GDPR - May 29, 2026

CNIL (France) - SAN-2026-008

CNIL fines IQVIA €5M for GDPR breaches in health data pseudonymisation and patient notification.

Summary

France's CNIL issued a €5 million fine to IQVIA Operations France for violations of GDPR Articles 14 and 25, finding that patients could be re-identified despite pseudonymisation of pharmacy and medical records data, and were not properly informed of data processing. The breaches involved two health data repositories (LRX pharmacy data and EMR physician consultation data) containing information on approximately 20 million patients, where pseudonymisation and consent mechanisms were deemed inadequate.

Full text

From GDPRhub. Revision as of 11:51, 29 May 2026.

CNIL - SAN-2026-008

Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 14 GDPR; Article 25 GDPR; Article 66 of Act n°78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties
Type: Investigation
Outcome: Violation Found
Started: 29.06.2021
Decided: 26.04.2026
Published: 28.04.2026
Fine: 5.000.000 EUR
Parties: IQVIA Operations France
National Case Number/Name: SAN-2026-008
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: bms

The CNIL fined IQVIA €5 million for breaches of GDPR and French health-data rules in its pharmacy and medical-record data warehouses, finding that patients could still be singled out despite pseudonymisation and were not properly informed.

English Summary

Facts

IQVIA Operations France, the controller, is a consulting firm conducting studies either on its own behalf or on behalf of pharmaceutical companies. The controller was authorised by the CNIL, the DPA, to establish two health data repositories for research, study and evaluation purposes: the LRX repository, based on pharmacy data, and the EMR repository, based on physicians’ consultation data.

The LRX repository was intended to enable non-interventional studies on the real-world use of medicines, including persistence, adherence, compliance with prescriptions and contraindications.
To build this repository, the controller collected medication sales data from approximately 14,000 partner pharmacies. Where the pharmacist agreed, the controller also collected a unique identification code enabling the longitudinal tracking of patients’ care pathways. According to the controller’s materials, this concerned “20 million anonymized patients tracked over time.”

In practice, when a pharmacist recorded a medicine sale in pharmacy management software, an integrated module developed on behalf of the controller extracted the data and generated a “Pharmastat” data stream. This stream included medication sales data and a patient identification code generated through a hash function based on the INS-C, together with the patient’s first name, year of birth and gender. The code, combined with dispensing data, was transmitted to two trusted third parties designated by the controller, each of which re-hashed the identifier. The resulting pseudonymised data was stored in the LRX warehouse.

The EMR repository was intended to support studies on the evaluation and analysis of general medical care practices. It was fed by two data streams derived from physicians’ consultation data. These streams were transferred to the “Hub EMR”, hosted by a certified health data hosting provider and trusted third party. One stream underwent pseudonymisation within the physician’s software and then by the trusted third party, while the other passed through the Hub EMR without any change to its format.

The EMR repository contained patient identification-related data, such as year of birth, gender, marital status, number of children and socio-professional category, as well as health data from consultations, including visit date, diagnosis, symptoms, allergies, weight, height, pulse, prescriptions, vaccinations, tests and sick leave.
Each patient had a unique identifier for each doctor consulted, although the controller stated that no correlation was possible between different medical practices. The EMR warehouse contained data from approximately 2,000 physicians, while the controller’s brochure referred to 3,000 partner physicians.

Following media reports and several complaints, the DPA carried out inspections at the controller’s premises and at several partner pharmacies. During the proceedings, the controller argued, among other things, that the data contained in the LRX and EMR repositories was anonymous and that it was not responsible for the initial collection and transmission of data by pharmacies and physicians.

Holding

The DPA first held that the controller was responsible for the processing operations used to create both the LRX and EMR repositories. It considered that the different technical steps carried out by pharmacists, physicians, software providers and trusted third parties were not independent processing operations, but formed part of a single processing chain designed to create and populate the controller’s repositories. The DPA therefore held that the controller determined the purposes and means of the processing, starting from the collection of data at pharmacy or physician level.

The DPA also rejected the controller’s argument that the data in the LRX and EMR repositories was anonymous. It found that the data was pseudonymised, but still constituted personal data. In particular, the repositories enabled longitudinal tracking of patients through unique identifiers and contained rich health and identification-related data. The DPA considered that individuals could be isolated within the datasets and that re-identification could be possible by reasonable means, including by cross-referencing the data with external information.
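
The singling-out reasoning in the holding above can be checked mechanically on a pseudonymised dataset. The following is an added example, not code from the decision, GDPRhub or the controller: it builds a chained-hash pseudonym in the style described for the Pharmastat stream and counts pseudonyms whose linked profile is unique. SHA-256, the HMAC keys, the field separator, the function names and all records are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Hypothetical keys for the two trusted third parties (assumption, not from the decision).
TTP_KEYS = (b"ttp-one-demo-key", b"ttp-two-demo-key")

def pseudonym(ins_c, first_name, birth_year, gender):
    """Source-side hash of the identifying fields, then one keyed re-hash per third party."""
    code = hashlib.sha256(f"{ins_c}|{first_name}|{birth_year}|{gender}".encode()).digest()
    for key in TTP_KEYS:
        code = hmac.new(key, code, hashlib.sha256).digest()
    return code.hex()[:16]

# Constructed dispensing records: (ins_c, first_name, birth_year, gender, month, product)
RAW = [
    ("INS-0001", "Anne", 1958, "F", "2025-01", "metformin"),
    ("INS-0001", "Anne", 1958, "F", "2025-02", "metformin"),
    ("INS-0001", "Anne", 1958, "F", "2025-02", "insulin glargine"),
    ("INS-0002", "Marc", 1958, "M", "2025-01", "atorvastatin"),
    ("INS-0003", "Luc", 1958, "M", "2025-01", "atorvastatin"),
    ("INS-0004", "Nadia", 1991, "F", "2025-03", "levothyroxine"),
]

def build_warehouse(raw):
    """Pseudonymised rows as a warehouse would hold them: no name, no INS-C."""
    return [(pseudonym(i, n, y, g), y, g, month, product)
            for i, n, y, g, month, product in raw]

def profiles(rows):
    """Link rows by pseudonym into one longitudinal profile per patient."""
    out = defaultdict(lambda: [None, set()])
    for code, year, gender, month, product in rows:
        out[code][0] = (year, gender)
        out[code][1].add((month, product))
    return {c: (qi, frozenset(hist)) for c, (qi, hist) in out.items()}

def singled_out(rows):
    """Pseudonyms whose (birth year, gender, dispensing history) occurs exactly once (k = 1)."""
    groups = defaultdict(list)
    for code, fingerprint in profiles(rows).items():
        groups[fingerprint].append(code)
    return sorted(c for members in groups.values() if len(members) == 1 for c in members)

if __name__ == "__main__":
    rows = build_warehouse(RAW)
    print(f"{len(singled_out(rows))} of {len(profiles(rows))} pseudonyms are unique")
```

Because the pseudonym is deterministic, every dispensing for a patient links to the same code, and the linked history is what makes a profile unique even though no name or INS-C is stored.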
The DPA also noted that the controller’s intention or lack of intention to re-identify individuals was irrelevant for determining whether the data was personal data.

Regarding the EMR repository, the DPA found a breach of Article 66 of the French Data Protection Act. The controller had been authorised to create the EMR repository subject to specific conditions. However, the information notices provided to patients stated that their data would be retained for the duration of the studies and analyses conducted by the controller and its contractual partners, whereas the authorisation provided for retention in an active database for ten years before anonymisation or deletion. The DPA therefore considered that the information provided to patients was inaccurate. It also found that the controller had not ensured the effective exercise of patients’ right to object regarding data already collected in the EMR repository.

Regarding the LRX repository, the DPA found a breach of Article 14 GDPR. The controller relied on partner pharmacists to inform patients about the processing of their data. However, inspections at four pharmacies showed that patients were not provided with the required information notices and that the relevant information was not properly displayed. The DPA held that, irrespective of the practical channel used to provide the information, the obligation under Article 14 GDPR remained with the controller. The failure was particularly serious because patients had their health data processed without being aware of it and were therefore unable to exercise their rights.

The DPA further found a breach of Article 66 of the French Data Protection Act concerning studies carried out by the controller using the LRX warehouse. The DPA held that the authorisation granted for the LRX repository covered the creation of the warehouse only, and not the subsequent studies conducted using that warehouse.
Those studies constituted separate processing operations involving personal health data. Since they had not been specifically authorised and did not validly comply with the MR-004 reference methodology, in particular due to the lack of prior and individual information to patients, the DPA found that they were unlawful.

Finally, the DPA found a breach of Article 25 GDPR. The pharmacy software modules systematically extracted and transmitted patient data to the first trusted third party even w

Entities

IQVIA (vendor)
CNIL (vendor)