GDPR information obligation hit by a knife

By a judgment handed down on February 14, 2024 (Social Chamber, No. 22-23.073), the Court of Cassation undermined the supposedly absolute nature of the right of individuals to be informed of the processing of personal data concerning them.

In this case, video surveillance installed in a store allowed the employer to bring to light thefts from the cash registers committed by an employee.

The surveillance system was clearly unlawful: employees had not been informed in advance as the Labor Code requires, no declaration had been made to the prefecture, and the information given to employees was insufficiently detailed with regard to the legislation protecting personal data (in force at the time of the events but substantially identical to what the GDPR now provides).

The Court of Cassation points out that the fact that evidence was obtained unlawfully does not necessarily mean that it must be excluded from civil proceedings, provided that producing it is essential to the exercise of the right to evidence and that the infringement of the person's rights is strictly proportionate to the aim pursued. In this case, the High Court considers that these conditions were met, balancing the legitimate aim of the company (ensuring the protection of its assets) against the employee's right to respect for her private life (which in this case suffered a modest and circumstantial infringement).

The scope of this ruling is significant. In the sphere of labor law, the means of employee surveillance are now varied and powerful: cybersurveillance, geolocation, etc. An employer could therefore, if the conditions are met, rely on the traces thus collected to justify a dismissal even if the employee was not fully and completely informed of said surveillance in accordance with the GDPR.

But the employer will have to handle this weapon with caution: the fact that the evidence in question can be produced before the industrial tribunal does not mean that the employer will escape the fines provided for by the GDPR for failure to inform the persons concerned...

To go further, see our article in EXPERTISES, May 2024, p. 32: "Illicit evidence and private life: the confrontation".
