Lessons from Recent French Case Law on Data Access Requests
Authoritative legal analysis for executives and legal departments
Executive Summary
Recent French case law has clarified an increasingly important question for employers operating under the General Data Protection Regulation (GDPR):
Can a former employee demand access to their entire professional email history under the GDPR right of access?
Two recent decisions help answer that question:
- A ruling of the French Court of Cassation (Social Chamber, June 18, 2025, No. 23-19.022)
- A later decision of the Paris Court of Appeal (December 18, 2025)
Together, these decisions establish an important legal balance:
- Work emails can constitute personal data under GDPR
- But the right of access does not automatically entitle employees to obtain complete copies of all professional communications
This distinction has significant implications for companies responding to employee Data Subject Access Requests (DSARs).
Understanding the GDPR Right of Access
Under Article 15 of the General Data Protection Regulation (GDPR), individuals have the right to obtain confirmation from a data controller as to whether their personal data is being processed and, if so, to access that data.
The right of access allows individuals to:
- Verify the lawfulness of data processing
- Confirm the accuracy of personal data
- Request rectification or deletion where appropriate
However, the GDPR right of access concerns personal data, not necessarily the documents in which that data appears.
This distinction is central to recent French case law.
Are Professional Emails Personal Data?
In its decision of June 18, 2025, the French Court of Cassation (Social Chamber) addressed whether emails sent or received by an employee through a professional mailbox qualify as personal data.
The Court held that:
- Emails sent or received through a professional email account may constitute personal data within the meaning of Article 4(1) GDPR.
- Employees may therefore exercise their right of access regarding those emails.
- Employers may need to provide metadata (such as timestamps or recipients) and content, unless disclosure would infringe the rights and freedoms of others.
This decision confirmed that workplace communications can fall within the scope of GDPR when they relate to an identifiable employee.
However, the ruling did not establish an unlimited right to access entire email archives.
The Strategic Use of Data Access Requests in Employment Disputes
In practice, many employee access requests arise in sensitive contexts such as:
- termination disputes
- severance negotiations
- labor litigation
In these situations, employees may request access to large volumes of corporate communications.
This strategy aims to obtain potential evidence for litigation by relying on GDPR data rights rather than procedural disclosure rules.
Some practitioners refer to this phenomenon as “GDPR-based discovery.”
This growing trend has forced courts to clarify the limits of Article 15 GDPR in the employment context.
The Paris Court of Appeal Clarifies the Limits of Email Access
A later decision from the Paris Court of Appeal on December 18, 2025 addressed the scope of such requests.
The case involved an employee dismissed for professional insufficiency who requested:
- the complete contents of his professional mailbox, and
- the files stored on his work computer.
The employee argued that because his name and email address appeared in these communications, they necessarily constituted his personal data.
The Court rejected this argument.
According to the ruling, the purpose of the GDPR right of access is to allow individuals to verify the legality and accuracy of personal data processing not to obtain copies of all professional correspondence.
The Court emphasized an important principle:
The mere presence of an employee’s name or email address in a message does not transform the entire document into personal data belonging to that employee.
In many cases, the only personal data involved is simply the employee’s identification.
As a result, employees cannot demand the disclosure of entire corporate communications solely because they appear as sender or recipient.
Reconciling the Two Decisions
At first glance, the two rulings may appear contradictory.
In reality, they address different aspects of the GDPR right of access.
What the Court of Cassation established
- Work emails can contain personal data
- Employees may request access to those data elements.
What the Paris Court of Appeal clarified
- The right of access concerns personal data, not necessarily the documents themselves
- Employers are not required to disclose complete email archives simply because they contain identifiers.
Together, these decisions establish a balanced interpretation of Article 15 GDPR.
Practical Implications for Companies
The decisions provide important guidance for organizations responding to employee data access requests.
Companies should remember that:
1. Not every professional document is personal data
The presence of an employee’s name in a communication does not automatically transform the entire document into personal data.
2. The obligation concerns personal data, not necessarily documents
Employers may provide the relevant personal data extracted from documents, rather than the entire documents themselves.
3. The rights of third parties must be protected
Disclosure may be limited where it would affect:
- trade secrets
- confidential business information
- other employees’ personal data
This limitation is explicitly recognized by the GDPR.
4. Responses to DSAR requests must be documented
Even when refusing to disclose documents, employers should be able to demonstrate that they:
- identified the relevant personal data
- assessed the request
- responded in compliance with GDPR obligations.
Why Data Governance Matters More Than Ever
These cases illustrate a broader reality for modern organizations.
Employee data access requests are increasing across Europe, particularly in the context of employment disputes.
Companies that respond effectively typically have:
- a clear data governance framework
- documented GDPR compliance procedures
- structured DSAR response processes
Organizations without such systems often face significant operational and legal challenges when responding to large-scale data access requests.
Key Takeaways
For employers operating under GDPR:
- Professional emails can qualify as personal data
- Employees may request access to personal data contained in those emails
- However, Article 15 GDPR does not grant a general right to obtain entire email archives
- Employers must balance data access rights with the protection of third-party rights and corporate confidentiality
The evolving case law highlights the importance of structured data governance and legally sound DSAR response procedures.
Sources : https://www.courdecassation.fr/decision/69450ecb75782d5f06ade99c
