


Can employers monitor and process employees’ IP addresses? The French Supreme Court casts doubt


published on 30 May 2025 | reading time approx. 8 minutes


In a widely discussed and already criticized ruling dated 9 April 2025, the French Supreme Court (“Cour de cassation”) held that collecting an employee's IP address via a logging system should be regarded as processing of personal data, and that the legal basis for such processing is the consent of the employee.


This decision, which breaks with accepted practices in cybersecurity and IT system monitoring in employer-employee relationships, reflects a misinterpretation of the General Data Protection Regulation (GDPR) and raises significant concerns.

The case arose from a dispute between an employer and a former employee who was dismissed for gross misconduct after it was discovered that over 4,000 files had been deleted and professional emails transferred to personal accounts shortly before and after a preliminary agreement for a mutual termination.

The internal investigation, conducted by the IT manager and confirmed by a bailiff's report, relied on logging files that identified an internal IP address assigned to the employee's workstation. The employee challenged the validity of the bailiff's report, citing the absence of a prior declaration to the CNIL (French data protection authority), lack of consultation with the Social and Economic Committee (CSE), and failure to inform employees in advance.

The employer countered by referring to the existence of the company’s IT charter annexed to the internal regulations, which explicitly provided for activity logging within the information system.

The Court of Appeal had examined the nature of the IP address in question and concluded that, as an internal local network address, it only identified network-connected devices, not an individual. It had therefore ruled that the IP address should not be regarded as personal data, rendering the evidence admissible.

The French Supreme Court overturned this decision, correctly finding that an internal IP address, although assigned to equipment, indirectly identifies a natural person and thus qualifies as personal data. 

However, it surprisingly also ruled that using this IP address without the employee's consent, and for purposes different from those originally foreseen, rendered the evidence inadmissible.

By making such processing conditional upon the employee's explicit consent, the Court adopts a highly questionable approach, disconnected from the realities of IT monitoring in the workplace and from labor law and good practices. The Court appears to have ignored the legitimate legal bases usually applied to the monitoring of employees' activities. This ruling raises sensitive questions at the intersection of cybersecurity, labor law and the legal framework for personal data processing in employment relationships.

This case invites renewed reflection on certain notions previously thought to be well-established, including: 

  1. Whether a piece of data qualifies as personal (a question that apparently remains uncertain, even for courts);
  2. The appropriate legal basis for processing data collected through information systems.


1. Qualifying an IP address as personal data

This ruling provides an opportunity to revisit a long-debated question: is an IP address personal data? The differing analyses of the Agen Court of Appeal and the French Supreme Court illustrate the persistence of legal uncertainty, even among judges.

An IP address – an identifier assigned to a terminal within a computer network – does not, by itself, refer to a specifically named individual. Based on this reasoning, the Court of Appeal held that an internal IP address assigned to a workstation only identified equipment and not a natural person, thus ruling it out as personal data.

However, this interpretation, long supported by some practitioners, posed several problems: it contradicted the broad definition adopted by the CNIL, significantly curtailed data protection by excluding contextually identifying elements, and conflicted with both Constitutional Council and Court of Justice of the European Union (CJEU) case law.

The French Supreme Court, by contrast, aligns itself with the CJEU's position in the Breyer case (CJEU, 19 Oct. 2016, Case C-582/14), which held that an IP address constitutes personal data if it can be used to identify a person, even indirectly.

This position is consistent with civil chamber case law since 2016 and with the social chamber's stance since 2020. It is therefore unsurprising that the social chamber, acting ex officio, ruled that logging files, by enabling indirect identification of the employee, indeed constituted personal data processing under the GDPR.

But qualifying an IP address as personal data triggers the application of the GDPR, and thus the need for a valid legal basis for processing and the application of technical, organizational and legal measures. It is precisely here that the Court’s reasoning, initially on solid footing, becomes problematic: it identifies employee consent as the legal basis – a highly debatable choice in the context of labor law.

2. Misjudging the appropriate legal basis for data processing

While the French Supreme Court emphasizes the necessity of a lawful basis for data processing under the GDPR, its reasoning is ambiguous and ultimately flawed. 

