Conseil d’État, 30 July 2025, No. 495234
A “salarié protégé” (an employee with statutory protection against dismissal), employed as a data manager, had temporarily set up an automatic redirection of all emails from his professional account to his personal addresses.
The employer treated this as a breach of contractual duties and of the company’s security rules for safeguarding personal and sensitive data. Disciplinary proceedings were initiated, and authorization to dismiss the protected employee was obtained from the labor inspectorate and later confirmed by the Minister of Labor.
The administrative tribunal, followed by the court of appeal, annulled that authorization. The appeal court found that the employer had failed to show any attempt by the employee to misappropriate sensitive data for third parties or illicit purposes, or that the conduct had caused actual harm to the company. The court further noted that the employee’s stated aim was to “ensure the integrity of his electronic communications” in a context of “serious internal tensions and distrust of certain union representatives,” and highlighted his long service and clean disciplinary record.
The Conseil d’État disagreed. It held that, even absent any intent to misappropriate data, the redirection “was liable to compromise personal data,” a risk of which the employee, given his functions, was fully aware. The court emphasized that contractual amendments expressly recorded his acknowledgment of “the confidentiality of the personal data to which his position gave him access” and his undertaking “to take all necessary precautions (…) in the exercise of his duties to protect the confidentiality of the information to which he had access.”