GDPR information obligation hit by a knife

By a judgment handed down on February 14, 2024 (Social Chamber, No. 22-23.073), the Court of Cassation undermined the supposedly absolute nature of the right of individuals to be informed of the processing of personal data concerning them.

In this case, video surveillance installed in a store allowed the employer to bring to light thefts from the cash registers committed by an employee.

The surveillance process was clearly unlawful: employees had not been informed beforehand as the Labor Code requires, no declaration had been made to the prefecture, and the information given to employees was insufficiently detailed with regard to the legislation protecting personal data (in force at the time of the events but substantially identical to what the GDPR now provides).

The Court of Cassation points out that, in a civil case, the fact that evidence was obtained unlawfully does not necessarily mean that it must be excluded from the proceedings, provided that its production is essential to the exercise of the right to evidence and that the infringement of the person's rights is strictly proportionate to the aim pursued. In this case, the High Court considers that these conditions were met, balancing the legitimate aim of the company (ensuring the protection of its assets) against the employee's right to respect for her private life (which in this case suffered a modest and circumstantial infringement).

The scope of this ruling is significant. In the sphere of labor law, the means of employee surveillance are now varied and powerful: cybersurveillance, geolocation, etc. An employer could therefore, if the conditions are met, rely on the traces thus collected to justify a dismissal even if the employee was not fully and completely informed of said surveillance in accordance with the GDPR.

But the employer will have to handle this weapon with caution: the fact that the evidence in question can be produced before the industrial tribunal does not mean that the employer will escape the fines provided for by the GDPR for failure to inform the persons concerned.

To go further, see our article in EXPERTISES, MAY 2024 p.32 "Illicit evidence and private life: the confrontation"
