
Article at a glance: what a health data warehouse is, who can create one, the regulatory requirements to be met (the CNIL, France's National Commission for Information Technology and Civil Liberties; GDPR; HDS; AIPD; DPO), and the practical steps to ensure your project is compliant.

Introduction

Every day, thousands of medical procedures generate valuable data: consultations, hospitalizations, test results, and prescriptions. In most healthcare facilities, this data remains locked away in siloed systems, never put to good use.

A health data warehouse makes it possible to transform this information into a true strategic and medical asset. However, its implementation falls under a demanding regulatory framework that is still poorly understood by many industry players: hospitals, clinics, startups, and research teams.

This guide is for you if you are a healthcare facility director, a physician leading a data project, a CIO, a founder of an e-health startup, or a digital health investor. In less than 10 minutes, you’ll know exactly what a health data warehouse is, whether it applies to you, what you’re allowed to do, and how to build your project without exposing yourself to risk.

1. What is a health data warehouse?

1.1 What is the definition of a health data warehouse?

A health data warehouse (EDS, from the French entrepôt de données de santé) is a centralized, secure database designed to collect, store, and organize large volumes of health data over the long term (generally at least 10 years). According to the definition adopted by the CNIL, a health data warehouse is a database intended primarily for research, studies, or evaluations in the field of health.

The distinctive feature of an EDS is that it aggregates data from multiple sources: electronic health records (EHRs), prescriptions, laboratory tests, medical imaging, administrative data, and sometimes data from connected devices or previous research. This data is organized to enable secondary uses: medical research, hospital management, development of artificial intelligence algorithms, pharmacovigilance, etc.

But it is not just a simple database. It is a fully-fledged system, with its own governance structure, specific access rules, and a rigorous regulatory framework. It differs from a one-off research study in that it is designed to be reused over the long term by different teams for a variety of purposes in the field of health.

Key figures: As of September 1, 2025, the CNIL counted 125 health data warehouses in France, operated by 102 different entities: 45 public, 32 private nonprofit, and 25 private. This figure has been growing rapidly since 2017, driven by the challenges of innovation in the healthcare sector in France.

1.2 Where can I find a map of health data warehouses in France?

The CNIL publishes and regularly updates a map of authorized health data warehouses in France. It lists the 125 warehouses that are active or currently being implemented, indicating for each entity the sector to which it belongs and the status of the initiative. This is the go-to resource for identifying who operates a health data warehouse in France and under which regulatory framework.

2. What exactly is an EDS used for?

2.1 What are the practical applications of a health data warehouse?

An EDS goes far beyond the realm of academic research. It paves the way for what some doctors are already calling “4P medicine”: predictive, preventive, personalized, and participatory.

The most common uses among organizations that have deployed an EDS in France:

  • Improving the quality of care: analyzing patient pathways, identifying effective treatment approaches, and reducing readmissions. These applications range from improving individual patient care pathways to generating insights at the population level.
  • Accelerating medical research: enabling research teams to access patient cohorts over several years without having to collect data from scratch for each study.
  • Managing operations: generating performance metrics, forecasting resource needs, and monitoring trends in medical conditions.
  • Developing decision-support tools: training predictive models to better guide diagnoses or treatments.

The difference between a data warehouse and a standard hospital information system lies precisely in this ability to reuse data: the data is not collected for a single use; rather, it is structured to support multiple, successive projects.

3. EDS or research project: what’s the difference?

The distinction between an EDS and a health research project is one of the most frequently asked questions in organizations launching a health data project.

How an EDS compares with a one-time study or research project:

  • Objective: an EDS stores data for reuse in multiple projects; a one-time study answers a specific scientific question.
  • Duration: an EDS lasts at least 10 years; a one-time study has a limited and predetermined duration.
  • Data: an EDS collects data continuously throughout the treatment; a one-time study collects data specifically for that study.
  • Reuse: yes for an EDS, through a series of projects; no for a one-time study (one study = one approval).

Key Point: Project leaders who wish to reuse data from an EDS for research purposes must submit a specific request to the Scientific and Ethics Committee. This is separate from the initial formalities involved in creating the data warehouse.

Creating an EDS does not, therefore, exempt you from separately declaring each research project that will subsequently use this data: these are two distinct processes, each with its own data controller and regulatory obligations.

4. Who can create a health data warehouse?

4.1 Which organizations are authorized to create an EDS?

Health data warehouses are often associated with large university hospitals and research institutes. However, their implementation now involves a wide range of stakeholders in the healthcare sector. The following entities can create a health data warehouse:

  • Public hospitals and university hospitals (the most common case);
  • Private clinics and healthcare facilities, provided they serve the public interest;
  • Cancer centers and research foundations;
  • Research institutes (INSERM, Institut Pasteur, etc.);
  • E-health startups and private companies, subject to specific and more restrictive rules.

4.2 Can a startup or a private company create an EDS?

Yes, but with stricter rules. A private company that does not perform a public interest mission is not eligible for the simplified framework provided by the CNIL. It must either obtain individual authorization from the CNIL or obtain the explicit consent of each affected patient.

It is also strictly prohibited to collect patient data for the sole purpose of building a repository, without a purpose defined from the outset. The consequences can be severe: formal notice, fines, and the requirement to delete data that has already been collected.

5. What data can be collected and used in an EDS?

5.1 What uses are permitted for data from an EDS?

Health data is considered “sensitive” data within the meaning of Article 9 of GDPR. As a general rule, its processing is prohibited, except in specific cases defined by law.

Health data: Any information relating to a person’s physical or mental health, whether past, present, or future, including genetic and biometric data when such data can be used to identify an individual. The processing of such data is subject to specific rules that are stricter than those applicable to ordinary data.

These uses must be consistent with a recognized and documented standard methodology; this is one of the conditions the CNIL sets for validating the compliance of an EDS project. For an EDS, the authorized and prohibited uses are:

Approved:

  • Medical research and health studies
  • Evaluation of health practices and policies
  • Development of performance metrics and management of an institution’s operations
  • Improving the quality and safety of care

Prohibited:

  • Marketing of drugs or medical devices
  • Adjustment of insurance coverage or premiums
  • Any use for purely commercial or marketing purposes
  • Sale of data to third parties

Personal data in general (contact information, login credentials, administrative data) collected as part of an EDS is also subject to GDPR and falls under the obligations of the data controller, just like health data in the strict sense. It is precisely for this reason that GDPR compliance is the essential foundation of any EDS project: without it, none of the subsequent steps can be validly completed.

5.2 Pseudonymization or anonymization: What are the requirements for an EDS?

This is a question that project leaders always ask themselves when launching a project, and confusion between the two concepts has direct implications for the legal basis of your project and the obligations of the data controller.

Pseudonymized data, in which the patient’s name is replaced by an identifier, remains personal data subject to GDPR: re-identification remains theoretically possible. Anonymized data no longer allows for re-identification and falls outside the scope of GDPR.

In an EDS, data is generally pseudonymized, not anonymized. This means that all GDPR requirements continue to apply in full. As a data controller, you must explicitly document the pseudonymization measures you have chosen in your Data Protection Impact Assessment (DPIA, or AIPD in French) and explain why full anonymization is not possible or appropriate for your project.

6. What regulatory requirements apply to an EDS? (CNIL, GDPR, HDS, DPO, AIPD)

6.1 What is the legal framework applicable to an EDS? 

An EDS is not based on a single document. Its legal framework consists of a set of standards that must be understood in their entirety:

  • The GDPR (Regulation (EU) 2016/679), and in particular Articles 6 and 9, which define the legal bases and the rules governing sensitive data;
  • The Data Protection Act (Law No. 78-17, as amended), which implements the GDPR in French law;
  • The Public Health Code, particularly the provisions on medical confidentiality and the processing of health data for research purposes;
  • The EDS guidelines issued by the CNIL (Decision No. 2021-118 of October 7, 2021);
  • Reference Methodology MR-004 for research not involving human subjects;
  • The EHDS Regulation (Regulation (EU) 2025/327 of February 11, 2025), which lays the groundwork for gradual European harmonization.

Mastering this framework is the starting point for any GDPR compliance, and that is exactly what Dipeeo handles for you.

6.2 What are the fundamental GDPR principles that apply to an EDS?

Regardless of the applicable regime, an EDS must comply with the fundamental principles of the GDPR. These are the same principles that underpin any GDPR compliance effort, applied here to a particularly demanding context:

  • A clearly identified legal basis: public interest, legitimate interest, or explicit consent. An EDS cannot be based solely on a contractual basis, such as a client database.
  • Specific and compatible purposes: the purposes must be documented and limited to health-related research, study, or evaluation.
  • Data minimization: only data that is strictly necessary is collected. Any excessive collection of data exposes the data controller to a direct risk.
  • Informing data subjects: patients must be individually informed of the existence of the EDS, the data being processed, and their rights.
  • An effective right to object that is easy to exercise, from the very first contact.
  • A data retention period that is limited and proportionate.
  • Enhanced technical and organizational security (see Section 7).

6.3 What are the CNIL requirements for setting up an EDS?

In its role as regulator, the CNIL verifies that these obligations are effectively implemented; it may at any time request additional information, conduct on-site investigations, or issue a formal notice if the documentation is incomplete or if practices deviate from the declared framework. There are two options available depending on your situation, and choosing the wrong one exposes your organization to direct penalties.

Option 1: Statement of compliance with the guidelines

  • Condition: a project that complies with the guidelines on health data processing and serves a public interest mission.
  • Deadline: effective immediately after filing.
  • Required documents: AIPD, register, complete documentation.
  • Constraint: compliance with the mandatory standards; any deviations must be identified and justified to the CNIL.

Option 2: Individual authorization from the CNIL

  • Condition: a project that deviates from the guidelines; an EDS using data from the National Health Data System; or a private company without a public interest mission.
  • Deadline: 2 to 4 months for processing by the CNIL.
  • Required documents: complete application package, including the AIPD and the authorization form.

No data collection is permitted without prior authorization. The CNIL requires compliance with the guidelines in all cases, or, failing that, an explicit justification for each instance of non-compliance.

Special case regarding the National Health Data System (SNDS): any use of data from the SNDS requires individual authorization, even if consent has already been obtained from the individuals concerned.

6.4 Should the legal basis be established before launching the project?

Yes, and this is often the step that organizations overlook the most. The legal basis determines everything else: the regulatory approach chosen, the content of the privacy notice, the procedures for informing patients, and the obligations of the data controller. An ill-defined legal basis is the primary reason for a rejection or a request for additional information by the CNIL.

6.5 Is an AIPD required for an EDS?

Yes, without exception. The data protection impact assessment (AIPD, the French term for a DPIA) is required under both regulatory routes, the declaration of compliance and the individual authorization, and it must be completed before any data is collected. Step 2 of Section 8 describes what it must cover.

6.6 Is a DPO required for an EDS project?

Yes, the appointment of a Data Protection Officer (DPO) is legally required for all public healthcare institutions and for any organization that processes health data on a large scale.

For an EDS, the DPO must be involved from the design phase, not just when drafting the CNIL filing. If your organization does not have an in-house DPO, this is exactly where an outsourced DPO declared to the CNIL, such as Dipeeo, comes in.

6.7 Is HDS certification required to host data?

Yes, without exception. Health data must be hosted by an HDS-certified provider (Health Data Host), in accordance with Article L.1111-8 of the Public Health Code. Before selecting any infrastructure, verify the validity of your provider’s HDS certification with the Digital Health Agency (ANS), which issues and maintains the list of certified hosts.

Do not confuse: EDS ≠ HDS: EDS refers to the data processing and governance framework. HDS certification pertains to the technical infrastructure that hosts this data. Both are mandatory, but they address different requirements.

6.8 What governance committees should be established for an EDS?

The guidelines on the processing of health data issued by the CNIL require two separate bodies:

  • The steering committee: guides strategic decisions and approves access policies.
  • The Scientific and Ethics Committee: issues a preliminary opinion on each project seeking to reuse the data. It must include independent representatives, healthcare professionals, and researchers.

An EDS requires robust governance:

  • A clearly designated data controller;
  • A DPO involved from the design phase;
  • A scientific and ethics committee responsible for evaluating each data reuse project;
  • A documented and traceable access policy;
  • Operational procedures for managing patient rights (information, objection, access).

6.9 What rights do patients have regarding their data in an EDS?

Your patients have rights regarding their data in the EDS: the right to information, the right of access, the right to rectification, and the right to object, which must be easy to exercise from the very first contact. The CNIL checks that these rights are effectively implemented; they are not optional.

7. Security, hosting, and data retention standards to be met for a compliant EDS

7.1 What are the technical security requirements for a compliant EDS?

A compliant EDS is not based solely on a well-prepared regulatory dossier. It also rests on a robust technical foundation, every element of which stems directly from the security principles mandated by the GDPR and the CNIL guidelines.

  • HDS-certified hosting in France or the European Union: special attention must be paid to the risks associated with access from outside Europe. For example, the U.S. Cloud Act allows U.S. authorities to access data stored by U.S. companies, even if it is hosted in Europe. This risk must be assessed and documented in your Data Protection Impact Assessment (DPIA).
  • Systematic pseudonymization: personal data is replaced with technical identifiers as soon as it enters the data warehouse. The mapping table that links identifiers back to real identities is managed separately under strict control, and access to it is limited to a small number of authorized individuals.
  • Segregation by research project: each team has access only to the data it needs for its specific project, not to the entire data warehouse. This principle of minimizing access is a direct requirement of the GDPR.
  • Full traceability: all access, exports, and modifications are logged and auditable. In the event of a CNIL audit or a security incident, you must be able to determine precisely who accessed what, and when.
  • Data retention period: generally between 10 and 20 years depending on the use case, but it must be explicitly justified in your compliance documentation and subject to periodic review. Retaining data longer than necessary violates the GDPR’s storage limitation principle.
  • Incident response plan: data breaches, court-ordered access requests, and ransomware attacks must all be anticipated before they occur. An incident response plan is mandatory under the GDPR’s security requirements, and its absence is consistently noted during CNIL audits.

7.2 CNIL Penalty: The IQVIA Case Explained

📌 Actual case: CNIL sanction against IQVIA (2025)
IQVIA is an American multinational company specializing in health data and technologies. As part of its operations in France, the company had established a health data warehouse fed by data from partner pharmacies for the purpose of analyzing and commercially exploiting patient data. In 2025, the CNIL imposed a penalty on the company, citing two major violations:

  • First violation: the obligation to inform patients was delegated but not verified. IQVIA had entrusted the task of informing patients to partner pharmacies. The CNIL held that, as the data controller, IQVIA should have ensured that this information was actually provided and not merely included the obligation in a contract. Delegating an obligation does not relieve the data controller of the responsibility to verify that it is being complied with.
  • Second violation: lack of effective monitoring of access logs. Manual monitoring of access logs was planned but was not carried out in practice. The CNIL also criticized the absence of a SIEM, a system capable of automatically analyzing access logs to detect anomalies in real time. This type of tool is now considered a standard requirement for any EDS processing health data on a large scale.
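As an added example (not Dipeeo's code, and not any real EDS implementation), the following Python models the technical controls listed in 7.1, pseudonymization with a separately guarded mapping table, per-project segregation and full traceability, together with the automated log review whose absence the CNIL faulted in the IQVIA case. The key, user names, project name, field names and the bulk-read threshold are assumptions, and all patient data is constructed.

```python
"""Added example, not Dipeeo's code: the 7.1 controls (pseudonymization with a
separately guarded mapping table, per-project segregation, full traceability)
plus the automated log review the IQVIA sanction faulted. All data is constructed."""
import hashlib
import hmac
from collections import Counter

# Keyed-hash secret: a constructed placeholder; in production it lives in a KMS/HSM,
# never in the warehouse itself.
PSEUDO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymize(patient_id: str) -> str:
    """Stable technical identifier; without PSEUDO_KEY it can neither be reversed nor recomputed."""
    return hmac.new(PSEUDO_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


class AuditLog:
    """Append-only trace of every access attempt, successful or not."""
    def __init__(self):
        self.entries = []

    def record(self, user, action, project, pseudo, outcome):
        self.entries.append({"user": user, "action": action, "project": project,
                             "pseudo": pseudo, "outcome": outcome})


class MappingTable:
    """Pseudonym -> identity store kept apart from the warehouse; only an allowlist may re-identify."""
    def __init__(self, allowed_users, audit):
        self._map, self._allowed, self._audit = {}, set(allowed_users), audit

    def register(self, patient_id):
        pseudo = pseudonymize(patient_id)
        self._map[pseudo] = patient_id
        return pseudo

    def reidentify(self, user, pseudo):
        ok = user in self._allowed
        self._audit.record(user, "reidentify", "mapping-table", pseudo, "ok" if ok else "denied")
        if not ok:
            raise PermissionError(f"{user} may not use the mapping table")
        return self._map[pseudo]


class Warehouse:
    """Pseudonymized records, released per project and limited to that project's fields."""
    def __init__(self, audit):
        self.records, self.projects, self.audit = {}, {}, audit

    def ingest(self, mapping, patient_id, record):
        pseudo = mapping.register(patient_id)   # the identity goes to the mapping table only
        self.records[pseudo] = dict(record)     # the warehouse never stores patient_id
        return pseudo

    def authorize(self, project, users, fields):
        self.projects[project] = {"users": set(users), "fields": set(fields)}

    def query(self, user, project, pseudo):
        scope = self.projects.get(project)
        ok = scope is not None and user in scope["users"]
        self.audit.record(user, "read", project, pseudo, "ok" if ok else "denied")
        if not ok:
            raise PermissionError(f"{user} is not authorized for {project}")
        return {k: v for k, v in self.records[pseudo].items() if k in scope["fields"]}


def review_log(entries, bulk_threshold=3):
    """SIEM-style pass over the trace: denied attempts, and bulk reads by one user in one project."""
    alerts = [f"denied {e['action']} by {e['user']} on {e['project']}"
              for e in entries if e["outcome"] == "denied"]
    reads = Counter((e["user"], e["project"]) for e in entries
                    if e["action"] == "read" and e["outcome"] == "ok")
    alerts += [f"bulk read: {u} pulled {n} records from {p}"
               for (u, p), n in reads.items() if n >= bulk_threshold]
    return alerts


def demo():
    """Constructed scenario: one authorized study, one unauthorized user, one over-broad extraction."""
    audit = AuditLog()
    mapping = MappingTable(allowed_users={"dpo-delegate"}, audit=audit)
    wh = Warehouse(audit)
    patients = {f"patient-{i}": {"diagnosis": f"D{i}", "age": 40 + i, "postcode": "75000"}
                for i in range(4)}
    pseudos = [wh.ingest(mapping, pid, rec) for pid, rec in patients.items()]
    wh.authorize("readmissions-study", users={"alice"}, fields={"diagnosis", "age"})
    first = wh.query("alice", "readmissions-study", pseudos[0])   # postcode is filtered out
    try:
        wh.query("bob", "readmissions-study", pseudos[0])        # not on the project: denied, logged
    except PermissionError:
        pass
    try:
        mapping.reidentify("bob", pseudos[0])                     # not allowlisted: denied, logged
    except PermissionError:
        pass
    for p in pseudos[1:]:                                         # 4 reads in total -> bulk alert
        wh.query("alice", "readmissions-study", p)
    return first, review_log(audit.entries)
```

Running demo() returns the field-limited record seen by the authorized researcher and three alerts: two denied attempts and one bulk read, which is exactly the kind of finding a manual log review that is "planned but not carried out" would miss.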

At Dipeeo, we systematically verify that the obligations delegated to your partners are not only contractually stipulated but also effectively carried out and traceable.

7.3 Why is technical security inseparable from GDPR compliance?

Because the GDPR does not distinguish between the two. Article 32 of the GDPR requires the data controller to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In the context of an EDS that processes health data on a large scale, this standard is particularly high.

A CNIL filing is not enough if the underlying infrastructure has vulnerabilities. That is why Dipeeo addresses both regulatory compliance and the assessment of security measures, ensuring that the two are aligned.

8. How to Create a Compliant EDS: A 7-Step Method

Step 1 — Define the purposes and the legal basis

What is the purpose, for whom, and for how long? The answers to these questions directly determine your regulatory path, the content of your data protection impact assessment (AIPD), and the obligations of the data controller.

In practice: list the intended use cases, identify the relevant data categories, and verify that each use case complies with the CNIL guidelines. A poorly formulated purpose is the leading cause of rejection or requests for additional information.

Step 2 — Complete the AIPD

The data protection impact assessment is the foundational document. It identifies risks to patients’ rights, outlines the planned technical and organizational measures (including pseudonymization), and demonstrates that the processing is proportionate. It is mandatory without exception and must be completed before any data is collected.

In practice: An EDS’s AIPD covers the entire system; expect it to take several weeks of work, involving a DPO and technical teams.

Step 3 — Establish governance

Establish the steering committee and the scientific and ethics committee; draft the access policies; and define the traceability rules and authorization procedures. This governance structure must be in place before the first data is uploaded. 

In practice: Setting up an independent and credible scientific and ethics committee takes time, so it’s important to plan ahead.

Step 4 — Choose an HDS-certified hosting provider

The infrastructure must be HDS-certified by an accredited body. Verify the validity and exact scope of the certification with the French Digital Health Agency (ANS); some providers are certified only for certain hosting activities. Do not choose your infrastructure until you have defined your objectives and data architecture. Also verify exposure to the Cloud Act if your provider is a U.S. company or a subsidiary of a U.S. group.

Step 5 — Complete the CNIL formalities

Submit a declaration of compliance with the guidelines for the processing of health data, or file an application for individual authorization, depending on your situation. In either case, the application must be complete before any data collection begins. An application for individual authorization takes 2 to 4 months to process; be sure to factor this into your schedule from the outset.

Step 6 — Inform patients and facilitate the exercise of their rights

Establish information systems and procedures that allow patients to easily exercise their right to object. The CNIL systematically checks this point. The information must be clear and accessible; have it reviewed by an experienced DPO before it is distributed.

Step 7 — Document and maintain compliance over time

An EDS has no expiration date. Compliance must be maintained: keep the register up to date, revise the AIPD whenever there is a significant change, and follow specific procedures for each new data reuse project. Schedule an annual review with your DPO and regular training sessions for your teams, as regulatory requirements in the healthcare sector are constantly evolving, and handling errors remain one of the leading causes of non-compliance.

Key takeaway: Organizations that skip steps 1 through 3 will either be blocked by the CNIL or forced to delete data they have already collected, with the resulting operational and legal consequences for the data controller.

9. The EHDS: How the European Regulation Affects Your EDS

9.1 What is the EHDS, and why is it important for an EDS? 

The European regulation on the European Health Data Space (EHDS) entered into force on March 26, 2025. This marks a major development for all stakeholders involved in managing health data in France and across Europe.

To learn more about the EHDS and its practical implications for your GDPR compliance, check out the full recording of the Dipeeo webinar.

9.2 Does the EHDS replace the existing regulatory framework?

No. The EHDS does not replace national data protection laws or the CNIL framework. Instead, it integrates them into a harmonized European ecosystem. Its implementation is phased:

  • General application of the regulation from March 26, 2027
  • Rules governing the secondary use of health data will take effect on March 26, 2029
  • Extension to other data categories starting in 2031

9.3 What specific obligations does the EHDS impose on EDS controllers?

For data holders (including EDS managers), the EHDS means that, eventually, some of their data will need to be made available within a European framework for reuse for the purposes of research, innovation, and public policy.

In practical terms, preparing for the EHDS now means:

  • Make sure your GDPR compliance documentation is up to date and well-organized; it will serve as the foundation for your EHDS compliance.
  • Verify that your data formats and standards are compatible with European requirements
  • Incorporate the EHDS into your data governance roadmap from the very start of your EDS design

The EHDS does not impose any immediate requirements on your EDS at this time. However, organizations that build their EDS without taking it into account will likely have to revise their architecture and documentation in the coming years. This is a cost that can be avoided if steps are taken now.

10. How can Dipeeo support you with your EDS project?

An EDS project triggers a series of interconnected obligations. Each of the steps mentioned above has its own requirements, deadlines, and risks. And that is exactly what Dipeeo handles for you.

Dipeeo has already supported healthcare facilities, clinics, and healthcare project leaders through every stage of an EDS project, from defining objectives to obtaining CNIL approval and using the data within the EDS. We understand the potential roadblocks, the questions raised by the CNIL, and what it takes to move forward quickly without taking risks or wasting time.

In practice, here’s what we do for you:

  • Defining the legal basis and purposes: we review your project and help you formulate compliant purposes from the outset, to avoid back-and-forth communication with the CNIL.
  • Preparation and maintenance of the data protection impact assessment (AIPD): we draft the entire impact assessment, covering all anticipated use cases, and update it as the project evolves.
  • Governance structure: we help you establish the two required committees, draft access policies, and implement a system to track consultations.
  • Handling CNIL formalities: whether it involves a declaration of compliance with the data processing guidelines or a request for individual authorization, depending on your situation, we prepare the application, submit it, and manage all communications with the CNIL.
  • Patient information materials: we draft patient information leaflets and establish procedures for exercising rights.
  • Team training and awareness: we train your employees (medical, IT, and administrative staff) on GDPR requirements and best practices specific to the processing of health data, so that compliance does not rest solely on the DPO.
  • Ongoing regulatory monitoring: healthcare requirements are constantly changing. We keep track of these changes to ensure that your EDS remains compliant over time, without you having to monitor every update to the standards.

In other words: if your organization is already working on GDPR compliance with Dipeeo, you’ve already come a long way. We build on that work to move your EDS project forward more quickly without having to start from scratch.


FAQ: Your Questions About EDS 

Are we allowed to use our patients' data for research?

Yes, under certain conditions. Health data is sensitive data, and its processing is strictly regulated. To reuse it in the context of an EDS, your project must be based on a valid legal basis (public interest mission or explicit consent), must comply with the CNIL guidelines or be subject to individual authorization, and must safeguard patients’ rights.

Can a startup create a health data warehouse?

Yes, but with stricter requirements. A startup that does not serve the public interest cannot benefit from the simplified framework of the CNIL guidelines. It must obtain individual authorization or secure the explicit consent of each patient. Specialized expertise is essential before launching the project; project leaders who underestimate the regulatory framework risk costly setbacks.

What is the difference between EDS and HDS?

These are two complementary but distinct concepts. The EDS is the system for processing and managing health data. HDS certification pertains to the technical infrastructure that physically hosts this data. Every EDS must be hosted by an HDS-certified provider, but HDS certification alone does not make an EDS compliant.

Can data from an EDS be sold or monetized?

No. Any commercial use of health data, including the promotion of medications, the adjustment of insurance premiums, or the resale of data to third parties, is strictly prohibited by the CNIL guidelines and the Public Health Code.

Is a DPO required to establish an EDS?

Yes, in almost all cases. All public healthcare institutions are legally required to appoint a DPO. For other organizations, if the EDS involves large-scale processing of health data, appointing a DPO is mandatory. If you do not have one in-house, an outsourced DPO such as Dipeeo can fill this role.

How long does it take to create a compliant EDS?

It depends on your current situation. If your project complies with the CNIL guidelines, the filing process may be quick, but compiling the compliance dossier (AIPD, governance, documentation) takes several months. If individual authorization is required, allow an additional 2 to 4 months for processing by the CNIL, during which time no data collection may begin.

Does the EHDS already apply to my EDS?

Not yet in its entirety. The EHDS Regulation entered into force on March 26, 2025, but its implementation is phased. The rules regarding the secondary use of health data will apply starting March 26, 2029. It is nevertheless recommended to start preparing now, particularly by ensuring that your GDPR compliance is robust, as it forms the foundation of EHDS compliance.

Conclusion

A health data warehouse represents a real opportunity for your healthcare organization in France, provided it is built on a solid foundation. In this context, GDPR compliance is not an obstacle: it already covers a large portion of the regulatory requirements for a health data warehouse, and this is often where the most foundational work has already been done.

At Dipeeo, we handle all your compliance needs, from the initial assessment to ongoing monitoring, so you can focus on your core business.

Schedule an appointment with a Dipeeo expert → If your organization is considering an EDS project, contact us: we’ll quickly let you know where you stand and what needs to be done.

Lilia Dipeeo