Access to professional email accounts: the struggle between GDPR data subject access rights and the right to evidence before French courts

Nicolas Moreau
Bignon Lebray, Paris
nmoreau@bignonlebray.com

French employment law has recently seen the General Data Protection Regulation (GDPR) emerge as a procedural lever in labour disputes. Since becoming applicable on 25 May 2018, the Regulation has required employers, as data controllers, to respond to requests made by data subjects. Among the rights it grants is the right of access under Article 15: the right to obtain confirmation that personal data are being processed and to receive a copy thereof, including the content of the messages and their technical metadata. Initially intended to enable individuals to verify the lawfulness of data processing, this right has become a tool for employees seeking to build a case against their employer.

The mechanism is simple: the employee invokes the GDPR to obtain access to their professional mailbox without having to justify a specific purpose or meet the procedural requirements of Article 145 of the French Code of Civil Procedure, under which a party seeking a pre-trial measure must establish a legitimate purpose and show that the measure is necessary and proportionate. The GDPR, thus, appears, at first sight, to bypass those safeguards.

This shift followed a major ruling by the French Supreme Court (Cour de Cassation) on 18 June 2025, which held that the content of professional emails constitutes personal data and, therefore, falls within the scope of the GDPR. Lower courts then sought to contain this instrumentalisation of the GDPR by reintroducing necessity and proportionality. The Paris Court of Appeal went further in a landmark decision issued on 18 December 2025, which openly diverged from the Supreme Court’s reasoning and attempted to end the use of the GDPR as a procedural weapon in employment disputes.

The opening of the right of access: the GDPR as a new evidentiary instrument

The ruling delivered by the Cour de Cassation on 18 June 2025^[1] significantly altered French employment litigation. By recognising a broad right of access to professional emails on the basis of the GDPR, the Cour de Cassation opened a new evidentiary avenue for employees.

The recognition of a near-absolute right to disclosure by the Cour de Cassation

Under the GDPR, personal data is any information relating to an identified or identifiable natural person. On that basis, the Cour de Cassation held that emails sent or received through a professional email account are, by their nature, personal data. The employer must therefore respond comprehensively to access requests, and the right of access extends not only to metadata but also to the full content of the messages. The only possible limitation is where disclosure would adversely affect the rights and freedoms of others. Even then, such concerns cannot justify a total and unreasoned refusal.

The implications for employers and human resources departments are substantial. The professional mailbox is no longer merely a company tool, but a repository of personal data to which the employee has a right of access. A failure to respond, or an incomplete response, may engage the employer’s liability. Confidentiality concerns involving clients, trade secrets or strategic information may still justify restrictions, but only if expressly invoked and substantiated.

The initial case law’s indifference to the purpose of the request

The significance of the ruling also lies in the absence of any condition relating to the employee’s purpose. Yet the right of access was designed primarily to allow data subjects to verify the lawfulness of the data processing, not to gather evidence for litigation. By refusing to make the exercise of that right dependent on such a purpose, the Court validated a use of the GDPR that departs from its original rationale.

Relying on the case law of the Court of Justice of the European Union, the Cour de Cassation recalled that the right of access is not conditional upon the requester’s motive, even where the request is unrelated to verifying the lawfulness of the data processing.

This indifference to purpose altered the balance between the parties. Employers could be required to disclose exchanges involving trade secrets, confidential client information or strategic company data, without prior judicial review of the scope, relevance or necessity of the request. It was this shortcut that prompted the lower courts to react.

Regulating the right of access: in search of a proportionate balance

Faced with this broad interpretation by the Cour de Cassation, the lower courts quickly sought to regulate the use of the right of access by reintroducing proportionality and necessity.

The rejection of blanket and indiscriminate disclosure

A first major response came from the Paris Court of Appeal on 13 November 2025.^[2] In this case, a dismissed employee sought disclosure of his entire professional mailbox over a three-year period, his connection logs and a disputed recording, relying both on Article 145 of the French Code of Civil Procedure and on Article 15 of the GDPR.

The Court of Appeal rejected the idea that the GDPR could be used to obtain documents already known to the employee in the course of his work. In its view, the Regulation is not intended to allow the wholesale copying of professional correspondence in which the employee participated. Within a professional mailbox, only identifying elements, such as the employee’s name and professional email address are personal by default. The content of exchanges is not automatically personal data unless the employee establishes their personal nature. In the absence of evidence of unlawful or inaccurate processing, the employer’s refusal to disclose the full mailbox did not amount to a breach of the GDPR.

