Health data: fine of 5 million euros against IQVIA
28 May 2026
On 26 May 2026, IQVIA OPERATIONS FRANCE was fined €5 million, in particular because it didn't respect guarantees aimed at limiting risks to individuals in the management of health data warehouses.
Background information
The company IQVIA OPERATIONS FRANCE, a subsidiary of the IQVIA group, provides consulting services and conducts studies for its own account or on behalf of pharmaceutical laboratories (studies that focus on some diseases or treatments administered).
To carry out these studies, it relies on two health data warehouses that the CNIL authorized it to establish:
- The LRX warehouse, authorized in 2018, supplied with data collected from about 14,000 pharmacies;
- The EMR warehouse, authorized in 2021, supplied with data collected from several thousand doctors.
As with all the health authorization applications it processes (539 cases in 2025), the CNIL had required a number of guarantees to limit risks for individuals and respect their rights. Indeed, health data covered by these warehouses is particularly sensitive and must benefit from enhanced protection.
Following the broadcast of a report by the magazine "Cash Investigation", the CNIL received several complaints from individuals and associations, notably regarding the lack of transparency of processing carried out for the patients. The CNIL therefore carried out several inspections, both of the company and of some partner pharmacies.
Based on the findings made during these inspections, the restricted committee – the body of the CNIL responsible for imposing sanctions – considered that the company didn't respect the terms of the authorizations issued, in particular regarding the information of individuals, the exercise of their rights and data security.
For all of these breaches, the restricted committee imposed a fine of 5 million euros on IQVIA OPERATIONS FRANCE, taking into account the seriousness of the violations identified, which involved health data, and thus sensitive data, the large number of individuals affected (tens of millions), the company’s market position, and its financial capacity. This decision has been made public.
The CNIL also issued orders requiring the company to take measures to remedy certain breaches within six months, subject to a penalty of 10,000 euros per day of delay.
Data that was pseudonymous, and not anonymous
As part of the sanction procedure, and in response to a judgment issued by the Court of Justice of the European Union on September 4, 2025 (known as the “SRB judgment”), IQVIA argued that the data contained in the LRX and EMR data warehouses was anonymous and that, therefore, data protection rules did not apply.
The restricted committee, on the contrary, considered that this data was not anonymous, but only pseudonymous, as the re-identification of the data subjects was possible using reasonable means.
IQVIA collected a vast amount of data on the individuals concerned, such as year of birth, gender, information regarding the general practitioner and prescriptions issued, as well as—for the EMR data warehouse—marital status, number of children, socioeconomic status and various health-related details (diagnosis, symptoms, allergies, weight, height, pulse, vaccinations, tests, and sick leave).
In each data warehouse, this data was linked to a unique identifier for each patient, making it possible to track their care journey.
The restricted committee found that the risk of a person being identified was too high for the data processed by the company to be considered anonymous, given:
- the existence of a unique identifier;
- the depth of the data collected by the company;
- the possibility of identifying individuals by combining data held by IQVIA with publicly available data.
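The three factors above (a stable per-patient identifier, the depth of the attributes, and the possibility of matching them against outside data) can be checked numerically before a dataset is treated as anonymous. The following script is an added example, not code from the CNIL decision or from IQVIA's systems: the records, column names and the choice of quasi-identifiers are constructed for the illustration. It groups patients by the combination of attributes an outsider might plausibly know (here year of birth, sex and general practitioner), reports the smallest such group (k-anonymity), lists the patients who are alone in their group, and shows how the stable identifier links every row of one patient into a care journey.

```python
"""Measuring re-identification risk in pseudonymised records.

Added example, not part of the CNIL decision or IQVIA's systems: the
records, column names and quasi-identifier choice below are constructed
to illustrate why a stable per-patient identifier plus detailed
attributes leaves data pseudonymous rather than anonymous.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: one row per dispensing, keyed by a stable pseudonym
# (the "unique identifier" the decision refers to) plus attributes that
# could be matched against outside sources (quasi-identifiers).
RECORDS: List[Dict[str, str]] = [
    {"patient_id": "P001", "birth_year": "1952", "sex": "F", "gp_id": "GP17", "product": "metformin"},
    {"patient_id": "P001", "birth_year": "1952", "sex": "F", "gp_id": "GP17", "product": "insulin"},
    {"patient_id": "P002", "birth_year": "1952", "sex": "F", "gp_id": "GP17", "product": "statin"},
    {"patient_id": "P003", "birth_year": "1952", "sex": "F", "gp_id": "GP22", "product": "aspirin"},
    {"patient_id": "P004", "birth_year": "1988", "sex": "M", "gp_id": "GP03", "product": "ibuprofen"},
    {"patient_id": "P005", "birth_year": "1988", "sex": "M", "gp_id": "GP03", "product": "amoxicillin"},
    {"patient_id": "P006", "birth_year": "1988", "sex": "M", "gp_id": "GP03", "product": "ibuprofen"},
]

# Assumed set of attributes an outsider could learn from other sources.
QUASI_IDENTIFIERS: Tuple[str, ...] = ("birth_year", "sex", "gp_id")


def equivalence_classes(records, quasi_identifiers):
    """Map each combination of quasi-identifier values to the patients sharing it.

    Patients are counted, not rows: the stable pseudonym groups all of a
    patient's rows together, so repeat visits do not inflate the apparent
    crowd a patient hides in.
    """
    classes: Dict[Tuple[str, ...], Set[str]] = {}
    for r in records:
        key = tuple(r[q] for q in quasi_identifiers)
        classes.setdefault(key, set()).add(r["patient_id"])
    return classes


def k_anonymity(records, quasi_identifiers) -> int:
    """Smallest crowd any patient hides in; k == 1 means someone is singled out."""
    return min(len(p) for p in equivalence_classes(records, quasi_identifiers).values())


def singled_out(records, quasi_identifiers) -> List[str]:
    """Patients whose quasi-identifier combination is unique in the dataset.

    A unique combination is exactly what makes re-identification by
    "reasonable means" possible: a handful of facts known from elsewhere
    is enough to pick out the whole row set of one person.
    """
    return sorted(
        next(iter(p))
        for p in equivalence_classes(records, quasi_identifiers).values()
        if len(p) == 1
    )


def care_journey(records, patient_id) -> List[str]:
    """Everything linked to one pseudonym, in record order (the tracking the decision describes)."""
    return [r["product"] for r in records if r["patient_id"] == patient_id]


def suppress_singletons(records, quasi_identifiers):
    """One mitigation before release: drop patients who are alone in their class."""
    unique = set(singled_out(records, quasi_identifiers))
    return [r for r in records if r["patient_id"] not in unique]


if __name__ == "__main__":
    print("k on", QUASI_IDENTIFIERS, "=", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("singled out:", singled_out(RECORDS, QUASI_IDENTIFIERS))
    print("journey P001:", care_journey(RECORDS, "P001"))
    print("k after suppression =",
          k_anonymity(suppress_singletons(RECORDS, QUASI_IDENTIFIERS), QUASI_IDENTIFIERS))
```

On the constructed sample, year of birth and sex alone leave every patient in a group of three, but adding the general practitioner isolates one patient entirely (k = 1), which is the point the restricted committee makes about the depth of the data: each extra attribute shrinks the crowd. Suppressing or generalising the singled-out records is a mitigation, but it has to be re-measured for every combination of attributes a recipient could plausibly know.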
Moreover, it recalled that, prior to the SRB judgment, the company had never disputed that it processed personal data, and that in this regard it had sought and obtained authorizations from the CNIL, which it had to respect.
Breaches sanctioned
Violations of the obligation to comply with the authorizations issued by the CNIL (Article 66 of the French Data Protection Act)
The French Data Protection Act (Article 66.III) provides that the processing of personal data in the health sector may only be carried out after authorization by the CNIL or on the condition that it complies with a reference framework (Article 66.II).
Although IQVIA was authorized by the CNIL to establish the LRX and EMR health data warehouses, the investigations carried out revealed that, in practice, the processing operations carried out did not comply with the conditions set in the authorizations issued.
The restricted committee thus noted that security requirements were not being met. For instance, for both data warehouses, no measure made it possible to regularly analyze connection logs and thus effectively detect abnormal activity. For the EMR data warehouse, no multi-factor authentication was implemented to access data.
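The log-review requirement mentioned above is concrete enough to show in code. What follows is an added example, not code from the CNIL decision or from IQVIA's systems: the log format, user names, addresses and thresholds are constructed for the illustration. It parses a short set of constructed connection log lines from a data warehouse and applies four simple rules a periodic review would typically include: a successful login from a source address not previously seen for that account, successful activity outside working hours, a query returning far more rows than that account's previous maximum, and a burst of failed logins on one account.

```python
"""Periodic review of data-warehouse connection logs for abnormal activity.

Added example, not from the CNIL decision or IQVIA's systems: the log
format, accounts, addresses and thresholds are constructed for this
illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed line format: ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+)(?: rows=(?P<rows>\d+))? status=(?P<status>\S+)$"
)

# Constructed sample log, in time order.
SAMPLE_LOG = """\
2025-03-10T09:12:01Z user=analyst7 src=10.0.4.21 action=login status=ok
2025-03-10T09:13:40Z user=analyst7 src=10.0.4.21 action=query rows=1200 status=ok
2025-03-11T10:02:15Z user=analyst7 src=10.0.4.21 action=query rows=950 status=ok
2025-03-11T10:30:00Z user=analyst2 src=10.0.4.33 action=login status=ok
2025-03-11T10:31:10Z user=analyst2 src=10.0.4.33 action=query rows=700 status=ok
2025-03-12T02:14:07Z user=analyst7 src=203.0.113.9 action=login status=ok
2025-03-12T02:15:30Z user=analyst7 src=203.0.113.9 action=query rows=480000 status=ok
2025-03-12T08:00:01Z user=admin src=10.0.4.5 action=login status=fail
2025-03-12T08:00:03Z user=admin src=10.0.4.5 action=login status=fail
2025-03-12T08:00:05Z user=admin src=10.0.4.5 action=login status=fail
2025-03-12T08:00:07Z user=admin src=10.0.4.5 action=login status=fail
2025-03-12T08:00:09Z user=admin src=10.0.4.5 action=login status=fail
2025-03-12T08:00:11Z user=admin src=10.0.4.5 action=login status=fail
"""

WORK_HOURS = range(7, 20)   # assumed: 07:00-19:59 UTC is expected working time
ROW_FACTOR = 20             # flag a query returning > 20x the account's previous max
FAIL_THRESHOLD = 5          # flag 5 failed logins on one account ...
FAIL_WINDOW_S = 60          # ... within 60 seconds

Alert = Tuple[str, str, str]  # (rule, user, timestamp)


def parse(text: str) -> List[Dict]:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["rows"] = int(e["rows"]) if e["rows"] else 0
        events.append(e)
    return events


def detect(events: List[Dict]) -> List[Alert]:
    """Apply the four review rules; events must be in chronological order."""
    alerts: List[Alert] = []
    seen_src = defaultdict(set)        # per account: source addresses seen on successful logins
    max_rows = defaultdict(int)        # per account: largest result set so far
    fails = defaultdict(list)          # per account: recent failed-login timestamps
    off_hours_reported = set()         # (user, date) pairs already flagged
    for e in events:
        user, ts, when = e["user"], e["ts"], e["ts"].isoformat()
        if e["action"] == "login" and e["status"] == "ok":
            if seen_src[user] and e["src"] not in seen_src[user]:
                alerts.append(("new_source_ip", user, when))
            seen_src[user].add(e["src"])
        if e["status"] == "ok" and ts.hour not in WORK_HOURS:
            if (user, ts.date()) not in off_hours_reported:
                off_hours_reported.add((user, ts.date()))
                alerts.append(("off_hours_access", user, when))
        if e["action"] == "query":
            if max_rows[user] and e["rows"] > ROW_FACTOR * max_rows[user]:
                alerts.append(("bulk_extraction", user, when))
            max_rows[user] = max(max_rows[user], e["rows"])
        if e["action"] == "login" and e["status"] == "fail":
            recent = [t for t in fails[user] if (ts - t).total_seconds() <= FAIL_WINDOW_S]
            fails[user] = recent + [ts]
            if len(fails[user]) == FAIL_THRESHOLD:
                alerts.append(("login_failure_burst", user, when))
    return alerts


def review(text: str) -> List[Alert]:
    """Convenience entry point: parse then detect."""
    return detect(parse(text))


if __name__ == "__main__":
    for rule, user, when in review(SAMPLE_LOG):
        print(f"{when} {rule:<20} {user}")
```

The rules are deliberately simple; what the decision criticises is the absence of any regular analysis at all, and even these thresholds, run on a schedule against the warehouse's own logs, would surface the constructed night-time bulk query and the failed-login burst. In practice the baselines (known addresses, usual result sizes, working hours) should be learned per account over a longer window than the few lines shown here.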
For this data warehouse as well, the restricted committee found:
- inaccuracies in the information provided in the patient information sheet;
- the lack of implementation of a procedure allowing individuals to effectively exercise their right to object.
The company has demonstrated that, since the inspections were conducted, it has remedied the breaches regarding data security and confidentiality. The breaches concerning the information contained in the EMR patient information sheet and the exercise of the right to object were, however, subject to orders requiring the company to take corrective measures within a maximum of 6 months, failing which it would have to pay a penalty payment.
A failure to inform individuals regarding the LRX data warehouse (Article 14 of the GDPR)
Investigations carried out at four pharmacies revealed that none of them informed their customers that their data was being transferred to IQVIA.
The restricted committee noted that, while the company entrusted the pharmacists, who were the only ones in direct contact with the data subjects, with the task of providing this information on its behalf, it is indeed up to IQVIA, as the data controller, to ensure compliance with this obligation.
The restricted committee also observed two other breaches:
- the first related to studies conducted by the company on its own behalf using this data warehouse outside any legal framework (Article 66 of the French Data Protection Act);
- the second concerned the design of the management software used in pharmacies that transmitted customer data to IQVIA, even in cases of refusals (Article 25 of the GDPR).
The role of the CNIL concerning complainants
The CNIL is the data protection authority. It responds to requests from individuals and professionals.
Anyone may lodge a complaint with the CNIL if they encounter difficulties in exercising their rights or to report a violation of data protection rules. The CNIL may carry out investigations on organizations and, in the event of violations, may decide to impose sanctions.
However, the CNIL does not have the authority to compensate individuals who have filed a complaint with it. Such individuals may file a complaint with the police.
Read more
Reference texts
- Article 66 of the French Data Protection Act [in French] – Rules for the processing of health data – Légifrance
- Article 14 of the GDPR – Information to be provided where personal data have not been obtained from the data subject – Eur-Lex
- Article 25 of the GDPR – Data protection by design and by default – Eur-Lex