IQVIA OPERATIONS FRANCE
GDPR enforcement action by the French Data Protection Authority (CNIL) on 2026-05-26.
Case details
- Authority: French Data Protection Authority (CNIL)
- Date: 2026-05-26
- Controller / Processor: IQVIA OPERATIONS FRANCE
- Sector: Health Care
- Quoted Articles: Art. 14 GDPR, Art. 25 GDPR
- Type of violation: Non-compliance with general data processing principles
Summary
The French DPA has imposed a fine of EUR 5,000,000 on IQVIA OPERATIONS FRANCE. The controller, which is active in health research, operates two health data repositories with the necessary authorisation from the DPA. Following the broadcast of a television show about the controller's data processing, multiple complaints were lodged with the DPA. The DPA found that the controller had wrongly assumed that the data had been anonymised when it had only been pseudonymised. The DPA also found that the controller had failed to ensure that data subjects were informed about the processing of their data. Furthermore, the controller failed to implement data protection by design, as it did not filter the data until after it had been transmitted to the repositories. This meant that unnecessary patient data was transmitted. Lastly, the controller failed to implement a sufficient procedure for data subjects to exercise their rights.