This ruling reflected a broader trend: other French labour courts likewise held that the GDPR could not be used to pre-constitute evidence and rejected excessive requests concerning email accounts and IT logs.

The requirement of a direct link between the data sought and the alleged dispute

However, the lower courts did not exclude access altogether, but confined it to the framework of the Code of Civil Procedure and to requests directly connected to a clearly identified dispute.

In the 13 November 2025 case, the employee alleged breaches relating to working time. The Court accepted that this could constitute a legitimate purpose, but subjected the request to a strict review. Only documents strictly indispensable to proving the claim could be disclosed. Any material lacking a direct connection had to be excluded. The Court also limited disclosure to the relevant period and protected third-party rights by requiring the anonymisation of personal data and excluding attachments. It further took account of technical constraints, refusing to order the production of connection logs beyond the 90-day retention period available to the employer’s provider.

Taken together, these decisions define a regulated conception of the right to evidence: the disclosure of a professional mailbox is neither automatic nor unconditional. It depends on the employee establishing a precise, necessary and proportionate evidentiary need.

The landmark ruling of 18 December 2025: putting an end to the use of the GDPR as a ‘weapon’

The Paris Court of Appeal’s decision of 18 December 2025^[3] marks the strongest judicial resistance to the expansive reading adopted by the Cour de Cassation. Widely noted in legal commentary, the ruling directly challenges two pillars of that approach: first, the existence of a legitimate purpose where the request is disproportionate and, second, the qualification of the content of a professional mailbox as personal data.

The rejection of legitimate purpose in the face of a disproportionate request

The case concerned an accounting inspector hired in 2024 and dismissed one year later for professional inadequacy. The employee sought compulsory disclosure of his entire professional mailbox, as well as folders labelled ‘private and personal’.

The Court of Appeal first examined whether the requested measure was truly necessary. It noted that the dismissal letter, which was seven pages long, set out in detail the errors attributed to the employee. In the Court’s view, this explanation was sufficient to enable the employee to prepare his defence without obtaining his entire mailbox. The requested measure was, therefore, not indispensable.

The Court also relied on the employee’s annual appraisal, conducted three months before his dismissal. That review had already identified shortcomings, yet the employee had not then complained of being subject to an excessive workload or irregular working hours. Another practical consideration reinforced the refusal: the employee had retained full access to his mailbox between the summons to the pre-dismissal meeting and the notification of his dismissal, a period of 19 days that the court considered sufficient for him to preserve useful material. Finally, the proportionality requirement weighed heavily because of the employee’s duties: as an accounting inspector, he had access to sensitive information. Blanket disclosure, therefore, risked exposing professional secrets.

The burden on the employee to prove the personal character of the emails

The 18 December 2025 ruling is especially striking because it challenges the very legal characterisation adopted by the Cour de Cassation. Whereas the Supreme Court had considered professional emails to be personal data by their very nature, the Court of Appeal took the opposite view.

It held that the content of electronic communications sent or received in the course of professional activity does not, in itself, constitute personal data within the meaning of the GDPR. Such content is, first and foremost, a work tool already known to the employee during the execution of the employment contract. The purpose of the right of access, allowing individuals to verify the accuracy of their data and the lawfulness of their processing, is not fulfilled by a request aimed at recovering an entire professional mailbox. In the absence of proof of unlawful or inaccurate processing, such a request falls outside the purpose of the Regulation.

The consequence is a major shift in the burden of proof. Rather than requiring the employer to disclose the full content of the mailbox, the Court of Appeal held that it is for the employee to establish the personal character of the emails or documents sought. Failing such proof, the only elements recognised by default as personal data are identifying data such as the employee’s name, surname and email address. The facts of the case illustrated this reasoning: the folders labelled ‘private and personal’ were found to contain backup files connected with professional assignments. A folder title such as ‘private’ was, therefore, insufficient to transform professional content into personal data.

Conclusion

For practitioners, the lessons from the ruling issued by the Paris Court of Appeal on 18 December 2025 are clear: employees can no longer expect broad and indiscriminate disclosure of entire mailboxes. They must define their requests precisely and demonstrate a direct, necessary and proportionate connection between the material sought and the dispute at hand. Employers, for their part, should anticipate such requests by documenting what has already been disclosed, by invoking trade secrecy and the protection of third-party rights where appropriate and by proposing credible, supervised alternatives to unrestricted disclosure.

This judicial resistance now calls for clarification from the Cour de Cassation. The question is whether the Supreme Court will maintain its broad conception of professional emails as personal data, or whether it will align itself with the pragmatic approach developed by lower courts in order to preserve a fair balance between privacy protection and the integrity of judicial proceedings.