Pseudonymisation Clinical Trials: CNIL's Enforcement Clarifications and What They Mean for Life Sciences Organisations

If a vendor tells you that the health data it processes is anonymous, that statement is now a compliance risk to be tested, not a reassurance to be accepted. In May 2026 the CNIL fined IQVIA Operations France €5 million for relying on pseudonymisation while presenting the data as outside the scope of the GDPR. For sponsors, CROs and data-warehouse operators, the operational message is blunt: pseudonymised data is still personal data, the GDPR applies in full, and an organisation that holds, or can reach, the re-identification key cannot claim otherwise.

This article sets out the legal distinction, what the decision changes in practice, and the concrete steps that clinical-trial sponsors and CROs should take to keep their data classification audit-ready.

What did the CNIL decide in the IQVIA case?

On 26 May 2026 the CNIL adopted decision SAN-2026-008, made public on 28 May 2026, imposing a €5 million fine on IQVIA Operations France. The procedure concerned two health-data warehouses operated for secondary use: LRX, authorised in 2018 and fed by roughly 14,000 French pharmacies, and EMR, authorised in 2021 and fed by several thousand physicians. Together they covered the data of tens of millions of people, including year of birth, gender, prescriptions, diagnoses and care-pathway identifiers.

IQVIA argued that the data had been rendered anonymous through pseudonymisation. The CNIL rejected that characterisation. Because the operator (and others in the chain) could still re-identify individuals, the data remained personal data under Article 4(1) of the GDPR, and the full framework applied. The reasoning targets an architectural feature shared across the sector, not a quirk of one operator: pseudonymisation does not equal anonymisation for the entity that holds the keys.

This was not an isolated reading. A few months earlier, on 13 February 2026, the Conseil d’État upheld the same principle when it rejected appeals by the Cegedim group entities (GERS, Santestat and Cegedim Santé) against CNIL fines first imposed in 2024. The supervisory authority and France’s highest administrative court are now aligned: re-identifiable data is personal data, and the organisation’s own self-assessment does not settle the question.

The operational takeaway is the part that should reach your data-governance team. The regulator applies an objective re-identification test, having regard to all means reasonably likely to be used by any party in the processing chain. The fact that your organisation does not personally hold the code-break key is necessary but not sufficient: if the investigative site, the sponsor or any other processor does, the data is pseudonymised, and the GDPR applies.

What is the difference between pseudonymisation and anonymisation under the GDPR?

In short: pseudonymised data is still personal data and the GDPR applies in full, whereas anonymised data falls outside the GDPR, but only if re-identification is not reasonably possible by any party.

Pseudonymisation is defined in Article 4(5) of the GDPR as processing personal data so that it can no longer be attributed to a specific individual without additional information, provided that this additional information is kept separately and protected by technical and organisational measures. Crucially, pseudonymised data remains personal data. Recital 26 and Article 25 acknowledge it as such, and Article 89(1) treats it as a safeguard for scientific research, not as an exemption.

Anonymisation is not defined in the GDPR articles. Recital 26 indicates that the principles do not apply to data rendered anonymous so that the individual is no longer identifiable. The Article 29 Working Party (now the EDPB) confirmed in Opinion 05/2014 that data is genuinely anonymous only if three tests are met: it must not be possible to single out an individual, to link records relating to the same individual, or to infer information about an individual.

The table below summarises the regulatory differences. The final row is the one the IQVIA decision illustrates: an operator over-claimed anonymisation, and the authority applied the objective legal test rather than accepting the self-assessment.

‍

Why the distinction matters in clinical trials

The IQVIA and Cegedim cases concerned secondary-use health-data warehouses rather than interventional trials, but the legal test reads across directly to clinical research, where coded participant data is the norm. The same misclassification exposes clinical-trial sponsors and CROs on four fronts.

1. Legal basis and Article 9 compliance

If trial data is pseudonymised rather than anonymous, a valid Article 6 legal basis must exist alongside a specific Article 9(2) condition for special-category health data, typically Article 9(2)(j) for scientific research subject to Article 89 safeguards, or Article 9(2)(i) for public health. An organisation that wrongly treats the data as anonymous, and therefore documents no legal basis, is exposed to a finding of infringement.

2. The EU Clinical Trials Regulation 536/2014

Under Regulation (EU) 536/2014, sponsors must comply with EU data-protection law throughout the conduct of a trial. Informed consent under the EU CTR does not replace the need for a valid GDPR legal basis. Where a CRO or data-management vendor mislabels coded data as anonymous, the error can undermine the entire data-governance structure the sponsor relies on.

3. MR-001 and the French framework

France’s MR-001, issued by the CNIL under Article 40-I of the Loi Informatique et Libertés, sets the conditions for processing health data in interventional research and expressly contemplates coded (pseudonymised) data. An organisation that processes under MR-001 yet describes its data as anonymous is, by definition, outside the conditions of the methodology, and therefore exposed to standard enforcement under the Article 83 penalty regime.

4. Cross-border data transfers

Pseudonymised data leaving the EEA remains subject to Chapter V of the GDPR. Standard Contractual Clauses (Commission Decision 2021/914) must be in place, and a transfer impact assessment may be required where the destination does not offer equivalent protection. Organisations that believe they are transferring anonymous data often fail to put these mechanisms in place, which compounds the exposure. This is also where an EU Data Protection Representative and proper transfer documentation earn their keep.

How does the UK position compare?

The UK GDPR, retained by the European Union (Withdrawal) Act 2018, mirrors the EU position. The ICO’s Anonymisation, Pseudonymisation and Privacy Enhancing Technologies guidance (2022) applies a substantially equivalent functional test. A UK-based clinical-research organisation processing data that can be linked back to an individual, even through a third party holding a code-break list, must treat that data as personal data under the UK GDPR.

What should sponsors and CROs do?

The following operational steps follow directly from the enforcement rationale and applicable guidance.

1. Apply the objective re-identification test, not internal assertions. Assess whether re-identification is reasonably possible using all means likely to be used by any party in the chain, including your vendors and any third party with access to auxiliary datasets. Not holding the key yourself is not enough.
2. Document the classification in the RoPA and DPIA. Your Article 30 records and any Article 35 DPIA must state that coded trial data is pseudonymised, not anonymous, and record the safeguards applied to the subject identification list.
3. Keep a valid legal basis and special-category condition at all times. Confirm the Article 6 basis and the Article 9(2) condition before processing begins, and where MR-001 applies, confirm purpose limitation, data minimisation (Article 5(1)(c)) and storage limitation (Article 5(1)(e)).
4. Ensure transfer mechanisms cover pseudonymised data. Do not assume coded data can leave the EEA freely. Put SCCs in place and run a transfer impact assessment where required, regardless of the pseudonymisation applied.
5. Train the data-governance, clinical-operations and vendor-oversight teams. Much of the misclassification risk comes from a shaky grasp of the definitions. Targeted training on Article 4(5), Recital 26 and supervisory-authority guidance closes that gap.
6. Scrutinise vendor classification claims. As controller, you are accountable under Article 5(2) across the chain. Where a CRO or vendor asserts that data is anonymous, require documentary evidence assessed against the objective test, and reflect the agreed classification in the Article 28 data-processing agreement.

‍