France's CNIL fines IQVIA 5 million euros over health data

The CNIL issued a 5 million euro GDPR fine against IQVIA Operations France over failures in health data warehouse safeguards, the largest single 2026 fine so far.

France's data protection regulator, the CNIL, has fined IQVIA Operations France 5 million euros over failures in how it safeguarded a health data warehouse. Issued on 26 May, it stands as the largest single GDPR fine of 2026 so far, and it lands in one of the most sensitive categories of data there is.

GDPR, the EU's data protection law, treats health data as a special category that demands stronger safeguards than ordinary personal information. The maximum penalty under the regulation is 20 million euros or 4 percent of global annual turnover, whichever is higher, so 5 million is far from the ceiling. It is still a clear signal about where regulators are looking.

Why this matters beyond France

Enforcement is accelerating. More than 2,500 GDPR fines totalling over 7 billion euros have been issued since 2018, and regulators handed out more between early 2023 and 2026 than in the previous five years combined. France has overtaken Luxembourg to become the second-largest enforcer after Ireland, the only two countries to have crossed a billion euros in fines.

The pattern in 2026 is worth noting for anyone who handles personal data: AI processing, consent interfaces and vendor management are the three fastest-growing triggers for fines. Regulators are increasingly interested not just in what you collect, but in how you obtained consent, how you handle the data downstream, and which third parties you passed it to. That last point connects directly to the supply chain risk playing out elsewhere in security right now.

For individuals, fines like this are a reminder that GDPR has teeth and that you have rights worth using: the right to see what an organisation holds on you, to have it corrected, and to have it deleted. For anyone running a business that touches EU residents' data, the message is blunt. The basics (a lawful basis for processing, real consent, proper safeguards and tight vendor controls) are exactly what the expensive fines keep coming back to.