On 26 May 2026, France's data protection authority (CNIL) imposed a €5 million fine on IQVIA Operations France, a subsidiary of the IQVIA group, for failures in the management of two authorised health data warehouses. The decision was published on 28 May 2026 and sets a compliance deadline of six months, after which the company faces an additional penalty of €10,000 per day for any remaining breaches.
IQVIA operates two health data warehouses authorised by the CNIL: the LRX warehouse, authorised in 2018 and supplied with data collected from approximately 14,000 pharmacies, and the EMR warehouse, authorised in 2021 and supplied with data from several thousand doctors. The CNIL's restricted committee found that the company failed to comply with the terms of those authorisations across several areas: inadequate information provided to data subjects, failures in enabling the exercise of individual rights, and deficiencies in data security - including the absence of regular log analysis and multi-factor authentication.
A central element of the decision was the dispute over data classification. IQVIA argued that the data in its warehouses was anonymous and therefore fell outside the scope of the GDPR. The CNIL's restricted committee rejected this position, concluding that the data was pseudonymous, not anonymous, on the basis that re-identification of data subjects remained possible using reasonable means. The distinction is critical: pseudonymous data remains personal data under the GDPR, subject to the full range of data protection obligations - including the requirement for a lawful basis, data subject rights, and appropriate security measures.
The decision is significant beyond IQVIA itself. Health data processing - particularly at scale, for research and commercial purposes - is under increasing regulatory scrutiny across Europe. The EDPB's recently adopted Guidelines 1/2026 on scientific research reinforce the expectation that organisations processing health data must conduct DPIAs, maintain transparent information practices, and document their legal basis with precision.
Acompli perspective: The IQVIA decision is a case study in what happens when an organisation's characterisation of its own data does not survive regulatory scrutiny. Calling data "anonymous" does not make it so - and the CNIL's finding that re-identification was possible using reasonable means is a reminder that pseudonymisation is a security measure, not a basis for exemption. Organisations processing health or sensitive data should review their data mapping to ensure they have accurately classified the data they hold, confirm their assessment processes cover the specific risks of large-scale health data processing, and maintain records of processing that reflect the actual legal basis relied upon - not an aspirational one.
