On April 9, 2025, the Social Chamber of the French Supreme Court (Cour de cassation) issued two significant rulings clarifying the place of the General Data Protection Regulation (GDPR) within the evidentiary framework of employment law disputes.
While the judges rejected evidence – deemed unlawful - provided by log files in the context of a dismissal in the first case, they granted a request to disclose documents containing the personal data of third-party employees in the second case.
The Cour de cassation confirms the importance of the GDPR in labor litigation, urging employers to exercise extra caution when processing personal data for disciplinary or litigation purposes. We take stock in this article.
Cour de cassation, April 9, 2025, Social Chamber, 23-13.159
While a branch manager and their employer had agreed in principle to a contractual termination, internal alerts from the company's IT department revealed the deletion of over 4,000 files and folders, as well as around a hundred emails sent to the branch manager's professional email address.
Following a bailiff's report, cross-checking information from the log files with messages sent from the IP address assigned to the employee, the company dismissed the branch manager for gross misconduct.
The branch manager then challenged this decision and the lawfulness of the bailiff's evidence before the Angers Court of Appeal, on the grounds that using of a log file constitutes the processing of personal data, which requires prior declaration to the French Data Protection Authority (the CNIL).
The Court of Appeal rejected this argument and ruled that the evidence was admissible.
However, the Cour de cassation, referred to by the branch manager, took a different view, reiterating its earlier position that IP addresses are personal data as they make it possible to identify a natural person indirectly. The Court further ruled that collecting an IP address through the use of a log file constitutes a processing of personal data, which requires the consent of the data subject. The French Supreme Court judges therefore concluded that the evidence provided by the bailiff's report was unlawful.
With this decision, the Cour de cassation de facto excludes any other legal basis that could justify the processing of IP addresses and log files by an employer, and directly contradicts the established CNIL position that such processing can be based on the employer's legitimate interest (Article 6§1, f) of the GDPR).
Indeed, the CNIL clearly states in its Référentiel relatif à la gestion des ressources humaines that processing intended to ensure the security and proper operation of IT applications and networks is based on the employer's legitimate interests.
Furthermore, the legal basis of consent is ill-suited to labor law, as employers seeking to obtain their employees' consent hold a position of strength, thereby obstructing the freedom of consent. Additionally, obtaining the consent of each individual employee entails is a lengthy and complex process for an employer, exposing them to the risk of seeing their processing being devoid of any legal basis if employees withdrawing their consent.
This decision is therefore highly questionable from a personal data protection law perspective.
Since the case has been referred, the decision of the Pau Court of Appeal remains to be seen, as a dissenting position could bring the matter before the plenary assembly of the Court of Cassation.
Cour de cassation, April 9, 2025, Social Chamber, 22-23.639
In the second case, which concerned a discrimination action, the judge presiding over the pre-trial proceedings ordered the Caisse d'épargne et de prévoyance Ile-de-France (CEIDF) to provide a list of the names of all employees hired under the same classification for each of the eight employees concerned, as well as a certain amount of personal data for each of these employees (in particular, date of birth, gross monthly salary for each year, breaking down base salary, fixed bonuses and variable remuneration of all kinds, December pay slips since their hiring date, etc.).).
The case having been brought before the Cour de cassation, the judges of the French Supreme Court clarified that a request for the compulsory disclosure of documents containing personal data must necessarily be examined prior to any execution of the measure, as the harm it could cause to the data subjects can no longer be usefully remedied by a subsequent control once the documents have been communicated.
In line with the Court of Justice of the European Union (CJEU) position, the Cour de cassation's ruling sets out the framework for assessing requests for disclosure. The Cour de Cassation specifies that it is up to the judge to determine whether the communication of documents is necessary for the exercise of the right of proof of the alleged discrimination and proportionate to the alleged aim and, to verify that there is a legitimate reason to preserve or establish the evidence before any trial. Furthermore, when the requested communication is likely to infringe on the privacy of other employees, judges must verify which measures are indispensable for exercising the right of proof, while preserving the fundamental rights at stake.
With this final point, the Cour de cassation places the principle of data minimization at the heart of the debate and establishes the possibility of using the personal data of comparison employees solely for the purposes of the discrimination action. Also, and if necessary, all personal data of comparison employees that are not essential to the exercise of the right of proof and proportionate to the aim pursued, should be concealed on the documents to be communicated. With this ruling, the Cour de cassation reinforces evidentiary requirements, establishing the control of proportionality between the need for proof and the protection of personal data as a fundamental imperative.
This decision forms part of the ongoing discussion surrounding the use of the right of access granted by the GDPR for evidentiary purposes, particularly when massive requests for access to employees' emails are made with a view to constituting evidence in matters of dismissal. For more information, please see our article "Employee right of access: lever or drift?".
These rulings call on employers to strengthen compliance with the GDPR in processing their employees' personal data, particularly by:
The firm's IT/Data team will be happy to answer any questions you may have or assist you!
Jeannie Mongouachon, avocate associée et Juliette Lobstein, avocate collaboratrice chez Squair