be compatible with the framework. 

Pseudonymised or coded clinical trial data can still be transferred internationally where appropriate GDPR transfer mechanisms, including SCCs, are in place. However, organisations must clearly understand which vendors receive identifiable participant data, which receive coded health data, and where the contracting legal entities of those vendors are located. 

This frequently affects participant reimbursement providers, ePRO platforms, and home healthcare services.  

In practice, this often means reviewing global vendor arrangements much earlier in the study setup process. Sponsors may need to assess whether: 

• Certain vendors can continue to support French participants 
• Additional safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... or operational changes are required 
• French-specific workflows need to be introduced 

2. Vendors cannot receive both administrative and research data

Under MR-001, vendors can generally receive either administrative data or research data, but not both. 

Administrative data includes any data directly identifying the participant, such as their name or telephone number.  

Research data includes any data relating to the study itself, including participant study subject identification numbers. 

There are limited exemptions to this requirement, including activities relating to: 

• Medical monitoring and associated follow-up activities 
• Administrative tasks, such as participant reimbursement and home delivery 
• The provision of GDPR Article 13 transparency information 
• Quality control activities 

This can create operational challenges for international sponsors because many modern clinical trial services are built around integrated participant support models. A single provider may otherwise manage multiple administrative activities as part of the same service, such as participant communications, reimbursement, scheduling, logistics, and health-related interactions.  

Whilst MR-001 permits certain exceptions, organisations must demonstrate physical and organisational separation between the teams handling each activity, which may prove challenging to demonstrate in practice. 

As a result, organisations may need to adapt vendor arrangements or introduce separate workflows specifically for French participants in order to maintain the required separation between identifying data and health data. 

In practice, sponsors should be able to clearly demonstrate how identifying data and coded health data remain separated down their supply chain. This often requires clear vendor mapping, DPIAs, RoPAs, and oversight of processor responsibilities during study setup. 

Data protection considerations for vendor Data Processing Agreements 

How can sponsors prepare for CNIL MR-001 compliance?

Sponsors should avoid treating MR-001 as a late-stage administrative exercise. In practice, compliance often depends on early planning across legal, privacy, procurement, and study delivery teams. 

Key considerations include: 

• Reviewing vendor arrangements early in study planning  
• Identifying which vendors access identifiable participant data  
• Assessing international transfer implications  
• Aligning DPIAs, contracts, and RoPAs with French requirements  
• Ensuring vendor oversight processes accurately reflect how participant data is handled in practice  

For multinational clinical trials, understanding these requirements early can help organisations avoid delays, vendor complications, and operational redesign work later in the study lifecycle. 

The DPO Centre supports Life Sciences organisations with clinical trial data protection compliance, including MR-001 alignment. Get in touch to discuss your CNIL compliance strategy.

In case you missed it…

• Clinical trials part 4: Practical approaches to DPIAs 
• Clinical trials and GDPR: 5 common misconceptions and how to overcome them
• Pseudonymisation under the GDPR: What the latest EU ruling means for organisations