[Publication] Protection of privacy at work in France

BANNER-PAGE

April 16th, 2021 – Protection of privacy at work in France

Article 9 of the French civil code guarantees everyone respect for their private life and article L. 1121-1 of the French labor code further states that “No one may restrict the rights of individuals and individual and collective freedoms in a way that is not justified by the nature of the task to be performed or proportionate to the goal sought.

Given this legal framework, how much leeway does the employer have at the different stages of the employment relationship: during the hiring and the recruitment process, during the performance of the employment agreement and in respect of the termination of the employment agreement?

  1. Respect for privacy during the hiring and recruitment process

In France, every potential employer must respect the following principles:

  • the information requested from the applicant, in any form whatsoever, must be for the sole purpose of assessing his or her ability to carry out the proposed job or to assess his or her professional skills. In other words, no information that is of a private nature  must be requested;
  • the applicant must be informed of the recruitment methods and techniques used before their implementation;
  • no candidate can be excluded from a hiring process for discriminatory reasons (g. sex, sexual orientation, age, family status or pregnancy, genetic characteristics, political opinions, trade union, religious beliefs, etc.)

Given the above, it is possible to:

  • consult publicly available resources (social media accounts, blogs and/or other information available through a search engine). In theory, only information relevant to the position must be accessed and the applicant must be informed prior to such consultation. However, in our internet age, it is not uncommon for candidates to be “Googled” and their profiles examined, including their personal social media without the applicant being informed – in theory this is unlawful;
  • check references with the applicant’s prior consent. All references/enquiries should be relevant to the position;
  • conduct candidate testing (personality & other aptitude) as long as tests are relevant for the job;
  • check the applicant’s driving licence should it be necessary for the position applied for;
  • check the applicant’s criminal record (e. review of criminal convictions and offences) which can be provided by the candidate upon request of the employer, as a criminal record can only be requested by the person to whom it relates. Such request must be justified by the nature of the job and/or the context in which it is carried out. However, a prior conviction does not necessarily prevent a person from holding a position unless the conviction is incompatible with the job for which the person is applying. The applicant has no obligation to provide his or her criminal record it being specified that, in theory, refusal to provide it cannot exclude the applicant from the hiring process. For positions subject to specific accreditation (agrément) from the administration, the employer does not have to request the criminal record as the necessary checks are carried out by the administration before the approval is issued.

Conversely, it is not possible to:

  • require the candidate to undergo a medical examination at the recruitment stage. A medical examination is possible only after recruitment in compliance with applicable rules. For certain categories of employees (employees assigned to night shifts, employees under 18 years of age, employees exposed to specific biological agents, etc.), the visit must take place before their assignment to the position;
  • conduct alcohol or drug testing prior to the hiring. It would however be possible to conduct such testing after hiring if provision for testing is required by the employer’s internal regulations but only for those employees for whom drug use constitutes a major danger for their or other employees’ safety (g. employees who drive vehicles, handle hazardous materials, etc.). The prior consent of the employee is required. In any case, such tests should be restricted to those employees occupying positions at risk or whose behaviour suggests the use of drugs or alcohol.

For the purposes of recruitment, the employer is entitled to collect additional information to comply with its legal obligations (e.g. the applicant’s social security number for mandatory social security declarations) or for the smooth functioning of human resources services  (e.g. identification of  beneficiaries of employees for health pension benefits, contact information in case of emergency, etc.).

In any case, processing of personal data during the hiring and recruitment process should be included in the personal data privacy policy for job applicants/employees and registered in the record of processing activities in compliance with the General Data Protection Regulation (GDPR). All information collected about the applicant/employee must be treated as confidential which means that access must only be granted to people who are so authorized for the performance of their duties and also, strictly within the limits of their employment responsibilities (e.g. human resources services).

  1. Respect for privacy during the performance of the employment agreement

The employer has the right to control and monitor employees’ activity during working hours providing that the monitoring system and techniques (e.g. badging, geolocation, video camera, tracking of the internet connections, etc.) implemented are proportionate to the intended purpose. So, for example, the use of video cameras in the workplace must be justified by the need to protect persons and goods.

Such implementation is subject to the following procedure:

  • prior information to, and consultation with, the staff representatives (Social and Economic Committee);
  • prior information to each of the employees concerned. In accordance with GDPR provisions, employees must be informed of the objectives, the legal basis of the system, the recipients of the personal data, the length of time the data will be kept, their right to object on legitimate grounds, their rights of access and rectification and their right to file a complaint with the French data protection authority (CNIL).

In addition, certain of these measures should be included in the internal regulations, if non-compliance may lead to disciplinary actions.

Failure to implement the abovementioned procedure does not allow the employer to use the information illegally obtained as evidence against the employees. In other words, disciplinary measures taken on this basis are unlawful.

Here again, any monitoring device which allows the employer to access the activity of the employees must be registered by the employer in the GDPR records of processing activities and when appropriate, be the subject of a data protection impact assessment.

The employer is also entitled, for compelling reasons (such as health and safety or if several objects/materials have gone missing from the workplace), to organize a search:

  • of employees’ bags or even carry out body searches. Searches require the prior consent of the employee other than in exceptional circumstances (such as regular bomb threats against the company following a sequence of terrorists’ attacks). The employee must also be informed that he or she can demand a witness. If the employee refuses to be or to have his or her belongings searched, the employer may call in the police;
  • of employees’ individual lockers in their presence in those cases (and subject to  the conditions) provided for in the internal regulations. Employees must be informed prior to the search and the opening must be done in the presence of the employee concerned. However, the French Supreme court has ruled that the locker can be opened in the absence of the employee if the latter has been informed sufficiently in advance.

In any case, these searches must be carried out under conditions that preserve human dignity and integrity.

Regarding correspondence via the work e-mail address and files stored on the employee’s work computer, specific rules apply as follows:

  • emails identified as “personal” or “private”, stored on the work computer or received at the work email address are qualified as private correspondence and as such cannot be viewed by the employer, even in the presence of the employee. Recently the French Supreme Court ruled on messages exchanged by an employee via an instant messaging system provided by the employer which were forwarded to another employee’s mailbox, to which the latter’s secretary had access. For the Court, these messages which included insulting and degrading remarks towards superiors and subordinates, as well as numerous criticisms of the company’s organization, strategy and methods were related to the business of the workplace. Thus, such messages can lead to disciplinary actions if they are not identified as “personal” which in practice can be a trap for employees who are unlikely to identify every message they send as “personal” or “private”;
  • all files, documents and folders stored in the workplace, whether on paper or on a computer, are presumed to be of a business nature. They may therefore be freely accessed by the employer unless they are expressly identified as “private” or as “personal” files, in which case they may only be accessed by the employer in the presence of the employee.

However, in the event of a legitimate reason (e.g. suspicion of unfair competition), the employer may take legal action to have a judge order investigative measures and appoint a bailiff to allow the employer to review messages or documents identified as “personal” or “private” in the presence of the employee. This legal action can be brought by the employer without prior notice to the employee to avoid the risk of evidence destruction.

  1. Respect for privacy and termination of the employment agreement

In theory, an event occurring outside working hours and the workplace and relating as such to an employee’s private life cannot constitute misconduct for which disciplinary measures may be imposed by an employer unless such an event generates a disruption within the company, or constitutes a breach of a contractual duty, or is work-related.

(i) Disruption within the company

In order to assess the level of disruption, the position of the employee as well as the corporate purpose of the company and the impact the event in question may have for the latter must be taken into account.

Examples of disruptions deemed sufficiently real and serious cause to justify dismissal are:

  • an employee unable to perform his duties due to the withdrawal/suspension of his driver’s license;
  • an executive sales employee in a bank (and bound, as such, by a particular probity obligation) being prosecuted for recognized offences of infringement of other people’s property;
  • an employee convicted for the rape of a minor whose mother was also an employee, which conviction had aroused strong emotions amongst his colleagues. A psychological unit had been set up by the employer to provide support for the employees in the department of the convicted employee.

It should be noted that, in the cases referred to above, the employees were not dismissed for the actual event or misconduct and the employer did not take any disciplinary actions for these behaviors which were only related to private life. The employees were dismissed for real and serious cause given the impact of such behaviors/events had on the company’s employees or reputation and more generally on the smooth running of the business.

(ii) Breach of a contractual duty

Employers have been found to be able to dismiss an employee:

  • who performs during paid holidays similar tasks for a competitor which operates in the same field of business and in the same geographical area as the employer, as this constituted a breach of the duty of loyalty involved in any employment relationship;
  • whose position is safety sensitive at an airline company and takes drugs during stopovers, as such conduct constitutes a breach of the security obligation;
  • who breaches her confidentiality obligation by sharing on her Facebook page confidential commercial data, namely the photograph of the future clothing collection of her employer’s brand although the access to this page was restricted to her friends, since some of these friends could have worked for a competing company. Although the employer cannot access the private Facebook page of an employee, the employer was tipped off by one of the employee’s colleagues who was also a friend on Facebook. In this case, there was no invasion of privacy by the employer so that disciplinary measures could be taken.

(iii) Work-related events

The dismissal of an employee can also be justified for facts/events committed outside working hours and the workplace that do not disrupt the company or constitute a contractual breach.

Employers have been found to be able to dismiss an employee who:

  • uses the truck provided by the company to commit a burglary during the week-end;
  • threatens and insults colleagues during a trip organized by the employer in order to reward the winning employees of a national challenge organized within the company;
  • sent messages to another colleague via the instant messaging system of the company which included insulting and degrading remarks towards superiors and subordinates, as well as numerous criticisms of the company’s organization, strategy and methods.

It appears from the decisions of the French Supreme Court that employees are no longer totally secure in their privacy and that their actions outside of working time and the workplace can have an impact on their work life.

In particular, the rise in the use of social networks requires great vigilance by employees who need to clearly separate their private and work life to avoid any impact on their career, such as limiting access to their accounts on social networks to their friends only, and excluding their work colleagues who could forward their comments to the employer. Written criticism of the employer addressed to their colleagues should be avoided and use of a personal email account or a private instant messaging system or even their own personal phone is recommended to ensure that private exchanges will be kept private.

For its part, the employer must also be careful when dismissing an employee for events that relate to their private life. The employee could argue that the dismissal is null and void either on the basis it violated a fundamental right or was discriminatory, in which case, the employee could request damages as well as a reinstatement of his or her position and payment of lost wages between the dismissal and the reinstatement. This could have a significant financial impact given the usual length of the procedure before the French labor jurisdictions.

Joëlle Hannelais, partner,

and Sarah Machrhoul Lhotellier, associate.

Download the PDF here: VA – Protection of privacy at work in France