← All articles

consultant

IQVIA: €5m fine and health data — Article 9 GDPR under strain

CNIL fines IQVIA France €5m for failings in health data warehouses. Key takeaway for Luxembourg: “pseudonymised” data remains health data (Art. 9 GDPR) and requires a strict legal basis and effective safeguards.

Excerpt — On 26 May 2026, CNIL fined IQVIA France €5m for failings linked to its health data warehouses. Key takeaway for Luxembourg: “pseudonymised” data remains health data under Article 9 GDPR and requires a strict legal basis and effective safeguards.

The case

On 26 May 2026, CNIL’s restricted committee sanctioned IQVIA Operations France with a €5m fine and issued injunctions with a daily penalty (€10,000) concerning two health data warehouses (LRX and EMR) fed by pharmacies and physicians. Findings include: failure to comply with CNIL health authorisations, lack of patient information (Art. 14 GDPR), security shortcomings (logs not regularly reviewed, no MFA), and non‑compliance with privacy by design (Art. 25 GDPR). Crucially, CNIL rejected the claim that the data was “anonymous”: it is “pseudonymised”, hence still personal data — and here, health data under Article 9. See the detailed decision (SAN‑2026‑008) on Légifrance and CNIL’s public analysis: Decision SAN‑2026‑008 of 26 May 2026; “Health data: €5m fine against IQVIA” (CNIL, 28 May 2026) (Légifrance link; CNIL link). (legifrance.gouv.fr)

Key point: CNIL relies on the CJEU ruling of 4 September 2025 (C‑413/23 P, EDPS v SRB) to recall that the decisive criterion is not the presence of a “neutral” identifier, but the reasonable possibility of re‑identification, considering data depth and available means. (infocuria.curia.europa.eu)

Legal reasoning

  • Special categories — Article 9 GDPR. Processing health data is in principle prohibited (Art. 9(1)), save for limited exceptions (Art. 9(2): preventive/occupational medicine, public interest in public health, scientific research under a legal framework, etc.). A warehouse combining diagnoses, prescriptions, functional identifiers and other clinical attributes falls within Art. 9 — even if a hashed ID replaces the name. Official text: Regulation (EU) 2016/679, Art. 9. (eur-lex.europa.eu)
  • Pseudonymisation ≠ anonymisation. The CJEU clarified that pseudonymised data may remain personal data for a third‑party recipient where reasonable legal or practical means exist to re‑identify (C‑413/23 P, 4 September 2025). Echoing this, CNIL found that a unique identifier, variable granularity and possible linkages sustain a re‑identification risk incompatible with anonymity. (infocuria.curia.europa.eu)
  • Information for indirect collection — Article 14 GDPR. Where data comes from a third party (e.g., pharmacy), the controller must ensure information is effectively delivered to individuals (Art. 14). Delegating the hand‑out of a notice to pharmacists does not relieve IQVIA from verifying the effectiveness of the information. Official text: Art. 14 GDPR (EUR‑Lex). (eur-lex.europa.eu)
  • Privacy by design — Article 25 GDPR. The architecture of warehouses and pharmacy data flows must embed safeguards by default (e.g., do not transmit where there is an objection; strict minimisation; logged mechanisms that are actually reviewed). Decision SAN‑2026‑008 records breaches of these duties. Official text: Art. 25 GDPR (EUR‑Lex). (eur-lex.europa.eu)
  • EDPB complementary references. In 2025, the EDPB adopted Guidelines 01/2025 on pseudonymisation, recalling that pseudonymisation raises security but does not turn health data into “anonymous data”. The guidelines help document technical choices and “reasonable means” re‑identification analysis. (edpb.europa.eu)

In Luxembourg, the CNPD refers to GDPR provisions on special categories and stresses that Art. 9(2) exceptions are interpreted strictly and backed by specific safeguards (professional secrecy, national legal basis, etc.). (cnpd.public.lu)

