Written by: Haim Ravia, Dotan Hammer
France’s data protection authority, the CNIL, fined IQVIA Operations France EUR 5 million, principally because the company failed to respect the safeguards intended to limit risks to individuals in the management of health-data warehouses. IQVIA relies on two warehouses that the CNIL had authorized it to establish: the LRX warehouse, supplied with data collected from around 14,000 pharmacies, and the EMR warehouse, supplied with data collected from several thousand doctors.
Responding to the proceedings, IQVIA argued—citing the Court of Justice of the European Union’s September 2025 “SRB” judgment—that the data in the warehouses was anonymous and therefore outside the data-protection rules. The restricted committee disagreed, holding that the data was only pseudonymous because re-identification of individuals was possible by reasonable means, given the existence of a unique per-patient identifier, the depth of the data collected, and the possibility of combining IQVIA’s data with publicly available information.
The committee found that the company had not complied with the conditions of its authorizations: for both warehouses there was no measure to regularly analyze connection logs and detect abnormal activity, and for the EMR warehouse there was no multi-factor authentication, the patient information sheet contained inaccuracies, and there was no effective procedure for individuals to exercise their right to object. In relation to the LRX warehouse, none of the four inspected pharmacies informed customers that their data was transferred to IQVIA, in breach of Article 14 GDPR; the committee also identified studies conducted outside any legal framework and management software that transmitted customer data even where customers had refused, in breach of Article 25 GDPR. Alongside the fine—which reflected the seriousness of the breaches, the sensitive nature of the health data, the tens of millions of individuals affected, and the company’s market position and financial capacity—the committee issued orders to remedy certain breaches within six months, subject to a penalty of EUR 10,000 per day of delay.