A recent decision by the Labour Division of the French Supreme Court on 9 April 2025, ruling on the lawfulness of an employer's use of an employee's logs as grounds for dismissal, is causing concern among CISOs and CIOs (Appeal 23-13.159, unpublished).
Le Monde Informatique echoed this with the headline "Collecting an employee's IP address requires their consent".
What lessons can we learn from this decision?
Citing the provisions of Article 6(1) of the GDPR, the Court wrote that processing is lawful only if, and insofar as, at least one of the following conditions is met, in particular:
- the data subject has consented to the processing of his/her personal data for one or more specific purposes.
This reference to the law is partial.
Under that article of the GDPR, there is not just one but six legal bases for collecting personal data: consent, contract, legal obligation, public interest mission, legitimate interest and safeguarding vital interests.
The Court went on to point out in its judgment that "It follows that IP addresses, which make it possible to identify a natural person indirectly, are personal data within the meaning of Article 4 of the GDPR".
This question is not open to debate and had already been decided by the Social Division of the Court of Cassation (25 November 2020 - appeal no. 17-19.523) in line with the position taken by the CNIL in a note dated 6 January 2016.
The Court concludes: "so that their collection through the use of the log file constitutes processing of personal data which is only lawful if the data subject has given his or her consent."
The syllogism raises questions.
Firstly, it is not up to the Supreme Court to determine the legal basis for a processing operation. This is the prerogative and responsibility of the data controller with regard to each of the purposes of the processing, under the a posteriori supervision of the CNIL (in France), whose decisions may be appealed.
Secondly, "consent" must be free, specific, informed and unambiguous (Articles 4 and 7 of the GDPR). This means that the data subject has control over his or her data and must be able to:
- understand how their data will be used;
- choose without constraint whether or not to accept this processing;
- change their mind freely.
In its Deliberation No. 2022-126 of 23 May 2022 adopting a reference framework for the processing of personal data implemented for the purposes of personnel management, the CNIL recognised that the employer cannot use consent as a legal basis.
This is because employees are very rarely in a position to freely give, refuse or revoke their consent, given the dependency that arises from the employer/employee relationship.
Finally, the CNIL has already given its opinion on logging within companies, and that opinion contrasts with the position taken by the Cour de cassation.
In its Deliberation No. 2021-122 of 14 October 2021, the CNIL defines logging systems as "systems that ensure traceability of the accesses and actions of the various users authorised to access the information systems (and therefore the processing of personal data that these systems are likely to constitute)".
While it argues that the retention of this traceability data is primarily justified by the objective of ensuring the security of the processing, it acknowledges that "This data may also be used ex post when a data breach (in particular through unlawful consultation, transmission or use of data) is detected and the data controller is seeking to establish responsibility."
The counterpart to this is the employer's obligation to inform users authorised to access the processing operation that the logging system has been set up, of the nature of the data collected and of how long it will be kept. As an example of how to provide this information, the CNIL cites a notice given at the time of authentication when accessing the data processing system.
In conclusion, the decision of 9 April 2025 by the Social Division of the Court of Cassation is incomprehensible.
The decision of the Agen Court of Appeal, overturned by the Court of Cassation, shows that the concepts of the GDPR were already poorly understood.
With regard to the concept of personal data, the Court of Appeal gave inadequate reasons for its decision, stating that "a class B IP address which corresponds to a local network address [which] only identifies devices in the local network and not a physical person". It did not apply the GDPR, stating that "no declaration to the CNIL is required" without addressing the question of the legal basis for the processing.
It should be noted that the Court of Cassation's decision of 9 April 2025 has not been published in the Bulletin, which does not make it a ruling of principle. It creates a legal uncertainty that the Plenary Assembly will have to rectify, unless the matter is referred to the CJEU. Following this ruling, the case will be retried by the Pau Court of Appeal.
From an operational point of view, our advice to companies is to check that their IT charter is up to date, and to review how they inform their employees about the individual monitoring of their activity and their process for seeking and using digital evidence. The IT charter remains a key document and should be drawn up in collaboration with the IT Department, the CISO, the DPO and the Human Resources Department. In this case, the employer's IT charter dated from 2015 and had not been updated.