The Court limits its analysis to consent, overlooking other legal grounds, and holds that the processing was unlawful because the employer processed the data without the employee’s consent for a different purpose, namely the individual monitoring of the employee’s activity, which was distinct from the original purpose for which the data had been collected. As a result, the evidence derived from this processing was deemed inadmissible.

Yet consent is neither the only nor the most appropriate legal basis in such an employer/employee relationship and context.

To begin with, further processing can be lawful if the new purpose is the same as or compatible with the original purpose.

Here, the Court appears to assume that the new purpose — namely, monitoring the employee’s activity — was different from or incompatible with the initial purpose, yet it never specifies what that alleged original purpose actually was.

Further, even if the purposes are neither identical nor compatible, the new processing may still be lawful if it is based on a distinct legal basis and complies with GDPR requirements.

Despite this, the Court inexplicably treats consent as the only available legal basis, without examining other alternatives.

This reasoning is flawed for several reasons:
  • First, the legal bases for processing listed in Article 6(1) GDPR (namely consent, contract performance, legal obligation, vital interests, public interest, and legitimate interest) form a complete and indivisible framework. Neither national courts nor domestic law may restrict their application by arbitrarily elevating one ground — such as consent — over the others. Each legal basis has equal standing and must be assessed in light of the context;
  • Second, this approach contradicts both CJEU and national case law, which consistently recognize that, in the context of an employment relationship (marked by a power imbalance), consent is unlikely to be freely given and is therefore generally unsuitable as a lawful basis;
  • Third, it disregards the CNIL’s own guidance: its practical guide on data security recommends implementing logging mechanisms to track user activity, technical interventions, anomalies, and security-related events — specifically to detect misuse or demonstrate compliance. In its guidelines on HR processing, the CNIL expressly states that processing operations designed to ensure the security and proper functioning of IT systems can rely on the employer’s legitimate interest as a lawful basis;
  • Lastly, relying on consent in an employment context poses major operational difficulties: it is burdensome to manage and, if refused or withdrawn, may render monitoring tools inoperative or unenforceable.

In short, not only is the French Supreme Court wrong to highlight just one of the GDPR’s six legal bases, it also errs by insisting on the one that is least suitable for the employment context.

Legitimate interest appears to have been the great absentee from this otherwise highly questionable decision, which one can only hope will remain isolated.

Key takeaways for employers

Given the presumably limited scope of this decision, employers should avoid rushing to change their legal basis for data processing, in view of the practical and legal consequences such a shift would entail.

Nonetheless, the ruling underscores the need to reinforce and document compliance, particularly by:

  • Conducting a legitimate interest assessment to ensure the processing does not override employees’ rights and interests;
  • Informing employees about the possibility of individual monitoring, the tools used, and the applicable legal basis (typically legitimate interest in detecting anomalies or enforcing discipline), through an information notice and an IT charter annexed to the internal regulations to give it binding effect;
  • Informing and consulting the CSE before introducing any employee monitoring tools (in companies with more than 50 employees);
  • Defining clear access rules for connection logs, retention periods, and response procedures in the event of an incident, in line with CNIL guidance;
  • Updating the data processing register to include this processing.

Provided the employer complies with legal and regulatory requirements, including informing employees of the processing and its purpose, and documenting compliance efforts, the admissibility of logging files collected and processed lawfully appears difficult to challenge in litigation.

Finally, employers should bear in mind that, beyond the specific labor law context of this case, the actions attributed to the employee — namely, the deletion of 4,000 files and the exfiltration of emails — are increasingly encountered in practice. 

Such conduct may also constitute serious criminal offenses, including unauthorized access to, or fraudulently remaining in, an automated data processing system (STAD), as well as fraudulent extraction, deletion, or modification of data.

Given the gravity of these potential violations, it is essential for employers to remain vigilant and ensure that appropriate legal and technical measures are in place. 

Should you require further advice or assistance in navigating these complex issues, we are at your disposal to support you.

DATA PROTECTION BITES

author


Frédéric Bourguet

Attorney at law (France)

Associate Partner


Raphaëlle Donnet

Attorney at law (France)

Associate


RÖDL & PARTNER FRANCE
