GDPR information obligation hit by a knife

Date :

By a judgment handed down on February 14, 2024 (Social Chamber, No. 22-23.073), the Court of Cassation undermined the supposedly absolute nature of the right of individuals to be informed of the processing of personal data concerning them.

In this case, video surveillance installed in a store allowed the employer to highlight thefts from the cash registers carried out by an employee.

The surveillance process was clearly unlawful: no prior information of employees in accordance with the Labor Code, no declaration to the prefecture, and insufficiently detailed information of employees with regard to the legislation protecting personal data (in force at the time of the events but substantially identical to what the GDPR now provides).

The Court of Cassation points out that just because evidence has been obtained unlawfully does not necessarily mean that it must be excluded from the proceedings in a civil case, provided that the production in question is essential to the exercise of the right of evidence and that the infringement of the rights of the person is strictly proportionate to the aim pursued. In this case, the High Court considers that these conditions were met, balancing the legitimate aim of the company (ensuring the production of its assets) and the employee's right to respect for her private life (which in this case suffered a modest and circumstantial infringement).

The scope of this ruling is significant. In the sphere of labor law, the means of employee surveillance are now varied and powerful: cybersurveillance, geolocation, etc. An employer could therefore, if the conditions are met, rely on the traces thus collected to justify a dismissal even if the employee was not fully and completely informed of said surveillance in accordance with the GDPR.

But this weapon will have to be handled with caution by the employer, because just because the evidence in question can be produced to the industrial tribunal does not mean that he will escape the fines provided for by the GDPR for failure to inform the persons concerned...

To go further, see our article in EXPERTISES, MAY 2024 p.32 "Illicit evidence and private life: the confrontation"

Also read

Date :
Digital accessibility is an obligation for all e_commerce sites for new services from June 28, 2025. Existing "similar" services have an additional 5 years to comply with these obligations. But what is a "similar" service really?
Read more
Date :
the Court of Appeal of Pau (CA Pau, February 12, 2026, RG n°25/01900) has just issued a very interesting decision relating to the place of conclusion of an electronically signed contract. In that judgment, which concerned an employment contract, it considered that opting for the place of physical location of one or the other of the parties to designate the place of conclusion of the contract does not make sense, because that alleged location results from an IP address, which can be changed or falsified, and adopting that position would lead to a high degree of legal uncertainty.
The impact of this decision is directly related to the question of the law applicable to the contract and/or the competent court when, in the event that the parties had the freedom to choose them, they did not do so.
This is a first, and a very interesting one!
Read more
Date :
The rulings handed down in early September 2020 by the Toulouse (CA Toulouse, 3rd Ch., 4 September 2020, RG n°19/01990) and Lyon (CA Lyon, 6th Ch., 3 September 2020, RG n°19/06466) Courts of Appeal place a significant emphasis on the certification of the signature solutions implemented. However, it is still necessary to understand the scope of these certifications and their real impact on the reliability of the electronic signature.
Read more