M. [E] – Court Ruling (France, 2025)

The controller, IGC, a French construction company, hired the data subject, M. [E], as a branch manager on 8 July 2004. The controller dismissed the data subject for gross misconduct on 16 December 2019. The controller relied upon an IP address captured in IT log files as evidence of serious misconduct. The data subject contested the dismissal. The Agen Court of Appeal accepted the controller’s evidence and upheld the data subject’s dismissal on 10 January 2023. The data subject appealed the Agen Court’s judgment to the Court of Cassation (highest appeal court for civil and criminal cases in France). The Court analysed whether an IP address captured in IT log files is personal data within the meaning of Article 4(1) GDPR and whether a controller's use of those logs to identify an employee for disciplinary control is lawful under Articles 5 and 6 GDPR. On 9 April 2025, the Court of Cassation firstly reaffirmed that IP addresses are personal data as they allow the indirect identification of a natural person within the meaning of Article 4(1) GDPR. Secondly, the Court of Cassation noted that processing must be lawful, fair and transparent as per Article 5(1)(a) and purpose bound as per Article 5(1)(b) GDPR. In this case, the Court found that the controller processed the IP address in the IT logs for the purpose of individual discipline measures and that the data subject did not consent to the controller using the IP address in the IT logs for that purpose. The Court of Cassation deemed the processing not to be in compliance with Article 5(1)(a) GDPR and Article 5(1)(b) GDPR. Therefore, the Court quashed and annulled the Agen decision in full. The Court referred the case back to the Pau Court of Appeal. Finally, the Court of Cassation ordered the controller to pay €2,000 to the data subject.