The Court of Appeal in Aix-en-Provence (the “Court”) held in a judgement of 6 September 2011 that the refusal of an employee to use the new version of a software program which had not been notified with the French Data Protection Authority (the “CNIL”) did not give his employer grounds to terminate his employment contract.
In this case, the claimant was employed by the Association for the Protection of Children, Adolescents and Adults (the “Association”). The Association used a piece of software called EVA3 to encrypt data which had been collected from people who had received assistance from the Association. A new version of this software, EVA4, was installed in January 2007. The claimant refused to use this new version because (i) it no longer guaranteed the anonymity of people who had received assistance from the Association and (ii) the Association had not notified the CNIL of this modification to the software program.
The claimant was issued with two warnings about his refusal to use the new software program and was then dismissed from his position at the Association. The company stated that this was because of gross misconduct. The dismissed employee took his case to the Employment Tribunal (the “Tribunal”) in Nice. Amongst other things, he argued that his refusal to complete a task which was not his contractual responsibility and did not have appropriate legal and ethical safeguards did not amount to gross misconduct. The Tribunal disagreed with Mr Carton. The decision from Nice stated that his dismissal for misconduct was well founded. The Tribunal also noted that the considerations about whether or not the new software should have been notified to the CNIL were not relevant to the facts in issue.
The Court of Appeal disagreed with this analysis. In its decision, the Court held that such considerations did have a place in the discussion about whether there were real and serious grounds for the dismissal. The Court also stated that the Association was obliged to notify the CNIL of the modification to the software program which affected the treatment of personal data.
The Court of Appeal therefore declared that the refusal of the employee to input into the software program identifiable information concerning people who had benefitted from protection measures did not constitute a valid reason for dismissal. As a result, the dismissal of the claimant was without real and serious cause and, as such, should not have occurred.
This decision echoes with previous case-law, where it has been held that personal data processing cannot be used as a ground for dismissal or other disciplinary actions against an employee if the data processing is not compliant with data protection requirements (see for an illustration: Cour de Cassation Ch. Soc. 6 April 2004 N 01-45227 and the use of timekeepers which were installed in breach of data protection rules against an employee).
Recommendation: Unless exemptions apply pursuant to the French Data Protection Act, companies are required to notify (i.e. register) their data processing activities. Employees cannot be sanctioned or dismissed on the grounds that they refuse to use a system which is not compliant with the French data protection requirements.