Message 001
Communication from the Commission - TRIS/(2025) 3364
Directive (EU) 2015/1535
Notification: 2025/0708/FR
Notification of a draft text from a Member State
Notification – Notification – Notifzierung – Нотификация – Oznámení – Notifikation – Γνωστοποίηση – Notificación – Teavitamine – Ilmoitus – Obavijest – Bejelentés – Notifica – Pranešimas – Paziņojums – Notifika – Kennisgeving – Zawiadomienie – Notificação – Notificare – Oznámenie – Obvestilo – Anmälan – Fógra a thabhairt
Does not open the delays - N'ouvre pas de délai - Kein Fristbeginn - Не се предвижда период на прекъсване - Nezahajuje prodlení - Fristerne indledes ikke - Καμμία έναρξη προθεσμίας - No abre el plazo - Viivituste perioodi ei avata - Määräaika ei ala tästä - Ne otvara razdoblje kašnjenja - Nem nyitja meg a késéseket - Non fa decorrere la mora - Atidėjimai nepradedami - Atlikšanas laikposms nesākas - Ma jiftaħx il-perijodi ta’ dewmien - Geen termijnbegin - Nie otwiera opóźnień - Não inicia o prazo - Nu deschide perioadele de stagnare - Nezačína oneskorenia - Ne uvaja zamud - Inleder ingen frist - Ní osclaíonn sé na moilleanna
MSG: 20253364.EN
1. MSG 001 IND 2025 0708 FR EN 25-11-2025 FR NOTIF
2. France
3A. Ministères économiques et financiers
Direction générale des entreprises
SCIDE/SQUALPI - Pôle Normalisation et réglementation des produits
Bât. Sieyès -Teledoc 143
61, Bd Vincent Auriol
75703 PARIS Cedex 13
3B. Délégation au numérique en santé
Ministère de la Santé et de la Prévention
14 avenue Duquesne
75007 PARIS
4. 2025/0708/FR - SERV - INFORMATION SOCIETY SERVICES
5. Decree amending certain provisions relating to the hosting of personal health data
6. Hosting of personal health data
7.
8. 8. This decree, issued pursuant to Article 31 of the SREN Act, aims to:
(1) Specify the sovereignty obligations set out in IV of Article L.1111-8 of the Public Health Code, by incorporating requirements 28 to 31 of the HDS standard notified under notification number 2023/0682/FR:
- It requires that health data be hosted exclusively on the territory of a Member State of the European Union or party to the European Economic Area. In the case of remote access from a third country, such access must be based on an adequacy decision of the European Commission or, failing that, on appropriate safeguards detailed in the hosting contract.
- It introduces new contractual obligations for hosting providers, who must inform their clients about extra-European regulations that may lead to unauthorised transfer or access to data, the measures put in place to limit their effects, any remaining residual risks.
- A transparency obligation is introduced, requiring hosting providers to publish and update a map of data transfers to countries outside the EEA and a description of the risks of unauthorised access.
(2) Bring certain provisions of Article R.1111-11 into line with those of the GDPR:
- On the content of the contractual clause concerning the modalities for the exercise of the rights of data subjects with the rights actually provided for in the GDPR.
- On requirement 19, aligned with the GDPR to target individuals' rights as provided for in the GDPR, when it is updated in 2024.
9. Article 32 of the SREN Act amends Article L.1111-8 IV of the Public Health Code (CSP) by adding new data sovereignty obligations to be complied with by hosts of personal health data, providing, on the one hand, the obligation to store data in the EU and, on the other hand, by providing for new stipulations that must be included in the contract between the host and its client in view of the risks of personal data being transferred or accessed without authorisation by non-European legislation.
The content of these contractual obligations and stipulations must now be specified by decree of the Council of State.
Article 32 of the SREN Law also provides that the hosting of health data as part of an electronic archiving service is now subject to the ‘health data host’ (HDS) certification requirement, in addition to being approved by the Minister for Culture. This amendment to the law does not imply any regulatory changes, except for the clarification that the hosting activity corresponding to the “safeguarding of health data” includes the activity of “electronic archiving”.
The notified project complies with European regulations on personal data, in particular Regulation (EU) 2025/327 on the European Health Data Space (EHDS). In particular, the obligation for health data hosts to locate physical data within the EU or EEA is consistent with Article 86 of the EEDS Regulation, which expressly grants Member States the option of limiting the storage of health data to the territory of the EU. Furthermore, the submission of remote access to data from a third country by the host or one of its processors to an adequacy decision by the Commission pursuant to Article 46 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) complies with Article 90 of the EHDS Regulation, which gives Member States the possibility to maintain or introduce additional conditions relating to international access to health data. Finally, the obligation to include, in the absence of an adequacy decision by the Commission, the measures taken to address the risks of unauthorised transfer or access to such data by third countries outside the EU or the EEA is also in line with Article 90 of the EEDS Regulation, which gives Member States the option of subjecting the transfer of personal data to additional protection conditions.
10. References to basic texts: 2023/0682/FR, 2017/0343/F
The basic texts were forwarded with an earlier notification:
2023/0682/FR
2017/0343/F
11. No
12.
13. No
14. No
15. No
16.
TBT aspects: No
SPS aspects: No
**********
European Commission
Contact point Directive (EU) 2015/1535
email: grow-dir2015-1535-central@ec.europa.eu