France's data protection authority yesterday sanctioned IQVIA OPERATIONS FRANCE with a €5 million administrative fine for multiple violations tied to the management of two health data warehouses holding records on tens of millions of patients. The decision, published on Légifrance on May 28, 2026, follows a formal hearing held on March 26, 2026, and was issued under deliberation SAN-2026-008 dated May 26, 2026.
The case closes a regulatory proceeding that began with on-site inspections at the company's Courbevoie headquarters and six Parisian pharmacies in July and autumn 2021, triggered by a broadcast investigation into how patient data flows through private pharmaceutical analytics networks. It is one of the larger health data enforcement actions the CNIL has taken against a private sector actor, and it arrives as European regulators are still processing the consequences of a September 2025 European Court of Justice ruling on pseudonymized data - a ruling IQVIA had tried, and failed, to use as a shield.
Who is IQVIA and what are the warehouses
IQVIA OPERATIONS FRANCE is a subsidiary of the US-listed group IQVIA, which presents itself on its website as the global leader in clinical research and health data. According to the formal deliberation, the French entity recorded revenue of 152.6 million euros in 2023, with a net profit of 23.3 million euros. Its parent, IQVIA HOLDINGS INC., reported revenue of 15 billion dollars for the same year - approximately 12.9 billion euros - and a net profit of 1.3 billion dollars.
The company's French operations centre on two authorized health data warehouses. The first, called LRX (Longitudinal prescription data), was authorized by the CNIL on July 12, 2018, under deliberation 2018-289. It is fed by data collected from approximately 14,000 partner pharmacies. The second, called EMR (Electronic medical records), was authorized on February 4, 2021, under deliberation 2021-015, and draws on data from approximately 2,000 to 3,000 partner physicians. Both were authorized under article 66 of the French Data Protection Act (loi Informatique et Libertes), which requires prior CNIL authorization for health data processing not conforming to a standard reference methodology.
According to IQVIA's own promotional materials cited in the deliberation, the LRX warehouse tracks 20 million patients over time. The EMR warehouse covers general practice and specialist consultation data. The combined scope - tens of millions of people whose prescription and clinical records flow into private research infrastructure without their awareness - is central to why the formation restreinte, the CNIL's enforcement chamber, treated the violations as serious.
How the LRX data pipeline works
The technical architecture of the LRX system is detailed in the deliberation and is worth examining. When a pharmacist records a medication sale in their pharmacy management software (logiciel de gestion d'officine, or LGO), a data extraction module embedded in that software - developed by the LGO publisher for IQVIA, under specifications set by IQVIA - extracts a data package and generates what the company calls a "Pharmastat flow." This flow includes the patient's year of birth, sex, and a unique code generated by applying a hashing function to the INS-C, the computed national health identifier built from the patient's health insurance card data. It also includes prescription details.
That flow is sent to a first trusted third party, which performs an additional hash to further obscure the patient identifier, before passing data to a second trusted third party for a further transformation. The resulting pseudonymized records enter the LRX warehouse. In exchange for supplying the data, pharmacies receive sales dashboards from IQVIA.
Crucially, the extraction module runs even at pharmacies that have opted out of the LRX panel - roughly 4,000 of the 14,000 pharmacies under contract. Their patient data was still being extracted and transmitted to the first trusted third party, where it was supposed to be filtered out. The formation restreinte found this violated article 25 of the GDPR, which requires data protection by design and by default. According to the deliberation, IQVIA had full control over the module's specifications and should have ensured the software did not extract patient data where the pharmacist refused transmission.
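The chained pseudonymization and the opt-out filtering described above, modelled as an added Python example (not IQVIA's or the LGO publishers' code): each hop applies its own keyed hash (HMAC-SHA256 is an assumption; the deliberation only says "hashing function"), the INS-C values, secrets and product codes are made up, and the two module variants contrast extracting everything and relying on the first trusted third party to discard opted-out pharmacies with not extracting at all. The relink function assumes, for illustration only, a single party holding all three keys, to show why a chain of hashes is reversible for whoever designed and controls the whole pipeline.

```python
"""Toy model of an LRX-style chained pseudonymization flow.

Constructed example, not IQVIA's code. Assumptions: each hop uses HMAC-SHA256
with its own secret, INS-C values are made-up 15-digit strings, product codes
are placeholders, and opt-out is a per-pharmacy boolean.
"""
import hashlib
import hmac

# Hypothetical secrets for the three hops (not from the deliberation).
MODULE_KEY = b"lgo-module-secret"        # embedded in the pharmacy software module
TTP1_KEY = b"trusted-third-party-1"      # first trusted third party
TTP2_KEY = b"trusted-third-party-2"      # second trusted third party


def keyed_hash(key: bytes, value: str) -> str:
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def build_flow(sale: dict) -> dict:
    """What the extraction module emits for one sale (the 'Pharmastat flow')."""
    return {
        "pharmacy_id": sale["pharmacy_id"],
        "patient_code": keyed_hash(MODULE_KEY, sale["ins_c"]),
        "birth_year": sale["birth_year"],
        "sex": sale["sex"],
        "cip": sale["cip"],  # placeholder product code of the dispensed medication
    }


def module_filter_downstream(sale: dict, opted_out: dict):
    """Sanctioned behaviour: extract regardless, leave filtering to the first TTP."""
    del opted_out  # deliberately ignored by this variant
    return build_flow(sale)


def module_by_design(sale: dict, opted_out: dict):
    """Article 25 behaviour: nothing is extracted when the pharmacy opted out."""
    if opted_out.get(sale["pharmacy_id"], False):
        return None
    return build_flow(sale)


def ttp1(flow, opted_out: dict):
    """First trusted third party: drop opted-out pharmacies, re-hash the code."""
    if flow is None or opted_out.get(flow["pharmacy_id"], False):
        return None
    return {**flow, "patient_code": keyed_hash(TTP1_KEY, flow["patient_code"])}


def ttp2(flow):
    """Second trusted third party: a further keyed transformation."""
    if flow is None:
        return None
    return {**flow, "patient_code": keyed_hash(TTP2_KEY, flow["patient_code"])}


def run_pipeline(sales, opted_out, module):
    """Return (records that left the pharmacies, records that reached the warehouse)."""
    left_pharmacy, warehouse = [], []
    for sale in sales:
        flow = module(sale, opted_out)
        if flow is not None:
            left_pharmacy.append(flow)
        record = ttp2(ttp1(flow, opted_out))
        if record is not None:
            warehouse.append(record)
    return left_pharmacy, warehouse


def controller_relink(warehouse_code: str, candidate_ins_c: str) -> bool:
    """Assumption: one party holds all three keys. It can then test whether a
    warehouse pseudonym belongs to a given INS-C, so the chain is not anonymization
    for the entity that designed and controls it."""
    code = keyed_hash(MODULE_KEY, candidate_ins_c)
    code = keyed_hash(TTP1_KEY, code)
    return keyed_hash(TTP2_KEY, code) == warehouse_code


# Constructed sample sales; PH-002 has refused transmission to the LRX panel.
SALES = [
    {"pharmacy_id": "PH-001", "ins_c": "160012345678901", "birth_year": 1960,
     "sex": "M", "cip": "3400930000001"},
    {"pharmacy_id": "PH-002", "ins_c": "285098765432109", "birth_year": 1985,
     "sex": "F", "cip": "3400930000002"},
]
OPTED_OUT = {"PH-002": True}

if __name__ == "__main__":
    for name, module in [("filter downstream", module_filter_downstream),
                         ("by design", module_by_design)]:
        left, stored = run_pipeline(SALES, OPTED_OUT, module)
        print(f"{name}: {len(left)} records left pharmacies, {len(stored)} reached warehouse")
```

Both variants store the same single record; the difference the deliberation cares about is that the first one lets the opted-out pharmacy's patient data leave the premises and travel to the first trusted third party before anyone discards it.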
The EMR warehouse and its access controls
The EMR warehouse aggregates data from two streams. One, called the Z+ flow, comes from physicians using software published by a named third party. The other, called the DA (disease analysis) flow, comes from physicians in the "Medical 21" network who have contracted directly with IQVIA. Both flows pass through a platform called Hub EMR, hosted by a certified health data hosting provider, before entering the warehouse.
Patient records in EMR contain year of birth, sex, marital status, number of children, socioeconomic category, diagnosis, symptoms, allergies, weight, height, pulse, prescriptions, vaccinations, medical examinations, and sick leave records. Each patient receives a unique identifier per physician, meaning cross-physician tracking is not possible within the EMR warehouse's current design - but longitudinal tracking within a single physician's panel is.
According to the deliberation, the CNIL's 2021 authorization for EMR explicitly required multi-factor authentication for all accounts accessing both the Hub EMR and the warehouse itself. The specification was an identifier and password coupled with a token generating a one-time password. During inspections, the delegation found no such mechanism in place for the warehouse itself. Users were authenticating with a username and password only. The company acknowledged during the inspection that multi-factor rollout was underway but incomplete. It was not completed until March 2026, when IQVIA confirmed the change in a letter to the CNIL.
Similarly, neither the LRX nor the EMR warehouse had implemented the network segmentation required by both authorizations. Without it, a compromised workstation on the internal network, or a laptop connected remotely via VPN, could reach the warehouse servers directly, so one phished user or infected machine becomes a path to the most sensitive servers, with the warehouse's own login (password-only at the time, as noted above) the last barrier. The formation restreinte cited guidance from France's cybersecurity agency ANSSI on network zoning, noting that an unsegmented network lets attackers pivot from a compromised user machine to critical servers. IQVIA confirmed it had remediated both issues by March 2026, moving each warehouse into a separate secured enclave on an isolated domain with mandatory two-factor authentication at connection.
Log analysis was another deficient area. Both authorizations required regular automated analysis of connection logs and application-level activity traces. What existed was a security information and event management system that detected technical anomalies, plus a monthly manual check verifying that only authorized personnel were connecting. According to the deliberation, these measures were insufficient: they did not cover business-level activity, meaning an authorized employee could query sensitive patient records at scale without triggering any alert. The formation restreinte used a concrete example - an employee who, starting with minimal background knowledge, could reconstruct the full treatment history of a relative using access they were legitimately granted. IQVIA confirmed audit trail logging and automated alerts were deployed in March 2026.
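What "business-level" log analysis means in practice, as an added Python example (not IQVIA's tooling; the log format, user names and thresholds are constructed): the first check looks only at authentication failures, the kind of technical anomaly the page says the existing SIEM caught, while the second aggregates application traces per user and day to catch the two patterns the deliberation worried about, a long run of lookups against one patient pseudonym and bulk browsing of many individual records.

```python
"""Business-level audit-trail analysis over a constructed access log.

Each constructed line: ISO-8601 timestamp, user, action, patient pseudonym
('-' when the action does not touch a single record).
"""
from collections import defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed audit trail: alice runs a normal aggregate study, bob pulls
    one patient's full history, carol pages through many individual records,
    mallory fails to log in three times."""
    lines = [
        "2026-03-02T09:01:12Z alice LOGIN_OK -",
        "2026-03-02T09:02:40Z alice AGG_QUERY -",
        "2026-03-02T09:15:03Z bob LOGIN_OK -",
    ]
    for i in range(8):
        lines.append(f"2026-03-02T09:{16 + i:02d}:00Z bob RECORD_LOOKUP p7f3a")
    lines.append("2026-03-02T10:00:00Z carol LOGIN_OK -")
    for i in range(40):
        lines.append(f"2026-03-02T10:{i:02d}:30Z carol RECORD_LOOKUP p{i:04d}")
    for i in range(3):
        lines.append(f"2026-03-02T11:30:{i * 5:02d}Z mallory LOGIN_FAIL -")
    return lines


def parse(line: str) -> dict:
    ts, user, action, patient = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "action": action,
        "patient": None if patient == "-" else patient,
    }


def technical_only_alerts(events, max_failures: int = 3):
    """Roughly what existed: anomalies at the authentication layer only.
    Blind to what an authenticated user actually does with the data."""
    failures = defaultdict(int)
    for e in events:
        if e["action"] == "LOGIN_FAIL":
            failures[e["user"]] += 1
    return sorted(u for u, n in failures.items() if n >= max_failures)


def business_alerts(events, same_patient: int = 5, distinct_patients: int = 20):
    """Per (user, day): how many times each patient pseudonym was looked up.
    Flags a long run against one pseudonym (the 'relative' scenario) and bulk
    browsing of many different records. Thresholds are illustrative."""
    lookups = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "RECORD_LOOKUP":
            lookups[(e["user"], e["ts"].date())][e["patient"]] += 1
    alerts = []
    for (user, day), counts in sorted(lookups.items()):
        if max(counts.values()) >= same_patient:
            alerts.append((user, "repeated lookups of one patient"))
        if len(counts) >= distinct_patients:
            alerts.append((user, "bulk record browsing"))
    return alerts


if __name__ == "__main__":
    evts = [parse(line) for line in build_sample_log()]
    print("technical-only alerts:", technical_only_alerts(evts))
    print("business-level alerts:", business_alerts(evts))
```

The point of the comparison is that bob and carol never fail a login and are both authorized users, so the technical check and a monthly "only authorized people connected" review see nothing; only the application-level aggregation surfaces them.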
The information failures at pharmacies
The authorization for the LRX warehouse required pharmacists to individually hand each patient a notice explaining IQVIA's data collection and to display a general information poster in the pharmacy. In autumn 2021, CNIL inspectors visited four Paris pharmacies participating in the LRX panel. None of the four was handing out the IQVIA notice. None was displaying a general information poster.
The formation restreinte rejected IQVIA's argument that this was the pharmacists' fault. Because IQVIA is the data controller - responsible for defining both the purpose and the means of the processing - compliance with the article 14 GDPR transparency obligation rests with IQVIA, regardless of the delivery channel it chose. The company's own notice stated that IQVIA processed the data "on the basis of its legitimate interest as data controller." It was IQVIA's obligation to verify the information was actually reaching patients. The deliberation noted that people buy medication under circumstances of illness, stress, or urgency that reduce their attention to data-related disclosures, making the information obligation particularly important in this context.
A separate but related violation concerned the EMR patient notice. That notice described the retention period as "the duration of the studies and analyses carried out by IQVIA and its contractual partners," followed by archiving in accordance with applicable regulations. The actual retention period authorized by the CNIL was ten years in active storage, after which data was to be anonymized or deleted. The two descriptions are materially different: the first is indefinite and uninformative; the second is concrete and bounded. The formation restreinte found this constituted a failure to comply with the EMR authorization's requirement to communicate all mandatory GDPR article 14 information.
Studies conducted without a legal basis
IQVIA conducts studies for its own account using LRX data - analyses of patient treatment paths for specific conditions, such as spinal muscular atrophy, arterial hypertension, or antipsychotic prescribing patterns. The LRX authorization explicitly excludes these downstream studies from its scope, stating separately that any subsequent research must go through its own CNIL formality.
IQVIA argued it was covered by a conformity declaration to reference methodology MR-004, filed with the CNIL on July 31, 2018. MR-004 allows data reuse without fresh individual consent, but only when patients have already been individually and specifically informed. Because the pharmacy inspections established that patients were not being given the IQVIA notice, that precondition was not met - at least for the four pharmacies inspected. The formation restreinte concluded the studies amounted to processing without a valid legal basis under article 66 of the Data Protection Act, for data collected via those four pharmacies.
IQVIA's pseudonymization argument and why it failed
What makes this case technically significant beyond its enforcement specifics is IQVIA's attempt to argue that the data was not personal data at all. In October 2025 - after the case had already been before the formation restreinte and was scheduled for a hearing - IQVIA submitted a new document arguing that the LRX and EMR data should be considered anonymous under the September 4, 2025, ruling of the CJEU in case C-413/23 P, known as the SRB ruling.
That ruling established that pseudonymized data transferred to a recipient who has no reasonable means of re-identification might not constitute personal data for that recipient. IQVIA argued that it could not, in practice, re-identify the patients in its warehouses without means that were either impractical or unlawful.
The formation restreinte disagreed on multiple grounds. First, IQVIA is not a mere recipient of pseudonymized data: it is the data controller that designed and controls the entire pseudonymization pipeline from the moment data enters a pharmacist's or physician's management software. The SRB ruling itself explicitly distinguished between data controllers - who possess the keys to re-identification - and downstream recipients who do not. As IQVIA itself acknowledged in its own earlier submissions, it had "defined a global flow and pseudonymization process, via multiple processes and multiple trusted third parties." A controller who designs the pseudonymization system cannot then claim the data is anonymous by virtue of that same pseudonymization.
Second, the formation restreinte examined the actual re-identification risk. The rapporteur demonstrated that by searching open Facebook groups for rare disease patient communities - specifically a spinal muscular atrophy support group - enough information was publicly available (treatment chronology, care locations, prescriptions, names) to isolate and identify a specific patient within the LRX database in a matter of minutes using only a standard internet connection. The combination of a unique patient identifier, year of birth, geographic zone (defined as clusters of nine pharmacies), sex, and prescription history meant the data failed the individualization risk test established in the Article 29 Working Party's 2014 opinion on anonymization techniques. The formation restreinte noted it is sufficient that a single person in the database can be re-identified by reasonable means for the entire dataset to qualify as personal data.
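The individualization test the rapporteur applied, implemented on a constructed dataset as an added Python example (not LRX data and not the rapporteur's tooling): equivalence classes over the deliberation's quasi-identifiers (year of birth, sex, zone, dispensed products), the smallest class size, the records already unique on demographics alone, and a matcher that takes an attacker's partial "public" profile and returns the records consistent with it. Zones and the product code "RARE-SMA-001" are placeholders.

```python
"""Individualization (singling-out) check on quasi-identifiers.

Constructed records; zones and the rare-disease product code are placeholders.
"""
from collections import Counter

DEMOGRAPHIC_QIS = ("birth_year", "sex", "zone")

# Constructed pseudonymized warehouse extract. 'pid' is the opaque patient code.
RECORDS = [
    {"pid": "a1", "birth_year": 1988, "sex": "F", "zone": "Z12", "products": {"AMLODIPINE", "PARACETAMOL"}},
    {"pid": "a2", "birth_year": 1988, "sex": "F", "zone": "Z12", "products": {"AMLODIPINE"}},
    {"pid": "a3", "birth_year": 1988, "sex": "F", "zone": "Z12", "products": {"RARE-SMA-001", "PARACETAMOL"}},
    {"pid": "a4", "birth_year": 1971, "sex": "M", "zone": "Z12", "products": {"METFORMIN"}},
    {"pid": "a5", "birth_year": 1971, "sex": "M", "zone": "Z12", "products": {"METFORMIN", "ATORVASTATIN"}},
    {"pid": "a6", "birth_year": 1971, "sex": "M", "zone": "Z07", "products": {"METFORMIN"}},
    {"pid": "a7", "birth_year": 2003, "sex": "F", "zone": "Z07", "products": {"IBUPROFEN"}},
]


def equivalence_classes(records, qis=DEMOGRAPHIC_QIS) -> Counter:
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(tuple(r[q] for q in qis) for r in records)


def k_anonymity(records, qis=DEMOGRAPHIC_QIS) -> int:
    """Smallest equivalence class; k == 1 means at least one record is singled out."""
    return min(equivalence_classes(records, qis).values())


def singletons(records, qis=DEMOGRAPHIC_QIS):
    """Records unique on the given quasi-identifiers alone."""
    classes = equivalence_classes(records, qis)
    return [r["pid"] for r in records if classes[tuple(r[q] for q in qis)] == 1]


def isolate(records, known: dict):
    """Records consistent with an attacker's partial knowledge. `known` may hold
    any subset of the demographic quasi-identifiers plus 'products', a set that
    must be contained in the record's dispensing history."""
    hits = []
    for r in records:
        if any(r[q] != v for q, v in known.items() if q != "products"):
            continue
        if not known.get("products", set()) <= r["products"]:
            continue
        hits.append(r["pid"])
    return hits


def is_personal_data(records, attacker_profiles) -> bool:
    """The test as the deliberation framed it: a single profile that isolates
    exactly one record by reasonable means is enough for the whole dataset."""
    return any(len(isolate(records, p)) == 1 for p in attacker_profiles)


if __name__ == "__main__":
    print("k on demographics:", k_anonymity(RECORDS))
    print("unique on demographics alone:", singletons(RECORDS))
    public_profile = {"zone": "Z12", "products": {"RARE-SMA-001"}}  # e.g. from an open support group
    print("isolated by one public profile:", isolate(RECORDS, public_profile))
```

Even with year of birth, sex and a nine-pharmacy zone as the only attributes, two of the seven constructed records are already unique, and a single rare product turns a three-person class into one identified record; the rare-disease support group the rapporteur used supplies exactly that kind of attribute.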
Third, the formation restreinte observed that until the SRB ruling in September 2025, IQVIA had never questioned whether its data was personal. It had itself sought and obtained CNIL authorizations in 2017 and 2019, explicitly declaring the data as personal, and had confirmed this characterization to inspectors in July 2021. Prior CNIL enforcement against a related company handling similar data - deliberation SAN-2024-013 of September 5, 2024, confirmed by the Conseil d'Etat on February 13, 2026 - reached the same conclusion: such data is personal.
The broader debate over what pseudonymization means for GDPR coverage has been active across European regulatory circles. EDPB guidelines on pseudonymization published in January 2025 confirmed that pseudonymized data remains personal data even when re-identification keys are held separately. Germany has separately called for GDPR amendments to clarify anonymization thresholds, citing legal uncertainty. The CNIL's decision in the IQVIA case reinforces that French regulators will apply a strict reading.
The fine calculation
The formation restreinte calculated the fine against the IQVIA group as an economic unit, not against IQVIA OPERATIONS FRANCE in isolation. Under the CJEU's December 2023 Deutsche Wohnen ruling (C-807/21), and confirmed by the February 2025 Ilva A/S ruling (C-383/23), a fine against a wholly-owned subsidiary must be assessed against the entire enterprise's financial capacity to ensure the penalty is effective, proportionate, and dissuasive. IQVIA HOLDINGS INC. owns 100 percent of the French entity, and the group presents itself as a single global entity. The formation restreinte therefore applied a presumption of decisive influence and used the group's 2023 revenue of 15 billion dollars as the financial reference, making the 5 million euro fine approximately 0.04 percent of group revenue.
According to the deliberation, the fine accounts for the sensitivity of health data under GDPR article 9, the large number of people affected (described as several tens of millions), IQVIA's market position as the self-described global leader in health data, the multiplicity and duration of the violations, and the company's negligence in failing to implement conditions it had formally accepted when seeking the authorizations. The formation restreinte noted IQVIA was the first private actor authorized by the CNIL to operate a health data warehouse under the public interest framework, and argued that this status should have led the company to hold itself to a higher standard of compliance.
The fine falls within the CNIL's recent enforcement range. The CNIL fined Google €325 million in September 2025 for consent and cookie violations. A December 2025 decision cut Amazon's earlier €32 million workplace monitoring fine to €15 million. Across Europe, national data protection authorities issued a combined 1.15 billion euros in GDPR fines during 2025, according to the EDPB's 2025 annual report.
Injunctions and compliance timeline
Beyond the fine, the formation restreinte issued injunctions with a six-month deadline, backed by a penalty of 10,000 euros per day of delay once that period expires. The injunctions cover four areas.
For the EMR warehouse, IQVIA must deliver accurate and complete information to patients about data retention durations and must implement an effective mechanism for exercising the right to object - for example, allowing patients to register opposition directly with their physician, who would record it via a dedicated function in the medical software.
For the article 14 GDPR violation, IQVIA must verify that partner pharmacies comply with their contractual obligations to inform patients that their data flows to IQVIA.
For the LRX studies, IQVIA must stop conducting research from the LRX warehouse without either a specific CNIL authorization or full compliance with the MR-004 reference methodology, including individual prior patient information.
For the article 25 GDPR violation, IQVIA must ensure that pharmacy management software modules do not extract patient data where the pharmacist has refused transmission.
The security and confidentiality violations - network segmentation, multi-factor authentication, and log analysis - were found to have already been remediated and are not subject to ongoing injunctions. IQVIA notified the CNIL of these remediation measures on March 24, 2026.
The deliberation will remain publicly identified by name for two years from publication, after which references to IQVIA will be anonymized. The CNIL noted that all fines it imposes, including those against private companies, are collected by the French treasury (Direction generale des finances publiques) and paid into the state budget. The company has two months from notification to bring an appeal before the Conseil d'Etat.
According to the CNIL, it handled 539 health data authorization requests in 2025 alone. The IQVIA case is a public demonstration of what happens when the conditions attached to those authorizations are not met.
Timeline
- July 12, 2018 - CNIL authorizes IQVIA to create the LRX health data warehouse (deliberation 2018-289)
- February 4, 2021 - CNIL authorizes IQVIA to create the EMR warehouse (deliberation 2021-015)
- May 17, 2021 - CNIL publishes a statement following a broadcast investigation, noting controls would be conducted on IQVIA
- June 29, 2021 - CNIL president orders inspections of IQVIA OPERATIONS FRANCE, IQVIA HOLDINGS FRANCE, and IQVIA RDS FRANCE
- July 6-7, 2021 - CNIL delegation conducts on-site inspection at IQVIA's Courbevoie headquarters
- September-November 2021 - CNIL conducts inspections at six Parisian pharmacies
- October 4, 2022 - IQVIA's last contact with the inspection delegation
- July 18, 2024 - CNIL president designates rapporteur Claude Castelluccia
- September 5, 2024 - CNIL sanctions a related company (deliberation SAN-2024-013) for similar health data violations
- March 31, 2025 - Rapporteur notifies IQVIA of the sanction report detailing violations of article 66 of the Data Protection Act and articles 14 and 25 of the GDPR
- April 30, 2025 - IQVIA submits written observations in response
- June 26, 2025 - IQVIA submits second set of written observations
- July 16, 2025 - Instruction formally closed; case placed on the agenda for an October 16, 2025 hearing
- September 4, 2025 - CJEU issues the SRB ruling (C-413/23 P), establishing recipient-perspective principles for pseudonymized data
- October 7, 2025 - IQVIA submits new analysis arguing LRX and EMR data is anonymous under the SRB ruling
- October 10, 2025 - Formation restreinte president admits the new document and postpones the hearing
- November 24, 2025 - Rapporteur's response to IQVIA's new arguments notified to the company
- December 23, 2025 - January 8, 2026 - IQVIA submits final written observations
- February 13, 2026 - Conseil d'Etat confirms earlier CNIL decision against a related company (cases 498628, 498629, 498749)
- February 16, 2026 - Instruction formally closed again; case scheduled for a March 26, 2026 hearing
- March 24, 2026 - IQVIA notifies CNIL that security remediations (network segmentation, multi-factor authentication, audit trail logging) have been implemented for both LRX and EMR
- March 26, 2026 - Hearing before the formation restreinte; oral arguments presented
- May 26, 2026 - Formation restreinte adopts deliberation SAN-2026-008, imposing a €5 million fine and injunctions
- May 28, 2026 - Decision published on the CNIL website and on Légifrance
Summary
Who: IQVIA OPERATIONS FRANCE, the French subsidiary of US-listed IQVIA HOLDINGS INC., sanctioned by the CNIL's formation restreinte under deliberation SAN-2026-008.
What: A €5 million administrative fine and four compliance injunctions, backed by a penalty of €10,000 per day after a six-month grace period, for violations of article 66 of the French Data Protection Act (failure to comply with authorization conditions), article 14 of the GDPR (failure to inform patients), and article 25 of the GDPR (failure to implement privacy by design and by default). The decision is public for two years.
When: The deliberation was adopted on May 26, 2026, published on May 28, 2026. The underlying inspections were conducted in July and autumn 2021. The formal sanction proceeding was opened in July 2024.
Where: IQVIA OPERATIONS FRANCE is headquartered at 17 bis place des Reflets, Courbevoie (92400), France. The violations affected patients and pharmacies across metropolitan France. The warehouses processed data from approximately 14,000 pharmacies and up to 3,000 physicians.
Why: IQVIA failed to comply with multiple conditions attached to CNIL authorizations for two health data warehouses covering tens of millions of French patients. Failures included absent patient information at pharmacies, inaccurate retention duration disclosures, missing multi-factor authentication, absent network segmentation, no regular log analysis, data extraction from non-consenting pharmacies, and studies conducted without a valid legal framework. The CNIL concluded these failures were negligent, citing the company's resources, its market position, and the sensitivity of health data under GDPR article 9.