What this changes in practice

  • For Luxembourg actors (hospitals, pharmacy networks, health insurtech, CROs, EHR/vertical software vendors, data brokers operating in Luxembourg, cross‑border groups BE/FR/DE), a “pseudonymised” warehouse still falls under Art. 9 GDPR. You must identify a valid exception (Art. 9(2)), typically supported by a sectoral text and safeguards (secrecy, CNPD/CNIL/APD oversight), and be ready to evidence it. A certified DPO mandate helps steer compliance and documentation.
  • Art. 14 information is not a box‑ticking exercise: if collection runs via partners (pharmacies, practitioners), you remain responsible for effective information (materials, display, talk‑tracks, traceability) and an operational objection channel. Your notices and procedures should restate the Articles 9, 14 and 25 GDPR.
  • “Appropriate” security (Art. 32) and Art. 25 require concrete controls: MFA for sensitive access, logging and regular review, technical blocking of flows upon objection, minimisation (data schemas and permissions), re‑identification testing and robustness checks of pseudonymisation. The IQVIA decision shows that missing log review or MFA suffices to establish non‑compliance. (cnil.fr) A security audit helps objectify these controls.
  • True anonymisation is a project of its own: quasi‑identifier governance, re‑identification risk metrics, countermeasures (generalisation, suppression, controlled noise), and independent audits. Otherwise, assume you process health data and apply Art. 9.

Common pitfalls

  1. “Our data is anonymous because we removed names.” False. An internal identifier plus enough variable depth (age, conditions, treatments, care pathway) makes re‑identification plausible “by reasonable means” per the CJEU (C‑413/23 P). (infocuria.curia.europa.eu)
  2. Relying on legitimate interests for health data. Art. 6(1)(f) does not lift the Art. 9(1) prohibition. You need an applicable and documented Art. 9(2) exception (e.g., 9(2)(h) or (i)) — and, where relevant, a national legal basis. Text: Art. 9 GDPR. (eur-lex.europa.eu)
  3. Delegating information to partners without control. For indirect collection (Art. 14), the controller remains accountable: without proof of effective display or delivery of a compliant, understandable notice, non‑compliance is established. Text: Art. 14 GDPR; CNIL IQVIA findings. (eur-lex.europa.eu)
  4. Neglecting “privacy by design”. Pharmacy software that transmits “despite refusal” breaches Art. 25; the architecture must enforce technical safeguards, not just internal procedures. Text: Art. 25 GDPR; IQVIA decision. (eur-lex.europa.eu)
  5. Equating pseudonymisation with a “cosmetic measure”. The EDPB (Guidelines 01/2025) requires a methodology and evidence (key scheme, separation, threat evaluation). Without this, pseudonymisation neither reduces your obligations nor your risks. (edpb.europa.eu)

Official sources

  • CNIL — “Health data: €5m fine against IQVIA” (28 May 2026) and detailed grounds (Art. 14 information, security, Art. 25, pseudonymisation) (cnil.fr). (cnil.fr)
  • Deliberation SAN‑2026‑008 (26 May 2026), decision published on Légifrance (CNIL) (legifrance.gouv.fr). (legifrance.gouv.fr)
  • GDPR (Regulation 2016/679) — Articles 9 (special categories), 14 (indirect collection information), 25 (data protection by design) on EUR‑Lex (eur-lex.europa.eu). (eur-lex.europa.eu)
  • CJEU — Judgment of 4 September 2025, C‑413/23 P, EDPS v SRB (scope of personal data and pseudonymisation) (curia.europa.eu). (infocuria.curia.europa.eu)
  • EDPB — Guidelines 01/2025 on pseudonymisation (adopted for consultation then finalised in 2025) (edpb.europa.eu). (edpb.europa.eu)

In short, IQVIA forces Luxembourg executives and DPOs to choose: either truly anonymise with a verifiable methodology, or fully embrace the demanding regime of Article 9 GDPR — legal basis, effective information, and demonstrable security. To speak with our team, get in touch.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →