CNIL fines IQVIA €5m over health data warehouse breaches

Scott Dooley
5 min read · May 29, 2026

On 26 May 2026, the French data protection authority CNIL fined IQVIA Operations France €5 million over failures in two authorised health data warehouses. The regulator published the decision on 28 May 2026, made the sanction public, and gave the company six months to fix some of the remaining breaches or face a further penalty of €10,000 per day.

This matters because the case cuts across three arguments large organisations still make when they process sensitive data at scale. First, “the data is anonymous”. Second, “our partners handle the notice”. Third, “the warehouse was authorised, so the hard part is done”. CNIL rejected all three on the facts it published.

What CNIL said IQVIA was doing

According to the CNIL notice, IQVIA relied on two health data warehouses that the regulator had previously authorised: the LRX warehouse, fed by data from around 14,000 pharmacies, and the EMR warehouse, fed by data from several thousand doctors. IQVIA used the warehouses to run studies for itself and for pharmaceutical clients.

CNIL said complaints from individuals and associations, alongside a television investigation, triggered inspections at the company and at partner pharmacies. Those inspections led the restricted committee to conclude that IQVIA was not complying with the conditions attached to the authorisations, especially around informing people, handling objections, and securing the data.

Why the “anonymous data” argument failed

One of the more important parts of the case is CNIL’s rejection of IQVIA’s claim that the data in the warehouses was anonymous. The regulator said it was only pseudonymous. In its summary, CNIL points to the unique identifier attached to each patient, the depth of the information collected, and the possibility of combining IQVIA’s dataset with publicly available information to work back to an individual.

That matters because data that is merely pseudonymised is still personal data, so every GDPR obligation that attaches to personal data remains in play. CNIL expressly linked that point to the rights and safeguards that were supposed to protect data subjects in the warehouse model. For teams still treating pseudonymisation as an escape hatch, this is a costly reminder that it is a safeguard, not an exemption.
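
The three features CNIL points to (a stable per-patient identifier, depth of attached information, and linkability to public data) can be checked mechanically. The following is an added illustration, not CNIL's analysis or IQVIA's data: it builds a small pseudonymised extract from constructed source rows with a keyed hash, joins it against a constructed public directory on the usual quasi-identifiers (birth year, postcode, sex), and reports the extract's k-anonymity and which tokens resolve to a single named person. The key, identifiers, names and the directory itself are assumptions for the example.

```python
"""Why a pseudonymised extract is still personal data: a linkage check.

Added example; not CNIL's or IQVIA's data. All rows are constructed, and the
"public" directory stands in for any auxiliary source (electoral roll,
professional directory, social media profile) that can be joined against."""
import hashlib
import hmac
from collections import defaultdict

SECRET_KEY = b"warehouse-pseudonymisation-key"  # constructed, illustrative only


def tokenise(national_id: str) -> str:
    """Stable per-patient token (keyed hash). Without the key the token cannot
    be reversed, but it still links every visit of one patient, which is
    exactly what makes the extract pseudonymous rather than anonymous."""
    return hmac.new(SECRET_KEY, national_id.encode(), hashlib.sha256).hexdigest()[:12]


# Constructed identified source rows: (national_id, birth_year, postcode, sex, product)
SOURCE = [
    ("1610775011001", 1961, "75011", "F", "insulin glargine"),
    ("1610775011001", 1961, "75011", "F", "metformin"),
    ("1840469003002", 1984, "69003", "M", "sertraline"),
    ("1840469003003", 1984, "69003", "M", "amoxicillin"),
    ("2990113008004", 1999, "13008", "F", "levothyroxine"),
]

# What leaves the pharmacy: identifier replaced by a token, everything else kept.
PSEUDONYMISED = [(tokenise(nid), by, pc, sex, prod) for nid, by, pc, sex, prod in SOURCE]

# Constructed public directory: a name plus the same quasi-identifiers.
PUBLIC = [
    ("Marie D.", 1961, "75011", "F"),
    ("Luc P.", 1984, "69003", "M"),
    ("Karim B.", 1984, "69003", "M"),
    ("Inès R.", 1999, "13008", "F"),
    ("Sofia M.", 1999, "13008", "F"),
]


def quasi_key(birth_year, postcode, sex):
    return (birth_year, postcode, sex)


def k_anonymity(rows) -> int:
    """Smallest number of distinct patients sharing one quasi-identifier
    combination. k == 1 means at least one patient is unique in the extract."""
    patients_per_key = defaultdict(set)
    for token, by, pc, sex, _ in rows:
        patients_per_key[quasi_key(by, pc, sex)].add(token)
    return min(len(s) for s in patients_per_key.values())


def link(rows, public):
    """Map each token to the public identities matching its quasi-identifiers,
    together with the full dispensing history the token ties together."""
    by_key = defaultdict(list)
    for name, by, pc, sex in public:
        by_key[quasi_key(by, pc, sex)].append(name)
    result = {}
    for token, by, pc, sex, product in rows:
        entry = result.setdefault(token, {"candidates": by_key[quasi_key(by, pc, sex)], "history": []})
        entry["history"].append(product)
    return result


def reidentified(rows, public):
    """Tokens that resolve to exactly one public identity: name -> history."""
    out = {}
    for entry in link(rows, public).values():
        if len(entry["candidates"]) == 1:
            out[entry["candidates"][0]] = entry["history"]
    return out


if __name__ == "__main__":
    print("k-anonymity of extract:", k_anonymity(PSEUDONYMISED))
    for name, history in reidentified(PSEUDONYMISED, PUBLIC).items():
        print(f"{name} re-identified; full history exposed: {history}")
```

Note what the keyed hash does and does not do: the token is unguessable, yet because it is stable, one successful join exposes every record that shares it. That is the "unique identifier" plus "depth of information" combination CNIL describes, and the only fix that changes the answer is to reduce the quasi-identifiers or generalise them until k rises, not to hash harder.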

What the regulator found

CNIL’s published summary and the underlying deliberation SAN-2026-008 describe four practical failures.

  • For both warehouses, IQVIA did not have measures to analyse connection logs regularly enough to detect abnormal activity effectively.
  • For the EMR warehouse, access to the data was not protected with multi-factor authentication.
  • For the EMR warehouse, the patient information sheet contained inaccuracies and there was no effective process for people to exercise their right to object.
  • For the LRX warehouse, inspections at four pharmacies found that customers were not being informed that their data was being transferred to IQVIA.
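
The first finding above, connection logs that exist but are not analysed, is the kind of gap a small scheduled job closes. The block below is an added example, not IQVIA's tooling or anything CNIL published: it parses constructed access-log lines in an assumed key=value format and applies four detections a practitioner would want on a health data warehouse (failed logins followed by success, activity outside business hours, bulk reads, and a successful event from a source address not previously seen for that user). The log format, the business-hours window and the bulk threshold are assumptions.

```python
"""Connection-log review for a data warehouse: detections a scheduled job
would run over access logs.

Added example; the log format and thresholds are assumptions, not IQVIA's or
CNIL's. The sample lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+) result=(?P<result>ok|fail)$"
)

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 UTC is normal activity
BULK_ROWS = 100_000             # assumption: larger reads need a ticket
FAILED_LOGINS_BEFORE_ALERT = 2  # consecutive failures that make a later success suspicious

# Constructed sample log (one analyst, one data manager, one bad night).
SAMPLE_LOG = """\
2026-03-02T09:02:11Z user=analyst7 src=198.51.100.20 action=login rows=0 result=ok
2026-03-02T09:05:40Z user=analyst7 src=198.51.100.20 action=query rows=1200 result=ok
2026-03-02T23:41:03Z user=analyst7 src=203.0.113.9 action=login rows=0 result=fail
2026-03-02T23:41:20Z user=analyst7 src=203.0.113.9 action=login rows=0 result=fail
2026-03-02T23:41:35Z user=analyst7 src=203.0.113.9 action=login rows=0 result=ok
2026-03-02T23:44:10Z user=analyst7 src=203.0.113.9 action=export rows=480000 result=ok
2026-03-03T10:15:00Z user=datamgr2 src=198.51.100.21 action=query rows=300 result=ok
""".splitlines()


def parse(line):
    """Return the event as a dict, or None for a line that does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["rows"] = int(ev["rows"])
    return ev


def analyse(lines):
    """Return a list of (rule, user, timestamp) alerts in log order."""
    alerts = []
    seen_src = defaultdict(set)   # user -> source addresses seen with a successful event
    fails = Counter()             # user -> consecutive failed logins
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparseable", "-", line))  # never silently drop a line
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["action"] == "login" and ev["result"] == "fail":
            fails[user] += 1
            continue
        if ev["result"] != "ok":
            continue
        if ev["action"] == "login":
            # Password guessing that ends in a success; MFA would have blunted it.
            if fails[user] >= FAILED_LOGINS_BEFORE_ALERT:
                alerts.append(("fail_then_success", user, ts))
            fails[user] = 0
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, ts))
        if ev["rows"] >= BULK_ROWS:
            alerts.append(("bulk_read", user, ts))
        # First address for a user is taken as the baseline; anything else is new.
        if seen_src[user] and ev["src"] not in seen_src[user]:
            alerts.append(("new_source", user, ts))
        seen_src[user].add(ev["src"])
    return alerts


def summary(lines):
    """Alert counts per rule, the figure a review log would record each run."""
    return Counter(rule for rule, _, _ in analyse(lines))


if __name__ == "__main__":
    for rule, user, when in analyse(SAMPLE_LOG):
        print(f"{when} {rule:18} {user}")
    print(dict(summary(SAMPLE_LOG)))
```

The point for the "evidenced" part of the finding is the summary: a review that runs on a schedule and records what it looked at and what it raised is auditable, whereas logs that are merely retained are not a control.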

CNIL also found that IQVIA had carried out some studies using the LRX warehouse outside the applicable legal framework, and that pharmacy software still transmitted customer data even where a refusal had been recorded. That last point is a classic Article 25 GDPR problem: if the system design ignores an objection or refusal state, the policy on paper does not help much.
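
One way that design failure arises is a consent or refusal flag frozen into the sales record when it is written, so a refusal lodged later is never consulted when the batch goes out. The block below is an added example of that flaw beside a corrected version; it is not the pharmacy software's real logic, and the record layout, identifiers and objection log are constructed for illustration. It follows the objection model the finding describes (transmit unless a refusal is on file); a consent-based design would invert the default.

```python
"""Honouring a recorded refusal at the point of transmission.

Added example of the design flaw described above and one way to fix it. The
record layouts, identifiers and objection log are assumptions, not the
pharmacy software's real logic; all data is constructed."""
from dataclasses import dataclass
from datetime import datetime


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


@dataclass(frozen=True)
class Dispensing:
    customer_id: str
    at: datetime
    product: str
    consent_ok: bool   # snapshot taken when the sale was recorded (the flaw)


# Constructed objection log: (customer_id, recorded_at, choice).
# The latest entry for a customer is the one that counts.
CHOICES = [
    ("c-001", ts("2026-01-10T10:00"), "refused"),
    ("c-002", ts("2026-01-11T09:30"), "accepted"),
    ("c-002", ts("2026-02-01T16:45"), "refused"),   # objected later
    ("c-003", ts("2026-01-12T11:00"), "accepted"),
]


def choice_as_of(customer_id, when):
    """Latest recorded choice for the customer at 'when'; None if nothing is on file."""
    latest = None
    for cid, at, choice in CHOICES:
        if cid == customer_id and at <= when and (latest is None or at > latest[0]):
            latest = (at, choice)
    return latest[1] if latest else None


def record_sale(customer_id, sold_at, product):
    """What the till does: stamp the refusal state known at the time of sale."""
    when = ts(sold_at)
    return Dispensing(customer_id, when, product, choice_as_of(customer_id, when) != "refused")


SALES = [
    record_sale("c-001", "2026-01-15T12:00", "ibuprofen"),
    record_sale("c-002", "2026-01-20T15:30", "sertraline"),   # sold before the objection
    record_sale("c-002", "2026-02-03T10:10", "sertraline"),   # sold after it
    record_sale("c-003", "2026-02-05T09:00", "amoxicillin"),
    record_sale("c-004", "2026-02-06T09:00", "paracetamol"),  # no choice on file
]


def export_unsafe(sales):
    """Flawed: trusts the flag frozen into the record. A refusal recorded after
    the sale but before the export is never seen, so c-002's January record
    still goes out."""
    return [s for s in sales if s.consent_ok]


def export_safe(sales, export_time):
    """Re-evaluates the objection log at transmission time. Returns the records
    to send and an audit list of suppressed ones with the reason, so the
    suppression itself is evidenced."""
    sent, suppressed = [], []
    for s in sales:
        if choice_as_of(s.customer_id, export_time) == "refused":
            suppressed.append((s.customer_id, s.at, "refusal on file at export"))
        else:
            sent.append(s)
    return sent, suppressed


if __name__ == "__main__":
    print("unsafe export sends:", [s.customer_id for s in export_unsafe(SALES)])
    sent, suppressed = export_safe(SALES, ts("2026-02-10T02:00"))
    print("safe export sends:", [s.customer_id for s in sent])
    print("suppressed:", suppressed)
```

The check a reviewer should run against the real integration is the same as the test here: lodge a refusal after a sale has been captured, run the next export, and confirm the earlier record is suppressed and the suppression is logged.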

Why this is bigger than one French enforcement action

The headline amount is large, but the operational lesson is larger. CNIL is saying that an authorisation for a health data warehouse is not a one-off green light. The controller still has to prove that the live system matches the authorised model. If the information notice is wrong, the objection route does not work, or the controls around access are weak, the authorisation becomes part of the evidence against you rather than a shield.

That point should land with any organisation using sensitive data for analytics, research, product development, or client studies. Health data is a special case, but the compliance pattern is general: if you depend on third parties to present notices, capture objections, or honour a suppression flag, you still own the outcome as controller. The same wider enforcement pattern shows up in other recent GDPR fines, where weak operational controls sit behind the legal finding.

The security lesson is equally plain. CNIL’s criticism was not about exotic security tooling. It focused on missing basics: log review and multi-factor authentication. That should sound familiar to anyone following health-sector enforcement in the UK as well as the EU.

What managers should check now

  1. Review whether any “anonymous” dataset in your environment is actually only pseudonymous once identifiers, linked records, or external datasets are considered.
  2. Test your information and objection process in the live workflow. Do not rely on a template notice sitting in a legal folder.
  3. Check whether partner locations, clinics, pharmacies, or resellers are the only point where data subjects are supposed to be informed. If they are, audit what happens in practice.
  4. Confirm that access to sensitive analytics environments uses multi-factor authentication and that log review is real, scheduled, and evidenced.
  5. Inspect product and integration logic to make sure a refusal, objection, or opt-out state actually stops downstream transmission.

For UK organisations, the facts come from France, but the control lessons travel. Transparency duties under Article 14 GDPR, privacy by design under Article 25 GDPR, and the obligation to respect the legal conditions for health data processing are not niche requirements. They are the mechanism regulators use to test whether a sensitive-data programme works in the real world.

If your team needs the basics in place before tackling specialist health-data projects, the courses page is the starting point for GDPR and PECR training that covers transparency, data subject rights, accountability, and operational controls.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.