A company cannot invoke an infringement of its employees’ privacy to challenge a seizure carried out by the French Competition Authority.
The Criminal Chamber of the Court of Cassation states this in a ruling dated January 13, 2026, reaffirming a decision from 2024.
The applicant underwent a search and seizure in November 2022, as did several other firms. The aim was to uncover evidence of anticompetitive practices in the dairy supply sector.
The appeal in cassation had been unsuccessful. The court had excluded any application of the GDPR to the seizure of personal data in such operations. More precisely, once the juge des libertés et de la détention (the judge in charge of liberties and detention) had given its blessing to the procedure, supervised its execution, and the matter remained subject to potential cassation. These conclusions, however, were based on a 2011 line of jurisprudence, which left room for a potential opening.
The argument was in any event invoked in cassation: that jurisprudence could not be applied to the GDPR, as it concerned the law as it stood prior to the Regulation’s transposition (which occurred in 2018).
By referring to its 2024 ruling, the Court of Cassation effectively rejected the argument. It further held that only the employee may challenge a seizure that infringes on privacy or personal data. Indeed, the employee is the sole holder of the rights guaranteed by the GDPR in this regard.
To consult in addition:
The professional emails are accessible to (former) employees under the GDPR
AI and GDPR: the CNIL plays the genealogist
Digital regulation: in 2025, the EU has eased up
Why the CJEU did not invalidate the Data Privacy Framework
