In a case that the Cour de cassation (the highest court in the French judicial system) had to adjudicate on April 9, 2025 (No. 23-13.159), an employee was dismissed for gross misconduct after his employer discovered that he had carried out a mass deletion of professional files and folders and transferred a considerable amount of confidential information and documents to his personal email box. He was caught through analysis of the log files of the company IT system.
The Cour de cassation reversed the appeal judgment, which had found that the IP address used to evidence the misconduct was not personal data. The court further – succinctly – stated that 'the use of the log file constitutes a processing of personal data, which is lawful only if the person concerned has consented to it.'
Subject to procedural specifics, it is difficult to believe that the court could have misunderstood the interpretation of the GDPR to such an extent, for at least two reasons.
- Firstly, in that case, the data subject is an employee, and the doctrine of the French supervisory authority (the CNIL) and of the European Data Protection Board (EDPB) has long established that consent can only very rarely constitute a valid legal basis for the processing of personal data concerning employees, due to the imbalance that exists between them and their employer. Few employees would take the chance to refuse to grant their consent because they would fear negative consequences. Moreover, if the employer wanted to rely on the consent of its employees before monitoring their activities, it would then have to collect the consent of each employee (and take the risk that certain warmongers may refuse) and allow those who had consented to withdraw their consent at any time. Each employee would therefore be able, just before committing unlawful acts leaving tracks on the IT system, to withdraw their consent so that the employer could no longer prove those acts!
- Secondly, and most importantly, the GDPR provides for five other lawful bases, aside from consent. And one of them appears perfectly suitable in this case. Log files are traditionally used by organizations to secure their IT systems and keep track of fraudulent acts on them. According to the CNIL itself, logs can 'be used ex post when a data breach [...] is identified and the data controller seeks to establish liability' (Deliberation No. 2021-122 of October 14, 2021, recommendation on logging). Securing IT systems therefore contributes to the pursuit of an interest that is undoubtedly legitimate. Subject to the conditions for implementing the processing on this basis (transparency in particular, for example in a well-drafted IT charter), the lawful basis for such data processing can be that of the legitimate interest of Article 6(1)(f) of the GDPR.
Such a position by the French Cour de cassation is therefore neither logical nor relevant in the context in which logs are collected and processed. However, in our view, the scope of this decision – which remains quite laconic – should be considerably tempered, especially since it was neither published nor rendered in a plenary session. Therefore, it is not a landmark ruling.
Hopefully the referral back to the court of appeal following the annulment of the initial appeal decision may help clarify the doubts the Cour de cassation has raised.
Article provided by INPLP member: Charlotte Barraco-David and Marie-Hélène Tonnellier
co-author: Clyde Coutellier (OYAT, France)