In its decision of 1 December 20251, the French Conseil d’État reiterated that the existence of an internal investigation does not suspend the right of access provided for in Article 15 of the General Data Protection Regulation (GDPR). It stressed that the controller must respond to the request—subject to the exceptions set out in the Regulation—and comply with the applicable time limits. This solution, which is consistent with the European approach, has already been confirmed by the Court of Justice of the European Union (CJEU) in Addiko Bank (C-312/23, 27 May 2024), which requires personal data to be disclosed even where the request pursues an objective other than verifying the lawfulness of the processing.
I. The impossibility of issuing a blanket refusal to an access request where an internal investigation is ongoing
Article 15 GDPR guarantees any data subject access to their personal data. The Conseil d’État confirmed that the controller cannot simply refuse a request on the ground that an internal investigation is under way within the company.
According to the Conseil d’État, “the fact that personal data relating to an employee are processed by their employer in the context of an internal investigation does not, in principle, prevent the employee from exercising their right of access to those data, unless the employer demonstrates that the request is manifestly unfounded or excessive, or that the manner in which the right is exercised would adversely affect the rights and freedoms of others” (paragraph 11).
The employer must therefore:
- Acknowledge receipt and comply with the statutory time limits: pursuant to Article 12(3) GDPR, the controller must inform the data subject of the action taken within one month of receipt of the request. That period may be extended by two additional months where necessary, taking into account the complexity or number of requests, but only if the controller informs the data subject within the first month and provides reasons for the extension. In its decision of 1 December 2025, the Conseil d’État specified that the controller cannot rely on national provisions (in this case, the provisions of the Ordinance of 25 March 2020 extending time limits during the public health emergency) to lengthen this period.
- Identify the personal data contained in documents linked to the investigation (notes, emails, minutes) and determine whether providing a copy of the entire document, rather than only the personal data, is necessary to ensure the effectiveness of the right of access.
Redact or pseudonymise, where appropriate, information relating to third parties or protected by confidentiality (trade secrets, defence secrecy) or by intellectual property rights. For example, the employer may argue that certain business emails requested by the data subject refer to the company’s strategy, its commercial practices, a manufacturing secret, etc.
II. The influence of EU case law on the scope of employees’ right of access to their personal data
It is noteworthy that the Conseil d’État referred on several occasions to the case law of the CJEU on the right of access, which has provided key clarifications as to how that right should be interpreted.
In particular, the Conseil d’État cited the judgment of 27 May 2024 (Addiko Bank, C-312/23), which states that “the obligation to provide the data subject who so requests with a copy of the personal data concerning them that are being processed applies to the controller, even where that request is motivated by a purpose other than becoming aware of the processing and verifying its lawfulness.” In that case, bank customers had requested their data in order to obtain copies of loan agreements and repayment schedules.
The employer therefore cannot refuse to comply with a right-of-access request merely because an internal investigation is ongoing.
The CJEU has also delivered other major decisions on the right of access, more specifically concerning former employees’ access to their professional mailbox, in particular judgments C-487/21 and C-307/22. These decisions reiterate that the right of access is intended to enable the data subject to verify the lawfulness of the processing, and that the controller is not required to provide the document as such, but must at least disclose the personal data contained in it. Full disclosure of the document is required only where it is necessary to ensure that the data are intelligible.This European approach differs somewhat from the position taken by the French Cour de cassation in its decision of 18 June 2025 (No. 23-19.022), which confirms that professional emails constitute personal data that must be disclosed and requires the employer to provide a full copy, unless doing so would disproportionately infringe the rights of third parties.
III. Practical takeaways for controllers and employers
The Conseil d’État’s decision of 1 December 2025 should lead controllers to implement precise and structured procedures for handling data subjects’ rights, so as to provide employees and former employees with a GDPR-compliant response within the time limits set by the Regulation. Such documentation is intended to allocate responsibilities across the relevant teams and/or departments with sufficient granularity to ensure that requests are processed on time (HR, legal, DPO, etc.).
It is also recommended to define data governance rules and a data retention policy, together with effective deletion procedures. Where a personal data item has been deleted by the employer, it would fall outside the scope of the access request and could therefore no longer be disclosed to the data subject.
More generally, it is important to raise awareness and train teams on personal data protection issues, and in particular on the rules governing access requests. Litigation relating to the exercise of this right is becoming a major strategic issue for businesses, both in terms of compliance and risk management. An inadequate response to an access request may lead to administrative sanctions (CNIL) and may also weaken the employer’s position in employment or criminal proceedings.
Aumans Avocats: specialists in IT/Data, data protection and DPO outsourcing
As a law firm specialising in IT/Data and data protection, Aumans Avocats assists companies with GDPR compliance and the operational handling of data subjects’ rights.
