Emails sent or received through a professional messaging system are personal data… and a former employee has the right to access them under the GDPR.
A Cassation ruling establishes this jurisprudence. It grants the employer a possible refusal, but only when providing access would infringe the rights and freedoms of others.
The Court of Appeal Had Paved the Way
At the origin of the matter is a dismissal for sexist or sexually suggestive behavior. The person concerned had been hired in 2001 as development director at Duke, a marketing agency that would eventually come under Publicis. Most recently, he held the position of associate director.
In August 2018, a few months after his dismissal, the individual brought an action before the labor court. The latter ruled against him in November 2019, confirming the existence of a “real and serious cause.”
His appeal technically succeeded: in May 2023, the labor court decision was overturned. Among other reasons, on the grounds that the employer’s investigation was not sufficiently probative (abridged minutes, facts not corroborated by witnesses, elements produced without, however, proving that this resulted from employees’ desire to preserve anonymity, etc.).
The Court of Appeal had also condemned Duke/Publicis for GDPR non-compliance. More precisely, it addressed the right of access to processed personal data (Article 15). It held that emails sent or received by the employee through his professional mailbox constituted personal data. And, as such, the employer was required to provide both the metadata and the content, unless the elements to be communicated would be of a nature to infringe the rights and freedoms of others.
The former employee had indeed requested, in January 2019, the communication of all emails exchanged in the course of the execution of his employment contract. According to him, the employer had only partially complied with the request: only his contractual, health, and financial documents had been transmitted, with no justification for refusing the remainder.
In his appeal to the Court of Cassation in July 2023, Publicis primarily advanced that:
- The emails in question could not constitute personal data.
- The right of access to data did not entail a right of access to the documents containing those data.
- The Court of Appeal had deprived its decision of a legal basis by relying solely on the absence of transmission of the requested emails.
Responses in a 2022 CNIL Thematic Note
Until then, the Court of Cassation had not yet ruled on the interpretation of Article 15 of the GDPR in the context of a professional email.
Among other interesting elements, it referred to a CNIL thematic note from January 2022: “The Right of Employees to Access Their Data and to Professional Emails.” It states that:
- The right of access notably allows verifying the accuracy of data and, if necessary, correcting or erasing them.
- It applies only to personal data and not to the documents (which does not, however, bar communicating those documents).
- Its exercise must not disproportionately infringe the rights of others (trade secrets and intellectual property, the right to privacy, secrecy of correspondence, etc.).
- When the employee has already known the information contained in the messages in question, their communication is presumed to respect the rights of third parties. Anonymization or pseudonymization of the data is good practice, but not a prerequisite.
- If there is a risk to the rights of third parties, the employer must first attempt to delete, anonymize, or pseudonymize the concerned data. If that is insufficient, it must refrain from granting the access request, with justification.
- Emails identified as personal or whose content proves private even in the absence of an indication of personal nature are subject to special protection. The employer is not authorized to access them. They must be provided as is to the requester, provided that he is the sender or the recipient.
The specter of a Misuse of the Access Right
Several lines of case law have reinforced the Court of Cassation in the need to balance the protection of personal data with the safeguarding of other fundamental rights. Among them, a ruling delivered in 2023 in a case concerning the exercise of the right to proof of discrimination (a request for payroll slips of other employees).
In 2024, the Paris labor court ruled on the application of Article 15 of the GDPR. The case involved Opensee, which had, in the name of trade secret and correspondence, refused to communicate emails and Slack messages to a former employee dismissed for gross misconduct.
On that occasion, the court recalled that the right guaranteed by Article 15 aims to “provide the individual with sufficient, transparent, and readily accessible information about the processing of data.” But it does not aim to provide access to information for evidentiary purposes.
The Court of Cassation considered the analysis offered by a jurist—currently employed by Generali—of this decision. And, above all, her view on this “now fairly common” practice whereby a employee, most often dismissed, “diverts” the right of access to obtain evidence to document a labor-law case.
The Advocate General Was Not of This View
On this question of professional emails, the Advocate General recommended a partial cassation of the Court of Appeal’s ruling.
She did not challenge the idea that professional emails do contain personal data once they identify the recipient or sender. Nor that the right of access does not extend to the documents containing them.
For the rest, her reasoning diverges from that of the Court. The magistrate argues that the purpose of the GDPR is not to obtain a copy of the electronic correspondence which the employee has, by definition, accessed in full, and which contains as personal data only the identifying information (unless proven otherwise). She continues that one cannot, under Article 15, allow an employee to demand the entire scope of their professional mailbox for all years of employment—especially when the employee holds a senior position in a company, as in this case.
“We clearly see the interest that an unscrupulous employee could derive from obtaining a copy of all commercial or technical correspondence,” the Advocate General stated. She thus concludes that the Court of Appeal, in addition to failing to specify what harm the absence of access to this correspondence would have caused, violated Article 15…
Illustration
