On May 26, 2026, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €5 million fine on IQVIA Operations France in decision SAN-2026-008, made public two days later on May 28. IQVIA is one of the world’s largest aggregators of health and pharmaceutical data, and the warehouses at the center of this case were not rogue or unauthorized — the CNIL itself had authorized both of them. That is precisely what makes the decision worth close reading. The fine is not about whether IQVIA could build health data warehouses. It is about whether the company honored the specific conditions attached to that permission, and about a foundational legal classification that determines whether the GDPR applies at all: the line between pseudonymized data and anonymous data.

IQVIA’s central defense was that the data in its warehouses was anonymous, placing it outside the scope of the GDPR entirely. The CNIL rejected that argument squarely. For any organization that has convinced itself that hashing identifiers, stripping names, or holding the re-identification key separately moves its datasets out of regulatory scope, this decision is a direct warning.

The Two Warehouses

IQVIA operated two health data warehouses (entrepôts de données de santé) under formal CNIL authorizations, each fed by a different segment of the French healthcare system.

The LRX warehouse, authorized in 2018, was supplied with data collected from approximately 14,000 pharmacies. As patients filled prescriptions, dispensing data flowed from pharmacy management software into IQVIA’s warehouse.

The EMR warehouse, authorized in 2021, drew on electronic medical record data collected from several thousand physicians.

Both authorizations came with conditions — the guarantees the CNIL attaches when it permits the large-scale processing of sensitive health data. Those guarantees exist to limit the risks such processing creates for the individuals whose lives are documented in the records. The CNIL’s restricted committee (formation restreinte), the body that decides sanctions, concluded that IQVIA did not respect the terms of the authorizations it had been granted, particularly regarding the information provided to individuals, the exercise of their rights, and data security.

The Violations

Patients were never told their data was being transferred

When the CNIL inspected pharmacies supplying the LRX warehouse, investigators found that customers were not being informed that their dispensing data would be transferred to IQVIA. The transparency obligations under Articles 13 and 14 of the GDPR are not satisfied by a contract between IQVIA and the pharmacy; the data subject — the patient at the counter — must receive the required information. That link in the chain was broken.

The software transmitted data even when patients refused

The more striking finding concerned the design of the pharmacy management software used to feed the warehouse. The CNIL determined that the software transmitted customer data to IQVIA even in cases where customers had refused. A refusal that the system ignores is not a choice. When the technical architecture overrides the individual’s expressed objection, the controller cannot claim to have honored data subject rights — and a privacy-by-design failure of this kind implicates Article 25 as well as the lawfulness and transparency principles of Article 5.

Security and the terms of authorization

Beyond transparency and rights, the committee found that IQVIA fell short of the data security guarantees built into the warehouse authorizations. Authorized processing of sensitive data is a conditional permission, not a blank check; failing to maintain the agreed safeguards is itself a breach of the authorization.

The Heart of the Case: Pseudonymization Is Not Anonymization

The most consequential part of SAN-2026-008 is the classification fight. IQVIA argued that the data held in its warehouses was anonymous. If true, that argument would have been close to dispositive: truly anonymous data falls outside the GDPR, and where there is no personal data, there is no Article 9 special-category regime, no transparency duty, and no data subject rights to violate.

The CNIL rejected the characterization. The data, it held, was pseudonymized, not anonymized. The distinction is defined in the GDPR itself and reinforced across European guidance:

  • Anonymous data has been irreversibly stripped of any reasonable means of linking it back to an individual. Once data is genuinely anonymous, it is no longer personal data, and the GDPR does not apply (Recital 26).
  • Pseudonymized data can no longer be attributed to a specific individual without the use of additional information — but that additional information exists, and re-identification remains possible by reasonable means. Pseudonymized data remains personal data and stays fully within the GDPR.

The CNIL found that individuals in IQVIA’s warehouses could still be re-identified using reasonable additional information. The test is not whether IQVIA intended to re-identify anyone, nor whether re-identification was easy. It is whether re-identification remains reasonably possible, accounting for the means likely to be used. Because it was, the data was personal data, the full weight of the GDPR — including the heightened Article 9 protections for health data — applied, and IQVIA’s foundational defense collapsed.

This holding matters far beyond IQVIA. A great deal of “anonymized” analytics, secondary-use research, and data-monetization activity rests on the assumption that pseudonymization is enough to escape the regulation. SAN-2026-008 is an authoritative statement that, where a key or other linking information exists for those who hold it, the data remains regulated for everyone in the processing chain. Pseudonymization is a valuable security and data-minimization measure — the GDPR explicitly encourages it — but it is a safeguard within the regime, not an exit from it.
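The classification test above (and checklist item 1 below) can be turned into a concrete self-assessment of a dataset. The following is an added example, not the CNIL's test nor anything from IQVIA's warehouses: all records, the national IDs, the salt and the pharmacy key table are constructed. It models the two linkage paths the decision turns on: the holder of the "additional information" (here, a salted hash recomputed from a key table) can relink every pseudonym, and even with the key removed, records that are unique on quasi-identifiers remain linkable by reasonable means to outside data.

```python
"""Re-identification self-test for a pseudonymized dispensing extract.

Added example (not from decision SAN-2026-008 or from IQVIA's systems).
Every value below is constructed; a salted SHA-256 of a national ID stands
in for whatever pseudonym a real pharmacy export might carry.
"""
import hashlib
from collections import Counter


def pseudonymize(national_id: str, salt: str) -> str:
    """Deterministic pseudonym: a salted hash of the national ID.
    The salt is the 'additional information' of GDPR Art. 4(5); whoever
    holds it together with a list of IDs can relink the records."""
    return hashlib.sha256((salt + national_id).encode()).hexdigest()[:16]


SALT = "constructed-export-salt"  # assumed to be held by the export software vendor

# Constructed pharmacy key table: national ID -> patient (stays at the pharmacy)
PHARMACY_KEY_TABLE = {
    "1790175123456": "Patient A",
    "2851290654321": "Patient B",
    "1950475987654": "Patient C",
    "2881275111222": "Patient D",
}

# Constructed warehouse extract: pseudonym + quasi-identifiers + dispensing (ATC code)
WAREHOUSE_EXTRACT = [
    {"ref": pseudonymize("1790175123456", SALT), "birth_year": 1979, "postcode": "75012", "sex": "M", "atc": "A10BA02"},
    {"ref": pseudonymize("2851290654321", SALT), "birth_year": 1985, "postcode": "69001", "sex": "F", "atc": "N06AB06"},
    {"ref": pseudonymize("1950475987654", SALT), "birth_year": 1995, "postcode": "75012", "sex": "M", "atc": "R03AC02"},
    {"ref": pseudonymize("2881275111222", SALT), "birth_year": 1988, "postcode": "69001", "sex": "F", "atc": "N06AB06"},
]


def relink_with_key(extract, key_table, salt):
    """Model the holder of the additional information: recompute every
    pseudonym from the key table and join. Returns {ref: patient}."""
    lookup = {pseudonymize(nid, salt): who for nid, who in key_table.items()}
    return {row["ref"]: lookup[row["ref"]] for row in extract if row["ref"] in lookup}


def k_anonymity(extract, quasi_ids):
    """Smallest equivalence class over the quasi-identifiers, and how many
    records are unique. k == 1 means a record is unique on attributes an
    outside party may also hold, so it is linkable even without the key."""
    classes = Counter(tuple(row[q] for q in quasi_ids) for row in extract)
    return min(classes.values()), sum(1 for c in classes.values() if c == 1)


def assess(extract, key_table, salt, quasi_ids):
    """Document the test: which linkage paths remain open? Any open path
    means the data is pseudonymized, i.e. still personal data. A clean
    result is evidence for an anonymity claim, not proof of one."""
    relinked = relink_with_key(extract, key_table, salt)
    k, uniques = k_anonymity(extract, quasi_ids)
    return {
        "linkable_via_key": len(relinked),
        "min_k": k,
        "unique_on_quasi_ids": uniques,
        "still_personal_data": len(relinked) > 0 or k == 1,
    }


if __name__ == "__main__":
    # Full quasi-identifiers and the key still in existence: every record relinks.
    print(assess(WAREHOUSE_EXTRACT, PHARMACY_KEY_TABLE, SALT, ("birth_year", "postcode", "sex")))
    # Key destroyed and birth year dropped: no open path found in this test.
    print(assess(WAREHOUSE_EXTRACT, {}, SALT, ("postcode", "sex")))
```

The second call shows what the assessment can and cannot say: with the key gone and the quasi-identifiers coarsened, this particular test finds no linkage, but k = 2 on a four-row sample is a weak result, and the written record of the test, its assumptions and the residual risk is what the checklist below asks for.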

The Remediation Order and the Daily Penalty

The €5 million fine is only part of the order. The CNIL gave IQVIA six months to bring the remaining breaches into compliance. If the company fails to remediate within that window, it faces an additional penalty of €10,000 per day. This injunction-plus-astreinte structure has become a signature of CNIL enforcement: the monetary penalty addresses past conduct, while the daily accruing penalty converts the deadline into a continuing financial exposure that grows every day the violation persists. For a deadline measured in months, the per-day figure is designed to make sustained non-compliance more expensive than the fix.

Why This Decision Lands Now

Health data is the most heavily protected category under the GDPR, and the secondary use of health data — for research, pharmacovigilance, market analytics, and AI training — is one of the fastest-growing and most contested areas of European data protection. Regulators are acutely aware that the commercial value of large health datasets creates pressure to classify them as anonymous and move them outside the regime. The IQVIA decision draws a firm line on that classification at the precise moment the secondary-use market is expanding. It also fits a broader pattern of intensifying CNIL enforcement; cumulative GDPR fines across the EU now exceed €7.1 billion, with France among the most active enforcers.

What to Do Now

Organizations that build, operate, or buy from health data warehouses — and any organization relying on “anonymization” to take datasets out of GDPR scope — should treat SAN-2026-008 as a prompt to re-examine the following:

  1. Re-test your anonymization claims against the re-identification standard. If a key, mapping table, or other additional information exists anywhere that could link records back to individuals by reasonable means, the data is pseudonymized and remains personal data. Document the test, the assumptions, and the residual re-identification risk — do not assert “anonymous” as a conclusion without analysis.

  2. Verify transparency at the point of collection. A contract with an upstream data source does not discharge your Article 13/14 obligations to the data subject. Confirm that individuals are actually informed — at the pharmacy counter, in the clinic, in the app — that their data will be transferred to a warehouse, by whom, and for what purpose.

  3. Audit whether refusals are technically honored. Test the systems that feed your warehouse. If a patient or user objects, opts out, or refuses, confirm the data genuinely stops flowing. A consent or objection mechanism that the architecture ignores is a privacy-by-design failure under Article 25.

  4. Treat authorization conditions as binding controls. Where processing rests on a regulator’s authorization or a documented legal basis with attached safeguards, map each condition to an owned, monitored control. Authorized processing that drifts from its conditions is unauthorized processing.

  5. Hold the security guarantees you promised. The safeguards described in a warehouse authorization or DPIA are commitments, not aspirations. Maintain them, evidence them, and review them as systems change.
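Item 3 is the one most easily checked in code. The following is an added example, not IQVIA's or any pharmacy software vendor's code: the refusal register and dispensing log are constructed, one exporter reproduces the failure mode the CNIL described (a refusal that is stored but never consulted), the other applies default-deny, and an audit replays an outbound batch against the register so the defect is detected rather than assumed away. Treating a patient with no register entry as excluded is an assumption of this example.

```python
"""Audit that a recorded refusal actually stops the data flow.

Added example, not from IQVIA or any real pharmacy management software.
The refusal register and dispensing log are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dispensing:
    patient_ref: str  # pseudonym already applied upstream
    atc: str          # dispensed product, ATC code
    qty: int


# Constructed refusal register: patient_ref -> True if the patient refused transfer
REFUSALS = {"p-0001": True, "p-0002": False, "p-0003": True, "p-0004": False}

# Constructed dispensing log; p-0005 has no entry in the register at all
DISPENSING_LOG = [
    Dispensing("p-0001", "A10BA02", 1),
    Dispensing("p-0002", "N06AB06", 2),
    Dispensing("p-0003", "R03AC02", 1),
    Dispensing("p-0004", "N06AB06", 1),
    Dispensing("p-0005", "C10AA05", 3),
]


def export_ignoring_refusals(log, refusals):
    """The defect: the refusal flag exists in the database but the export
    path never reads it, so every dispensing ships to the warehouse."""
    return list(log)


def export_honouring_refusals(log, refusals):
    """Corrected exporter, default deny: only an explicit non-refusal is
    exported. A recorded refusal, or no record at all (assumed here to mean
    the patient was never informed), keeps the record at the pharmacy."""
    return [d for d in log if refusals.get(d.patient_ref) is False]


def audit_outbound(batch, refusals):
    """Replay an outbound batch against the register and return, sorted,
    the patient_refs that should never have left (refused or unknown).
    An empty list is the evidence that the refusal control holds."""
    return sorted({d.patient_ref for d in batch if refusals.get(d.patient_ref) is not False})


if __name__ == "__main__":
    leaked = audit_outbound(export_ignoring_refusals(DISPENSING_LOG, REFUSALS), REFUSALS)
    print("leaked by the defective exporter:", leaked)
    clean = export_honouring_refusals(DISPENSING_LOG, REFUSALS)
    print("leaked by the corrected exporter:", audit_outbound(clean, REFUSALS))
```

The audit is the reusable part: run it against real outbound batches on a schedule, independently of the exporter, so that a regression in the export path shows up as a non-empty list rather than in a regulator's inspection report.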

Conclusion

The CNIL’s IQVIA decision is, at bottom, a classification ruling with enforcement teeth. By holding that re-identifiable warehouse data is pseudonymized rather than anonymous, the regulator kept one of the largest health data operations in Europe squarely within the GDPR — and then penalized it for failing to inform patients, for software that overrode refusals, and for falling short of the security guarantees built into its authorizations. The €5 million fine and the €10,000-per-day remediation clock are the consequences. The durable lesson is the one in the title: pseudonymized is not anonymous, and treating it as a way out of the regulation is a position regulators are now prepared to reject in writing.

This article is provided for informational purposes only and does not constitute legal advice.