
IQVIA fined €5M: pseudonymisation ≠ anonymisation

The CNIL fined IQVIA €5M over shortcomings in two health data warehouses. Key takeaway: pseudonymised data are still personal data and the GDPR applies in full.

On 26 May 2026, the CNIL fined IQVIA Operations France €5,000,000 over shortcomings affecting two health data warehouses. Core message: “pseudonymised” data are not anonymous; GDPR obligations (information, data subject rights, privacy by design) still apply.

The case

The decision concerns the LRX (authorised in 2018) and EMR (authorised in 2021) warehouses, used for in‑house and client studies. Inspections followed a TV report and several complaints. The CNIL found infringements of information duties (Art. 14 GDPR), data protection by design (Art. 25 GDPR) — notably no MFA for EMR access and no regular log analysis — and non‑compliance with conditions set in authorisations granted under Article 66 of the French Data Protection Act. The CNIL also rejected IQVIA’s claim that the datasets were “anonymous” in light of the CJEU SRB judgment of 4 September 2025: they remained pseudonymised and reasonably re‑identifiable, thus subject to the GDPR. Source: CNIL, “Données de santé: sanction de 5 M€ à l’encontre d’IQVIA”, 28/05/2026; SAN‑2026‑008 of 26/05/2026 on Légifrance. (cnil.fr)

Legal reasoning

  • Sensitive data and legal basis. Health data fall under Article 9(1) GDPR; processing is allowed only under a 9(2) exception, commonly combined with an Article 6(1) basis and national conditions (in France, Art. 66: CNIL authorisation or compliance with a reference framework). Once granted, safeguards must be strictly observed (information, objection, security). (cnil.fr)
  • Pseudonymisation vs anonymisation. The decision cites the CJEU judgment of 4 September 2025 (EDPS v. SRB, C‑413/23 P). The Court explains that pseudonymised data may not be personal data for a third party without realistic means of identification; however, for a controller holding the key, or where dataset structure/depth and unique identifiers raise risk, they remain personal. Applied to IQVIA, the re‑identification risk was “too high”. References: CJEU press release and EUR‑Lex judgment. (curia.europa.eu; eur-lex.europa.eu)
  • Transparency and indirect information (Art. 14). For LRX (~14,000 pharmacies), information was not effectively provided to patients. Delegating to pharmacies does not discharge the controller: it must ensure delivery (evidence, audits, clauses). (cnil.fr)
  • Privacy by design (Art. 25) and security (Art. 32). Lack of MFA for EMR and no regular log review across both warehouses are serious gaps given the data sensitivity. CNIL points to its MFA and logging guidance. (cnil.fr)
  • EDPB interpretation. For higher‑risk processing, the EDPB stresses proportionality, two‑layer transparency and accountability (Guidelines 3/2019 on video processing, applied by analogy). (edpb.europa.eu)
  • CNPD (Luxembourg) view. In May 2026, the CNPD flagged “ineffective anonymisation” techniques used as a substitute for erasure. Takeaway: weak “pseudo‑anonymisation” does not remove rights or obligations. (cnpd.public.lu)

What this changes in practice

  • For Luxembourg players (hospitals, PSF santé, insurtech, labs, CROs, EHR/warehouse vendors, pharmacists, practice networks): labelling pseudonymised data as “anonymous” exposes you to:
    • full GDPR application (Arts. 5, 6, 9, 12‑14, 25, 32);
    • inspections by the competent authority (CNPD/CNIL);
    • orders and penalties if sectoral authorisations are breached.
    To reinforce governance and controls, consider structured cyber leadership aligned with state‑of‑the‑art security.
  • Typical high‑risk use cases.
    • Pharmacy aggregation: retail flows → analytics warehouse; robust information (in‑store notice, dedicated leaflet, pharmacy software messaging) and effective objection handling.
    • Observational study platforms: persistent pseudonyms, deep history, varied sources; document re‑identification risk (internal/external linkages) and, if claiming anonymisation, substantiate it technically and legally.
    • Internal analytics/partnerships: verify “own‑purpose” use fits the legal/national perimeter (specific authorisation, sector reference framework).
  • Security by design is now non‑negotiable.
    • Phishing‑resistant MFA (FIDO2/WebAuthn) for operator access;
    • comprehensive logging with regular analysis and anomaly detection;
    • environment segregation, encryption in transit/at rest, strict key management;
    • data minimisation and fine‑grained access controls (RBAC/ABAC), logged break‑glass.
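As an added illustration of the logging and MFA controls listed above (example code written for this article, not from IQVIA, the CNIL decision or any warehouse product), the following script runs a handful of review rules over a constructed JSON-lines access log for a hypothetical health data warehouse and then correlates the findings per account. The field names, the business-hours window, the bulk-export threshold and the list of phishing-resistant MFA methods are assumptions to be adapted to a real environment.

```python
"""Review rules over a warehouse access log (added example, constructed data)."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed JSON-lines audit trail for a hypothetical health data warehouse.
# The field names are assumptions for this example, not any product's schema.
SAMPLE_LOG = """\
{"ts":"2026-04-02T09:05:00Z","user":"analyst.a","event":"LOGIN","mfa":"fido2","role":"analyst"}
{"ts":"2026-04-02T09:06:10Z","user":"analyst.a","event":"QUERY","rows":120,"role":"analyst"}
{"ts":"2026-04-02T22:41:00Z","user":"analyst.b","event":"LOGIN","mfa":"none","role":"analyst"}
{"ts":"2026-04-02T22:43:30Z","user":"analyst.b","event":"EXPORT","rows":850000,"role":"analyst"}
{"ts":"2026-04-03T10:00:00Z","user":"oncall.c","event":"LOGIN","mfa":"fido2","role":"break-glass"}
{"ts":"2026-04-03T10:02:00Z","user":"oncall.c","event":"QUERY","rows":40,"role":"break-glass"}
"""

# Assumed policy parameters; tune them to the real environment.
BUSINESS_HOURS_UTC = range(7, 20)          # 07:00-19:59 UTC
BULK_EXPORT_ROWS = 100_000
PHISHING_RESISTANT_MFA = {"fido2", "webauthn"}


def parse_log(text):
    """Parse JSON lines into event dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events


def rule_weak_mfa(e):
    """Operator session opened without a phishing-resistant factor."""
    if e["event"] == "LOGIN" and e.get("mfa") not in PHISHING_RESISTANT_MFA:
        return f"login without phishing-resistant MFA (mfa={e.get('mfa')})"


def rule_bulk_export(e):
    """Export larger than the agreed threshold: data minimisation check."""
    if e["event"] == "EXPORT" and e.get("rows", 0) >= BULK_EXPORT_ROWS:
        return f"bulk export of {e['rows']} rows"


def rule_off_hours(e):
    """Any activity outside the business-hours window."""
    if e["ts"].hour not in BUSINESS_HOURS_UTC:
        return f"activity at {e['ts']:%H:%M} UTC, outside business hours"


def rule_break_glass(e):
    """Break-glass access is always logged and always reviewed."""
    if e.get("role") == "break-glass":
        return "break-glass role in use: needs a documented justification"


RULES = (rule_weak_mfa, rule_bulk_export, rule_off_hours, rule_break_glass)


def analyse(text):
    """Apply every rule to every event; return one finding per match."""
    findings = []
    for e in parse_log(text):
        for rule in RULES:
            detail = rule(e)
            if detail:
                findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                                 "rule": rule.__name__, "detail": detail})
    return findings


def priority_users(findings, min_distinct_rules=2):
    """Correlate per account: several different rules firing for the same user
    (here: no MFA, off-hours, bulk export) is what a reviewer looks at first."""
    rules_by_user = defaultdict(set)
    for f in findings:
        rules_by_user[f["user"]].add(f["rule"])
    return {u for u, rules in rules_by_user.items() if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["user"], f["rule"], "-", f["detail"])
    print("priority review:", sorted(priority_users(found)))
```

The per-line rules are deliberately simple; the point the CNIL findings make is that someone must actually run them on a schedule and act on the output. In the sample, `analyst.b` triggers three different rules within two minutes and is the only account surfaced for priority review, while the break-glass use by `oncall.c` is recorded for justification without being treated as an incident.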

Common pitfalls

  1. “Our data are anonymous because they’re hashed” — Generally false. Stable pseudonyms, unique identifiers, deep datasets and public linkages make re‑identification “reasonably possible.” The burden to prove anonymity is on you. See CJEU SRB (04/09/2025). (eur-lex.europa.eu)
  2. Delegating information duties without effective control — Article 14 requires you to ensure information is actually delivered (evidence, audits, clauses). This was a finding against LRX. (cnil.fr)
  3. Reducing privacy by design to a policy — Without MFA and log review, compliance with Arts. 25/32 fails. CNIL sanctioned these gaps. (cnil.fr)
  4. Extending use beyond the authorised perimeter — In France, Art. 66 LIL strictly frames purposes; in Luxembourg, check Art. 9(2) GDPR bases and applicable sectoral frameworks.
  5. Equating pseudonymisation with the end of rights — Pseudonymisation does not remove rights (access, objection, erasure) or obligations (information, security). The CNPD highlighted this in 2026. (cnpd.public.lu)
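Pitfall 1 above, the "pseudonymisation vs anonymisation" point in the legal reasoning section and the advice to document re-identification risk for study platforms all rest on the same technical fact: a stable hash replaces an identifier but does not break the link to the person. The script below, an added example written for this article and not drawn from the CNIL decision or IQVIA's systems, makes that concrete on four constructed, fictitious records. It shows that an unkeyed SHA-256 of a date of birth is recovered by hashing every plausible date, that a keyed HMAC stops outsiders but not the key holder, that either pseudonym still joins two extracts person-by-person, and that the remaining attributes can single a person out on their own. The record layout and the demo key are assumptions.

```python
"""Why a stable hash is a pseudonym, not anonymisation (added example)."""
import hashlib
import hmac
from collections import Counter
from datetime import date, timedelta

# Constructed, fictitious records: a pharmacy extract where the patient's
# date of birth is the direct identifier about to be replaced by a hash.
PATIENTS = [
    {"dob": "1954-03-12", "postcode": "L-1234", "sex": "F", "drug": "ATC-C10"},
    {"dob": "1987-11-02", "postcode": "L-1234", "sex": "M", "drug": "ATC-N06"},
    {"dob": "1987-11-02", "postcode": "L-1234", "sex": "M", "drug": "ATC-A10"},
    {"dob": "2001-07-30", "postcode": "L-9876", "sex": "F", "drug": "ATC-J01"},
]
DEMO_KEY = b"constructed-demo-key-not-for-production"  # placeholder secret


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256: deterministic and recomputable by anyone."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, secret_key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256: recomputable only by holders of secret_key."""
    return hmac.new(secret_key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, fn):
    """Replace the direct identifier with fn(dob); keep the other attributes."""
    return [{"pid": fn(r["dob"]), **{k: v for k, v in r.items() if k != "dob"}}
            for r in records]


def dob_domain(start=date(1900, 1, 1), end=date(2025, 12, 31)):
    """Every plausible date of birth: about 46,000 values, cheap to enumerate."""
    d = start
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def enumeration_check(pseudonyms, fn, domain):
    """Substantiation test for an 'anonymous' claim: hash every value of the
    identifier's domain with fn and see which pseudonyms map back.
    Returns {pseudonym: identifier} for the recoverable ones."""
    table = {fn(v): v for v in domain}
    return {p: table[p] for p in pseudonyms if p in table}


def linkable_records(extract_a, extract_b):
    """Records of extract_b whose pseudonym also appears in extract_a: a stable
    pseudonym joins two datasets person-by-person, keyed or not."""
    seen = {r["pid"] for r in extract_a}
    return sum(1 for r in extract_b if r["pid"] in seen)


def min_group_size(records, quasi_identifiers):
    """k-anonymity of the remaining attributes: a group of size 1 singles a
    person out even though the direct identifier is gone."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(counts.values())


if __name__ == "__main__":
    plain = pseudonymise(PATIENTS, unkeyed_pseudonym)
    keyed = pseudonymise(PATIENTS, keyed_pseudonym)
    print("unkeyed hashes recovered by enumeration:",
          len(enumeration_check([r["pid"] for r in plain], unkeyed_pseudonym, dob_domain())))
    print("keyed hashes recovered without the key:",
          len(enumeration_check([r["pid"] for r in keyed], unkeyed_pseudonym, dob_domain())))
    print("keyed hashes recovered by the key holder:",
          len(enumeration_check([r["pid"] for r in keyed], keyed_pseudonym, dob_domain())))
    print("records linkable across two keyed extracts:",
          linkable_records(keyed[:2], keyed[2:]))
    print("smallest (postcode, sex) group:",
          min_group_size(PATIENTS, ("postcode", "sex")))
```

Read against the CJEU SRB reasoning: the HMAC variant is the situation where a third party without the key may lack realistic means of identification, while the controller holding the key (and anyone holding two extracts built with the same key) still has them, so for that party the data remain personal. The k-anonymity check is the kind of evidence a controller needs before claiming anonymisation at all; here the smallest group has size 1, so the claim would fail regardless of how the identifier was hashed.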

Official sources

Need support to structure registers, DPIAs and technical controls in Luxembourg? Speak with a GDPR and security expert or reach out via our contact page. Our Luxembourg GDPR compliance offering complements technical safeguards and cyber leadership.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
