Message 001
Communication from the Commission - TRIS/(2023) 3385
Directive (EU) 2015/1535
Notification: 2023/0682/FR
Notification of a draft text from a Member State
Notification – Notification – Notifizierung – Нотификация – Oznámení – Notifikation – Γνωστοποίηση – Notificación – Teavitamine – Ilmoitus – Obavijest – Bejelentés – Notifica – Pranešimas – Paziņojums – Notifika – Kennisgeving – Zawiadomienie – Notificação – Notificare – Oznámenie – Obvestilo – Anmälan – Fógra a thabhairt
Does not open the delays - N'ouvre pas de délai - Kein Fristbeginn - Не се предвижда период на прекъсване - Nezahajuje prodlení - Fristerne indledes ikke - Καμμία έναρξη προθεσμίας - No abre el plazo - Viivituste perioodi ei avata - Määräaika ei ala tästä - Ne otvara razdoblje kašnjenja - Nem nyitja meg a késéseket - Non fa decorrere la mora - Atidėjimai nepradedami - Atlikšanas laikposms nesākas - Ma jiftaħx il-perijodi ta’ dewmien - Geen termijnbegin - Nie otwiera opóźnień - Não inicia o prazo - Nu deschide perioadele de stagnare - Nezačína oneskorenia - Ne uvaja zamud - Inleder ingen frist - Ní osclaíonn sé na moilleanna
MSG: 20233385.EN
1. MSG 001 IND 2023 0682 FR EN 05-12-2023 FR NOTIF
2. France
3A. Ministères économiques et financiers
Direction générale des entreprises
SCIDE/SQUALPI - Pôle Normalisation et réglementation des produits
Bât. Sieyès - Teledoc 143
61, Bd Vincent Auriol
75703 PARIS Cedex 13
3B. Délégation au numérique en santé
Ministère de la Santé et de la Prévention
14 avenue Duquesne
75007 PARIS
4. 2023/0682/FR - S00S - HEALTH, MEDICAL EQUIPMENT
5. Order amending the Order of 11 June 2018 approving the accreditation framework of certification bodies and the certification framework for hosting personal health data
6. The activity of hosting personal health data on digital media
7.
8. This draft Order amends the accreditation framework for certification bodies and the certification framework for hosting personal health data.
In accordance with the provisions of Articles L.1111-8 and R.1111-10 of the Public Health Code, all personal health data hosts must be in possession of a certificate of conformity issued by a certification body on the basis of a certification framework, approved by order of the Minister for Health.
The main changes to the certification framework for the hosting of health data are intended to:
- Clarify which activities hosting providers have obtained certification for, in particular by specifying the definition of the activity of administering and operating health systems;
- Improve the readability of the guarantees the host provides to each provider using its services;
- Clarify the host’s contractual obligations;
- Incorporate changes to ISO 27001 into the certification framework for hosting health data.
The revised health data hosting framework also proposes to add four new data sovereignty requirements, specifically:
- Restricting the storage of health data to the territory of a State forming part of the European Economic Area;
- Two requirements relating to the host’s transparency vis-à-vis its customers:
  - Informing them of any transfer to, or remote access of, the customer’s data from a territory outside the European Economic Area (EEA) which does not ensure an adequate level of data protection within the meaning of Article 45 of the GDPR, and of the organisational and technical measures implemented to regulate such a transfer;
  - Informing them of any subjection to extra-Community regulations which could entail a risk of access to the data by a body located in a country which does not ensure an adequate level of data protection within the meaning of Article 45 of the GDPR, and of the measures taken to mitigate that risk;
- A transparency requirement vis-à-vis its potential customers: the host must make public and keep up to date detailed information on any transfers of data it hosts to a non-EEA country and on the measures taken to ensure compliance with the GDPR.
9. The mandatory certification procedure for hosting personal health data, created by law, is intended to guarantee users and healthcare professionals that this sensitive data within the meaning of the GDPR, entrusted as part of medical care, is secure.
This draft Order is adopted pursuant to Articles L.1111-8 and R.1111-10 of the Public Health Code to approve a revised version: on the one hand, the certification framework for the hosting of health data, and on the other hand the accreditation framework for certification bodies, which were initially approved by the Order of 11 June 2018. Decree No 2018-137, which created the provisions of Articles R. 1111-8-8 et seq. of the Public Health Code, as well as the Order of 11 June 2018, were both notified to the European Commission in 2017.
The overall certification scheme implemented in 2018 has not been changed, with only some points being updated.
The only requirements added to the certification framework relate to the sovereignty of health data and aim to ensure compliance with the GDPR (the previous framework having been approved before the entry into force of the GDPR).
The certification scheme for the hosting of health data must provide guarantees to stakeholders in the health and medico-social sector with regard to data protection vis-à-vis non-EU legislation that could entail a risk of data disclosure, and should not provide guarantees to individuals as to the effectiveness of their rights under the General Data Protection Regulation (GDPR).
The framework was the subject of an opinion issued by the French Data Protection Authority (CNIL) dated 13 July 2023.
Pending the outcome of the discussions at European level on future European frameworks (EUCS – European Cybersecurity Certification Scheme for Cloud services), it was decided not to align it, to date, with the requirements in terms of extraterritorial immunity laid down by the French framework called “SecNumCloud version 3.2”, adopted by the ANSSI (the French Information Systems Security Agency).
10. References to basic texts: 2017/0343/F, 2017/0379/F
The basic texts were sent with a previous notification:
2017/0343/F
2017/0379/F
11. No
12.
13. No
14. No
15. No
16.
TBT aspects: No
SPS aspects: No
**********
European Commission
Contact point Directive (EU) 2015/1535
email: grow-dir2015-1535-central@ec.europa.eu