Health data: €5M fine against IQVIA — what GDPR Article 9 really requires

On May 26, 2026, the CNIL fined IQVIA €5M over shortcomings in its health data warehouses. The case illustrates GDPR Article 9’s general prohibition and the strict conditions of its exceptions.

The case

On May 26, 2026, the CNIL imposed a €5 million fine on IQVIA Operations France, which operates health data warehouses. The restricted committee found, in particular, that the safeguards governing such processing had not been respected: incomplete information to data subjects, shortcomings in the handling of data subject rights and in security, and non‑compliance with certain CNIL authorizations. Official decision and reasons: “Données de santé: sanction de 5 millions d’euros à l’encontre de la société IQVIA” (26/05/2026). See the CNIL decision and press release: https://www.cnil.fr/fr/donnees-sante-sanction-5-millions-iqvia.

  • Use of “special categories” of data (health) without sufficient safeguards for the stated purposes.
  • Lack of information compliant with GDPR Articles 12–14 and difficulties exercising data subject rights.
  • Security measures deemed inadequate under Article 32 GDPR.
  • Non‑compliance with certain sectoral authorizations governing data warehouses.

This decision is part of a 2026 series by the CNIL on data security and governance (2025 overview and 2026 decisions: https://www.cnil.fr/en/investigation-powers-cnil/sanctions-issued-cnil).

Legal reasoning

  1. General prohibition and strict exceptions (GDPR Article 9). GDPR prohibits processing health data (Art. 9(1)) unless a condition in Art. 9(2) applies (notably 9(2)(h) care/health system management, 9(2)(i) public health, 9(2)(j) scientific research with Art. 89(1) safeguards). These special bases come in addition to an Article 6 legal basis (e.g., 6(1)(c), 6(1)(e), or 6(1)(a) when relying on explicit consent under 9(2)(a)). Official text: GDPR Arts. 6, 9, 12–14, 25, 32, 35, 89 on EUR‑Lex: https://eur-lex.europa.eu/eli/reg/2016/679/oj. For a practical reminder of obligations and records, see our GDPR overview.
  2. Enhanced safeguards and documentation. Beyond the dual legal basis (Art. 6 + Art. 9(2) exception), information duties (Arts. 12–14), data minimization (Art. 5(1)(c)), storage limitation (Art. 5(1)(e)), and security (Art. 32) must be adapted to risk. Health data warehouses almost always trigger a DPIA (Art. 35), privacy by design (Art. 25), and auditable access controls/authorizations.
  3. Authorities’ interpretation and sectoral framework.

In short, the IQVIA decision confirms a consistent line: the broader and more industrialized the health data perimeter (warehouses, data sharing, enrichments), the more rigorous the expected demonstration of legal bases, technical and organizational safeguards, and transparency.

What changes in practice

  • Health data warehouses/analytics platforms: plan a DPIA (Art. 35) and formalize the pairing of an Art. 6 basis with the relevant Art. 9(2) exception. “Scientific research” grounds (Art. 9(2)(j), Art. 89(1)) demand concrete safeguards: strong pseudonymization, environment separation, access traceability, and lifecycle governance. Refer to the EDPB guidance above.
  • Data subject information: prepare specific “data warehouse” notices clearly listing purposes, Art. 6 basis, Art. 9(2) exception, recipients, retention, rights (including objection/limitation when applicable), and transfers. Generic privacy pages are not sufficient.
  • Security: need‑to‑know access controls, admin logging, encryption at rest/in transit, secrets management, regular pentests, and access right reviews. Under Art. 32, measures must be “appropriate” to risk; for health data, the CNIL’s bar is high. To reinforce these areas, consider a targeted cybersecurity audit for warehouses and sensitive data protection.
  • Compliance with authorizations/commitments: if you operate under a sectoral authorization or a written commitment to an authority, verify that the real‑world processing matches it (sources, variables processed, re‑uses, timelines, recipients). Formal non‑compliance with authorization terms weighed in the IQVIA decision.
  • Luxembourg: check local constraints (e.g., genetic data in employment/insurance) and document the relevant Art. 9(2)(h)/(i)/(j) grounds. A useful starting point is our GDPR in Luxembourg page.

Common pitfalls

  1. Confusing “anonymization” with “pseudonymization”. Many warehouses remain “personal” because re‑identification is possible via keys or linkage. Without effective anonymization, Article 9 applies in full and requires an Art. 9(2)/89(1) exception and safeguards. Reference: GDPR Arts. 4(5), 9, 89 on EUR‑Lex: https://eur-lex.europa.eu/eli/reg/2016/679/oj.
  2. Relying on non‑explicit consent. Consent must be explicit (Art. 9(2)(a)), freely given and specific to the actual warehouse purposes. Otherwise, prefer a statutory/public legal basis (Art. 6(1)(c)/(e)) where available, or the “research” route (Art. 9(2)(j)) with strong safeguards.
  3. Overly generic notices. Corporate privacy notices often omit analytical purposes and actual recipients; the CNIL flagged similar shortcomings in several 2026 cases. Overview: https://www.cnil.fr/en/investigation-powers-cnil/sanctions-issued-cnil.
  4. Thin DPIAs. Analyses may cover IT risks but omit specific risks of re‑identification, purpose creep, or reuse bias. Art. 35 requires assessing risks to “rights and freedoms,” not just availability/confidentiality.
  5. “Shadow scope” and authorization drift. Continuous addition of flows, tables or columns can deviate from initial authorization or DPIA. In IQVIA, non‑compliance with authorization terms weighed in. Source: IQVIA decision (26/05/2026): https://www.cnil.fr/fr/donnees-sante-sanction-5-millions-iqvia.
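The first pitfall above (pseudonymization mistaken for anonymization) is easy to make concrete in code. The following Python example is added here for illustration and is not code from the article, from Luxgap or from IQVIA; the patient records are constructed sample data, the key is a demo value, and the function names (`pseudonymize`, `relink`, `k_anonymity`, `generalize`) are hypothetical. It shows two things a DPIA should check: first, that a keyed token is reversible for whoever holds the key, so the dataset remains personal data under Art. 4(5); second, that even without the key, records can be singled out by linkage on quasi‑identifiers (birth year, postcode, sex), which a simple k‑anonymity measurement exposes.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample extract from a hypothetical health data warehouse (not real data).
RECORDS = [
    {"patient_id": "P001", "birth_year": 1984, "postcode": "L-1234", "sex": "F", "diagnosis": "E11"},
    {"patient_id": "P002", "birth_year": 1986, "postcode": "L-1234", "sex": "F", "diagnosis": "I10"},
    {"patient_id": "P003", "birth_year": 1971, "postcode": "L-5678", "sex": "M", "diagnosis": "J45"},
    {"patient_id": "P004", "birth_year": 1975, "postcode": "L-5690", "sex": "M", "diagnosis": "E11"},
    {"patient_id": "P005", "birth_year": 1990, "postcode": "L-1250", "sex": "M", "diagnosis": "I10"},
    {"patient_id": "P006", "birth_year": 1992, "postcode": "L-1260", "sex": "M", "diagnosis": "J45"},
]

# Attributes an outside source (electoral roll, employer file, insurer) may also hold.
QUASI_IDENTIFIERS = ("birth_year", "postcode", "sex")

# Demo key only. In practice the key is the "additional information" of Art. 4(5):
# it must be kept separately from the warehouse, under its own access controls.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _token(key: bytes, patient_id: str) -> str:
    """Keyed HMAC-SHA256 pseudonym (truncated for readability)."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Replace the direct identifier with a keyed token.

    The output carries no patient_id, but anyone holding `key` can recompute
    the token from a known identifier: this is pseudonymization, not
    anonymization, so Article 9 still applies in full.
    """
    out = []
    for r in records:
        pseudo = {k: v for k, v in r.items() if k != "patient_id"}
        pseudo["token"] = _token(key, r["patient_id"])
        out.append(pseudo)
    return out


def relink(pseudo_records, key: bytes, patient_id: str):
    """What the key holder can do: recompute the token and retrieve the row(s)."""
    wanted = _token(key, patient_id)
    return [r for r in pseudo_records if r["token"] == wanted]


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.

    k == 1 means at least one record is unique on attributes an external
    dataset may contain, so it can be singled out by linkage without the key.
    """
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Tokens of records that are alone in their quasi-identifier group."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return [r["token"] for r in records
            if groups[tuple(r[q] for q in quasi_identifiers)] == 1]


def generalize(records):
    """One coarsening step: birth year -> decade, postcode -> first three characters.

    Generalization raises k; whether the result is 'anonymous' in the GDPR sense
    still depends on the remaining attributes and the data held by recipients.
    """
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = (r["birth_year"] // 10) * 10
        g["postcode"] = r["postcode"][:3]
        out.append(g)
    return out


if __name__ == "__main__":
    pseudo = pseudonymize(RECORDS, DEMO_KEY)
    print("k-anonymity of pseudonymized extract:", k_anonymity(pseudo))
    print("records singled out by quasi-identifiers:", singled_out(pseudo))
    print("k-anonymity after generalization:", k_anonymity(generalize(pseudo)))
    print("key holder re-links P003 to:", relink(pseudo, DEMO_KEY, "P003"))
```

Running the block shows k = 1 on the pseudonymized extract (every row is unique on the three quasi‑identifiers), k = 2 after one generalization step, and a successful re‑linking of P003 by the key holder. A DPIA for a warehouse should record both measurements and the custody arrangements for the key, rather than asserting that tokenized data is "anonymous".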

Official sources

Takeaway for May 2026: IQVIA shows Article 9 GDPR is not a box‑ticking exercise. Executives should demand robust legal and technical files for every health data warehouse: documented Art. 6 basis + Art. 9(2) exception, serious DPIA, dedicated transparency, risk‑appropriate security, and strict compliance with authorizations and commitments. This holds in Luxembourg and across the border.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
