Decision SAN-2026-008 of 26 May 2026
On 26 May 2026, the CNIL imposed a fine of five million euros on the company IQVIA OPERATIONS France.
The supervisory authority found that the company, which specialises in medical research, had failed to comply with the safeguards designed to limit risks in the management of health data warehouses.
Initially, the company had been authorised by the CNIL to set up two health data warehouses in order to carry out its research. In practice, the first of these warehouses was populated with data collected from pharmacies, whilst the second was populated with data collected from doctors.
This health data, which is particularly sensitive by its very nature, required enhanced protection in accordance with Article 9 of the GDPR.
However, following inspections, the CNIL identified several breaches of the terms set out in the authorisations granted. These breaches related in particular to:
- Data security,
- Informing individuals,
- The exercise of individuals’ rights.
Because the GDPR applies only to the processing of personal data, the Commission first had to determine whether such processing took place at all (anonymous data, by definition, falls outside the Regulation) before it could rule on the alleged breaches of these obligations.
On the non-anonymous nature of the data
The company argued that the data contained in the data warehouses had been anonymised, which ruled out the application of the GDPR.
In support of its defence, the company relied on the CJEU’s ‘SRB’ judgment of 4 September 2025. It argued that the concept of personal data was relative rather than absolute. According to that judgment, pseudonymised data may not constitute personal data in the hands of a recipient, provided that effective technical and organisational measures prevent that recipient from accessing any identifying information; unlike the data controller, the recipient cannot override those measures.
The restricted committee rejected this argument: it considered that, unlike the situation examined in the SRB judgment, the company was not merely a recipient of pseudonymised data. The company was, in fact, responsible for all the processing operations concerned, from collection to pseudonymisation, as well as for the storage of the data in the warehouses. This factor alone, according to the CNIL, is sufficient to rule out the possibility that the data could be considered anonymous.
Furthermore, in this case, each record was linked to a unique identifier per patient, which remained the same regardless of the pharmacy from which the patient’s data was collected. It was therefore possible, by reasonable means, to re-identify the data subjects. Moreover, the data was extensive and detailed, which made re-identification by cross-referencing with external sources all the more likely. In particular, the data as a whole made it possible to trace a patient’s course of treatment and to identify individual customers and their medical conditions.
Consequently, the restricted committee considered that the data could not be regarded as anonymous, and constituted pseudonymised data within the meaning of Article 4(5) of the GDPR. As things stood, the processing of this pseudonymised data therefore remained subject to the GDPR.
On the breach of the obligation to comply with authorisations issued by the CNIL
In accordance with Article 66-III of the French Data Protection Act, authorisation from the CNIL is required to process health data where the processing does not conform to one of the reference frameworks adopted by the CNIL.
This authorisation was granted to the company in 2018 and 2021. It was subject to safeguards relating, in particular, to the information and rights of data subjects, as well as to the security of the data processed.
In this case, the Commission identified four breaches of the commitments on which the authorisations initially granted were conditional.
- Network segmentation: the data warehouse was not isolated in a dedicated network zone, which made pivoting (lateral movement from another compromised host) easier, a risk compounded by the absence of multi-factor authentication;
- Access traceability: no measures, such as analysis of connection logs, were in place to detect access anomalies effectively;
- Patient information: the information leaflet provided to patients contained inaccuracies regarding the data retention period, which contravened Article 66 of the French Data Protection Act;
- Exercise of rights: it was not possible for data subjects to effectively exercise their right to object, which contravened Article 21 of the GDPR.
Finally, the CNIL identified a breach under Article 25 of the GDPR. It found that the data extraction modules were transmitting patients’ data even when pharmacists had refused to participate in the scheme. The Commission considered that this situation revealed a configuration error and, consequently, a breach of the ‘privacy by default’ requirement.
Regarding the breach of the obligation to provide information
The defendant company also failed to comply with the obligation of transparency guaranteed by Article 14 of the GDPR. This article requires the data controller to inform an individual when their personal data has not been collected directly from them.
In this case, customers’ personal data was collected via pharmacies, with the company regarded as the controller for the entire processing operation, from collection at the pharmacy to feeding the data into the warehouse.
Yet none of the pharmacies inspected informed customers of this processing.
Regarding the sanctions imposed
The CNIL also issued an injunction requiring the company to bring itself into compliance on certain points within six months, subject to a penalty of 10,000 euros per day of delay.
As regards the fine set at five million euros, the CNIL stated that it had based its decision on several criteria:
- The seriousness of the breaches, given the sensitive nature of the data;
- The number of data subjects, which ran into tens of millions;
- The company’s market position as a ‘world leader in clinical research and health data’;
- The company’s financial capacity, based on its global turnover.
This first major sanction imposed by the CNIL in relation to a health data warehouse serves as a reminder that authorisation from the CNIL is always conditional upon the data controller’s effective compliance with its obligations, and that monitoring of these obligations must be planned in advance. Finally, through this decision, the CNIL provides a concrete application of the criteria set out in the ‘SRB’ judgment, which it interprets strictly.