Health Data Warehouses (HDW): securing programmes from design to deployment
As a law firm specialising in personal data and health data, we support the legal, compliance, data and medical affairs teams of pharmaceutical groups in designing, implementing and scaling their Health Data Warehouses (HDW): GDPR compliance and CNIL requirements, governance and data access, contracting and vendor management, security, transparency, and the legal framework for use cases (research, clinical trials, real‑world evidence (RWE), pharmacovigilance, innovation).
Our services
Strategic scoping of the HDW and its use cases (research, clinical trials, RWE/real‑world studies, pharmacovigilance, public health, academic partnerships).
GDPR compliance: qualification of processing activities (primary/secondary use), purposes, legal bases, role allocation (controller / joint controller / processor), retention, records and documentation.
Risk assessment and DPIA support: methodology, risk mitigation measures, decision logs and traceability.
CNIL HDW framework: implementation of applicable requirements, compliance roadmap, regulatory filing strategy (CNIL authorisation where required) and preparation of interactions with the authority.
Pseudonymisation / anonymisation: legal analysis aligned with technical choices, key governance and re‑identification risk assessment.
Governance and data access: committees, eligibility criteria, request intake and review workflow, access rules, authorisation policies, traceability and auditability.
Data sharing & partnerships: agreements for sharing data or making it available, consortia, researcher access, alignment with transparency and confidentiality obligations.
Contracting and vendor management: GDPR clauses, security, onward processing chains, supplier audits, reversibility, service levels and incident management.
Hosting and HDS requirements: contractual structuring, responsibilities, location, sub‑processors and applicable security requirements.
Information and transparency: privacy notices, objection mechanisms where applicable, and implementation of a transparency portal.
Data security: organisational and technical requirements (access control, logging, segmentation, encryption, vulnerability and incident management).
AI and value creation: legal framework for AI use cases connected to the HDW (responsibilities, compliance, governance, security requirements and bias management).
EHDS: anticipating and building a compliance trajectory for the European Health Data Space Regulation (secondary use, governance and security requirements).
International transfers and multi‑country programmes: transfer impact assessments, SCCs, supplementary measures and group governance.
Targeted training (legal, compliance, data/IT, medical) and implementation workshops with your teams and vendors.
Use cases (pharmaceutical industry)
Setting up a group HDW for RWE analyses, observational studies and product performance monitoring, with robust access governance and traceability.
Integrating clinical trial data and real‑world sources (registries, hospital partners, platforms) and contractually securing data flows.
Implementing transparency and information pathways (portal, notices) for large‑scale processing.
Structuring vendor management (HDS host, integrator, data/AI providers) and preparing for internal/external audits.
We also provide dedicated regulatory monitoring to support decision‑making in a fast‑moving French and European landscape (authority guidance and recommendations, EHDS developments, sector‑specific rules and regulators’ updates).
Why entrust us with your HDW programme?
Group‑level standards: securing large‑scale programmes, harmonising practices and deliverables, and implementing robust access governance.
Operational and audit‑ready approach: documentation and contractual clauses aligned with internal requirements, supplier audits and supervisory authority reviews.
360° perspective: alignment between GDPR, the CNIL HDW framework, security requirements, AI and the EHDS trajectory.
Multi‑jurisdiction capability: European programmes and international transfers (SCCs, supplementary measures, group governance).
Cross‑functional coordination: working at the interface of Legal, Compliance, Data, IT/Security, Medical Affairs and Pharmacovigilance teams, as well as vendors.
Our approach
Scoping: objectives, perimeter, mapping of data flows and stakeholders.
Compliance & risk: legal qualification, DPIA, security measures and governance.
Contracting: processing arrangements, data sharing, reversibility, audits.
Transparency & deployment: information, portal, access procedures, documentation.
Ongoing steering: changes, new use cases, monitoring and updates to deliverables.