← All articles

consultant

GDPR rights at work: only the individual has standing (Cass. crim., Jan 13, 2026)

France’s Supreme Court held that a company cannot invoke employees’ GDPR rights to challenge a seizure: only the data subjects themselves have standing. A key takeaway for DSAR and DPO response workflows.

At a glance — On 13 January 2026, France’s Supreme Court (Criminal Chamber) held that a company cannot rely on employees’ GDPR rights to challenge a seizure: only the data subject has standing. A key lesson for access requests (Art. 15) and DPO response.

The case

On 13 January 2026, the Criminal Chamber ruled on several appeals concerning dawn raids and seizures carried out under the supervision of the liberty and custody judge in antitrust investigations. Central question: may a company invoke its employees’ data‑protection rights to obtain annulment or return of seized documents (mailboxes, files) relating to them? Answer: no. The Court held that “only the employee has standing” to invoke an interference with privacy and GDPR rights; the employer cannot do so in their stead (Cass. crim., 13 Jan 2026, No. 24‑82.422, published). The companion rulings reiterate judicial control over the lawfulness, necessity and proportionality of digital seizures (Cass. crim., 13 Jan 2026, No. 24‑82.390, published).

Legal reasoning

  • GDPR basis. Data subject rights (Arts. 12–22 GDPR) belong to the natural person, not the employer. The controller must respond “to the data subject” within one month (Art. 12(3)), with limited refusal grounds (Art. 12(5)). Luxembourg’s CNPD reiterates these rules (Chapter III; access right guidance). Sources: CNPD — Chapter III and CNPD — Access right. For a broader framework, see Chapter III of the GDPR.
  • Standing. The Court ties standing to the data subject themself. In No. 24‑82.422, it dismissed a company’s claim based on alleged interference with employees’ data‑protection rights to challenge the seizure. Source: Legifrance — 24‑82.422.
  • Balancing with public interests. No. 24‑82.390 clarifies that review must balance fundamental rights (data protection, privacy) against antitrust enforcement needs; mailbox seizures are permissible subject to necessity and proportionality. Source: Legifrance — 24‑82.390.
  • Authorities’ stance. CNPD: requester identification, one‑month deadline, channels and limits, complaint options. EDPB: updated (25 June 2026) digest on objection (Art. 21) and erasure (Art. 17): traceability, timelines, propagation to processors. Source: EDPB.

What this changes in practice

  • DSARs and litigation. An employer cannot invoke employees’ access/objection rights to block a court‑authorised seizure; only the data subject may act via their own remedies. Source: Legifrance — 24‑82.422.
  • Internal workflows. Design “data subject rights” processes for employees and alumni: authentication, scope of copies, third‑party redaction, decision logs, timelines (Art. 12(2)–(5)). To structure these workflows, support from a certified DPO can accelerate compliance.
  • Mail and HR repositories. Seizures may target corporate mailboxes/files; document inventories, legal bases and retention, and prepare selective exports aligned with data minimisation — proportionality is assessed by the judge, not via an employer’s proxy objection. Source: Legifrance — 24‑82.390.
  • Luxembourg. GDPR rules are uniform; CNPD confirms one‑month timelines, identification and traceability. Ensure you handle requests directly from employees/former employees without routing through the employer. Source: CNPD — Access right.
  • Processor chain. Contractually define assistance with rights (Art. 28): forwarding, timelines, evidence; rights exercise remains personal — answer the employee requester unless you have an explicit mandate. EDPB best practices: traceability and propagation. Source: EDPB.

Common pitfalls

  1. Undocumented proxy. Responding to an access request sent by a line manager “on behalf of” an employee, without a verifiable mandate. Solution: require a mandate or reply directly after ID verification. Source: CNPD — Chapter III.
  2. One‑month deadline missed. Late replies due to unclear workflows and intake points (HR, DPO, helpdesk). Solution: a single channel, internal SLAs, documented extensions (+2 months max). Source: CNPD — Chapter III.
  3. Insufficient redaction. Providing emails with third‑party data without minimisation. Solution: extract, filter, anonymise/pseudonymise where needed; justify redactions.
  4. “Employer as representative” confusion. Trying to block a seizure by invoking “employees’ rights” as if the company held them. The 13/01/2026 ruling excludes this. Source: Legifrance — 24‑82.422.
  5. Unaligned processors. Failing to propagate erasure/objection to vendors (SaaS, payroll, HRIS). Solution: assistance clauses (Art. 28), sync registry, evidence, DPO checks. Source: EDPB.

Official sources

Practical note

Facing a seizure or DSARs from employees/alumni? Align procedures: requester identification, direct reply within one month, full traceability, and refusals only under Art. 12(5). The 13 Jan 2026 ruling bars employers from pleading “employees’ GDPR rights” to challenge a measure — the rights are theirs, not yours. For operational support, consider a DPO mandate and DSAR coordination, and feel free to contact us.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →