Category: Newsletter

• Equal treatment: meal vouchers also apply to teleworkers

 

Until now, the question of granting meal vouchers to teleworking employees has been contentious. While some judges favored the principle of equal treatment, others considered that an employer could refuse them in the absence of additional meal-related expenses.

 

In two rulings handed down on October 8, 2025, the Court of Cassation settled the matter: teleworking employees are entitled to meal vouchers under the same conditions as those working on-site.

 

Relying on Article L. 1222-9 of the French Labour Code, which provides that teleworkers enjoy the same rights as employees working within company premises, the Court clarified that the only criterion for granting meal vouchers is that the meal must fall within the employee’s working hours, regardless of the place or organization of work.

 

In a second ruling, the Court added that the practice of granting meal vouchers to employees located far from the company cafeteria cannot be suspended simply because they switch to telework.

 

💡 Key takeaway: The allocation of meal vouchers must now be identical for on-site and teleworking employees, provided their schedule includes a lunch break. Beyond this landmark decision, meal vouchers remain a useful tool for strengthening employees’ purchasing power, benefiting from favorable social and tax treatment (exemption from social contributions up to €7.26 per voucher issued since January 1, 2025).

 

• Dismissal and late delivery of end-of-contract documents

 

Under Articles L.1234-19, L.1234-20, and R.1234-9 of the French Labour Code, the employer must provide the employee’s end-of-contract documents upon termination.

 

In cases of dismissal for gross misconduct, the employment relationship ends immediately upon notification. The termination date is therefore the date the employer expresses the intent to end the employment — that is, the date the dismissal letter is sent by registered mail.

 

Relying on these provisions, the Court of Cassation overturned a Montpellier Court of Appeal decision, ruling that when a dismissal for gross misconduct is pronounced, the employer must provide the end-of-contract documents on the same date, given the absence of notice period.

 

In this case, the employee was dismissed on April 9, 2018, but received his end-of-contract documents on June 6, 2018. The Court of Appeal had rejected his claim for damages, reasoning that no harm could be proven given the hypothetical notice period.

 

The Court of Cassation logically quashed this decision, reaffirming that these documents must be delivered as of the dismissal date. Otherwise, the employee may claim damages, provided that harm can be demonstrated — for instance, delayed access to unemployment benefits. A short gap of a few days is, however, unlikely to cause prejudice, since unemployment benefits are deferred by a mandatory seven-day waiting period, in addition to any delay due to unused paid leave.

 

In light of this decision, companies must ensure that end-of-contract documents are sent promptly after dismissal for gross misconduct. This simultaneous issuance may raise logistical issues for employers who usually prepare such documents at month-end. To ensure legal security, practices may need adjusting.

 

• Adoption and medically assisted reproduction: strengthened protection and authorized absences

Adopted on June 19, 2025, and published in the Official Journal on July 1, 2025, Law No. 2025-595 strengthens the protection of individuals involved in a “parental project” through assisted reproduction (PMA/IVF) or adoption.

 

Henceforth, protection against discrimination linked to parental projects applies to all employees — men and women — engaged in a PMA or adoption process. Employers can no longer refuse hiring, terminate a contract, or transfer an employee on the basis of such participation. They are also prohibited from seeking or using related information.

 

Employees undertaking PMA treatments may now take paid leave to attend necessary medical appointments, procedures, or treatments. They may also accompany their spouse, civil partner, or cohabitant to up to three mandatory medical appointments per protocol.

 

Likewise, employees involved in an adoption project are entitled to leave to attend compulsory adoption interviews. A forthcoming decree will set the maximum number of absences allowed.

 

This law represents a major advance in equality and anti-discrimination policy: parental projects, whether through PMA or adoption, are now fully recognized within the professional sphere. Employers must adjust internal leave and HR management procedures accordingly.

 

• Automatic compensation in cases of proven trade union discrimination — a new reversal

In 2016, the Court of Cassation established that in the event of an employer’s breach of a legal or contractual obligation, trial judges have sovereign discretion to assess the existence and quantum of damages.

 

Since then, the Court has recognized various exceptions.

 

In a ruling dated September 10, 2025, it introduced a new one, holding that “the mere finding of trade union discrimination entitles the employee to compensation.”

 

In this case, a former staff representative dismissed for incapacity claimed damages for trade union discrimination. The Dijon Court of Appeal rejected his claim, holding that he had neither proven the damage nor needed further reparation since the court’s recognition of discrimination was itself compensatory.

 

The Court of Cassation overturned that decision, ruling that the mere finding of trade union discrimination automatically opens the right to compensation.

 

This surprising decision appears to rest on an unwritten, third criterion suggested by the Advocate General, based on both:

• the importance of the legal rule at stake, and
• the victim’s inability to prove the harm suffered.

 

Although not explicitly stated, it seems the Court relied on this reasoning.

 

If confirmed, this new standard could significantly broaden automatic compensation cases. However, recent rulings from the Court of Justice of the European Union reaffirm that judges’ discretion to assess damages does not undermine the effectiveness of EU law, suggesting the French courts may maintain a case-by-case approach.

 

• Hidden cameras in the workplace: CNIL recalls legality requirements

 

In a decision dated September 18, 2025, the CNIL fined a company €100,000 for installing hidden cameras disguised as smoke detectors and recording employees’ conversations in storage areas. This ruling reiterates the strict conditions governing workplace video surveillance.

 

Hidden cameras may only be used exceptionally, where reasonable suspicion of serious misconduct exists, and with strict safeguards balancing corporate security and employee privacy.

 

To be lawful, such monitoring must be:

• temporary and strictly time-limited;
• documented and objectively justified;
• compliant with GDPR, following consultation with the Data Protection Officer.

 

In this case, the company failed to prove the temporary and proportionate nature of the system, nor its compliance with transparency or fairness obligations. The CNIL also noted excessive audio recording, lack of DPO involvement, and failure to report a personal data breach.

 

This decision reaffirms that hidden video surveillance is a highly exceptional measure that must observe robust proportionality and GDPR compliance safeguards.

La société Fred Paris a obtenu, le 18 juin 2025 (TJ Paris, 18 juin 2025, RG n° 23/10855), la condamnation d’une créatrice de bijoux qui commercialisait une gamme de bijoux reproduisant les caractéristiques essentielles du bracelet Force 10 GM et de son modèle communautaire. Nous n’avons pas connaissance d’un éventuel appel interjeté.

 

Le litige oppose un célèbre joailler et une créatrice de bijoux

 

La célèbre maison française de joaillerie et d’horlogerie compte, parmi ses créations, deux gammes de bijoux dénommées « Force 10 » et « Chance Infinie ». La maison est titulaire du modèle de l’UE n° 000772819-0001, déposé en 2007, représentant la fameuse boucle en forme de manille stylisée des créations de la gamme Force 10.

 

La défenderesse est une créatrice de bijoux qui commercialisait, sur son site Internet et sur des marchés locaux, des modèles qui reproduisaient, selon Fred Paris, les caractéristiques essentielles de ses produits.

 

Fred Paris a ainsi, après mise en demeure, assigné la créatrice de bijoux en contrefaçon de droit d’auteur, en contrefaçon de modèle et en concurrence déloyale.

 

Des actes de contrefaçon et de concurrence déloyale étaient invoqués

 

Fred Paris alléguait que la créatrice avait enfreint ses droits d’auteur en reproduisant les caractéristiques essentielles composant l’originalité des produits litigieux. Concernant le modèle de l’UE, la société estimait que les bijoux litigieux reprenaient les caractéristiques essentielles des produits de la marque, de sorte qu’ils créaient une même impression visuelle globale, caractérisant ainsi des actes de contrefaçon.

 

La créatrice reconnaissait la similitude entre les bijoux mais invoquait la banalisation de la gamme, de nombreux bijoux similaires étant commercialisés par des tiers. Elle arguait, pour sa défense, que l’acheteur moyen n’est pas conscient de la similitude entre les produits litigieux et ceux de Fred Paris.

 

Le tribunal a reconnu l’ensemble des faits reprochés

 

Sur la contrefaçon de droits d’auteur

Après avoir reconnu la titularité des droits revendiqués par Fred Paris, qui exploite publiquement sa gamme depuis au moins 2008, les juges caractérisent l’originalité des bijoux la composant.

 

Ils constatent que les bijoux litigieux reprennent, comme l’alléguait la demanderesse, les caractéristiques essentielles des siens.

 

Les actes de contrefaçon sont ainsi caractérisés selon les juges, « peu important l’existence d’autres sites proposant des bijoux similaires […], la bonne foi étant indifférente », en particulier dans un contexte où la créatrice avait été mise en demeure par Fred Paris.

 

Sur la contrefaçon de modèle communautaire

De même, le tribunal reconnait la reproduction des caractéristiques essentielles du modèle dans les bijoux de la créatrice qui produisent, sur l’utilisateur averti, la même impression globale.

 

Sur la concurrence déloyale et le parasitisme

Le risque de confusion ou d’association dans l’esprit du public créé par l’effet de gamme des bijoux de la défenderesse est reconnu. Il vaut en particulier pour la gamme « Chance infinie » qui n’avait pas fait l’objet d’un dépôt de modèle.

 

Le parasitisme résulte de la volonté de la défenderesse de se placer dans le sillage de la société Fred Paris pour profiter de ses investissements et de la notoriété de ses bijoux.

 

La réparation octroyée reste modeste

 

La créatrice de bijoux est condamnée à réparer le préjudice subi par Fred Paris au titre de la contrefaçon, estimée à hauteur de 3 000 euros, et du parasitisme et concurrence déloyale, à hauteur de 1 000 euros. Le caractère modeste de ces montants résulte notamment du fait que Fred Paris n’avait pas prouvé, selon le tribunal, des conséquences économiquement négatives ; que les bénéfices réalisés étaient limités ; qu’il n’était pas prouvé que les actes reprochés s’étaient étalés dans le temps. Le préjudice réparé est donc circonscrit aux économies d’investissement réalisées et au préjudice moral résultant de la banalisation des bijoux de la demanderesse.

 

La défenderesse est également condamnée à verser 3 000 euros à Fred Paris en application de l’article 700 du code de procédure civile.

 

Cette décision illustre la double protection des créations joaillières (et de toutes les œuvres d’art appliqué) par le droit d’auteur et le droit des dessins et modèles, mais aussi par le droit commun de la responsabilité civile entre concurrents.

 

Elle incitera peut-être les titulaires de droits qui envisagent d’assigner à opérer une balance entre les coûts de la procédure, les perspectives de réparation potentiellement très modestes et le souhait éventuel de faire de ces condamnations une affaire de principe.

A dynamic semester for the Joffe & Associés Team!

 

The past six months have been marked by a steady pace of milestones and achievements: the appointment of a new partner, the arrival of fresh talent, recognitions in leading rankings, media features, expert analyses, industry conferences, sporting challenges, social commitments, and interactions with students. It has been a period of sustained activity on all fronts.

 

Behind every initiative stands a committed and dynamic team, attentive to the needs of its clients as well as the broader issues shaping society.

 

This newsletter looks back at the highlights of the semester and reflects what truly sets us apart: the strength of our collective.

 

We hope you enjoy reading it!

 

Read the full newsletter here: Joffe & Associés : Newsletter – First Half of 2025.

According to the CJEU, annual paid leave is intended for rest, while sick leave is for healing. One cannot therefore replace the other.

 

However, the French Labor Code ignores this situation and case law considers that “if an employee falls ill during their leave, their sick leave is not taken into account. The days of leave cannot be carried over and are lost.”

 

In view of this gap, the European Commission launched an infringement procedure against France on 18^th June 2025. A letter of formal notice has been sent urging France to comply with Directive 2003/88/EC on working time in order to guarantee the effectiveness of the right to annual leave. France has two months to comply, or risk a referral to the CJEU and a possible sanction. The legislator will therefore have to adapt the Labour Code.

 

Some lawyers and trade unions in favour of the change see this as an important social step forward in order to guarantee employees a real right to rest, even in the event of illness occurring during the holidays, while sick leave and paid leave pursue two different purposes. Many countries provide for this right to deferral: in Belgium, provided that the employee informs their employer immediately, provides a medical certificate, and reschedules the days later; in Italy, Spain or Switzerland where the right to deferral is strictly regulated with the requirement of rigorous medical proof and without allowing extended holidays.

 

However, many critics have been raised against this system, fearing a generalization of sick leave during holidays and opportunistic behavior to artificially extend vacations.

 

The abuse of sick leave is already a worrying reality in France. The Health Insurance has noted an explosion of false work stoppages in recent years. 42 million euros of sick leave fraud were detected in 2024, a figure 2.4 times higher than in 2023. In addition, out of 230,000 sick leaves verified by medical advisors, one in three was unjustified and was suspended.

 

In order to effectively combat these abuses, the Health Insurance has made available, and then made mandatory from July 2025, a new standardized form for notice of sick leave that is difficult to falsify and more secure (special paper, holographic label, magnetic ink, identification of the prescriber, etc.).

 

Strengthening the control of sick leave is certainly a reasonable counterpart to the evolution of French law required by the European Commission, to avoid abuses and preserve the credibility of the system. Confidence requires maintaining the balance between individual rights and the prevention of abuse. It is on this condition that this reform can be fully accepted and effective.

Click here to download our newsletter.

 

IN BRIEF:

 

• SANCTIONS– 2024 review of the sanctions and corrective measures pronounced by the CNIL and sanction of a company for the excessive surveillance of its employees.
• ARTIFICIAL INTELLIGENCE – Clarification of the definition of AI systems by the European Commission and new recommendations from the CNIL to support responsible AI.
• ANONYMIZATION/PSEUDONYMIZATION – A search engine called to order by the CNIL and publication of guidelines by the European Data Protection Board.
• RIGHT OF ACCESS – European coordinated action identifies gaps in the implementation of the right of access.
• TRANSFER OUTSIDE THE EUROPEAN UNION – Publication of the CNIL guide on impact assessments of data transfers.

 

I. SANCTIONS TO REMEMBER

 

a. 2024 report on the CNIL’s sanctions

 

In 2024, the Commission Nationale de l’Informatique et des Libertés (“CNIL“) (France) issued 87 sanctions, including 69 under the simplified procedure (here). This significant increase compared to 2023 (42 sanctions) and 2022 (21 sanctions) can be explained by the increasingly frequent use of the simplified procedure (almost three times more than in 2023).

 

As part of its ordinary procedure, the CNIL has sanctioned companies in particular for:

• Commercial prospecting: in particular for the failure to collect prior consent from individuals before sending commercial communications.
• Health data processing: in particular with regard to anonymisation (e.g. clarification of the qualification of data processed in health data warehouses).

 

As part of its simplified procedure, the CNIL has sanctioned (i) the failure to cooperate with the CNIL, (ii) the failure to comply with the exercise of rights, (iii) the failure to minimise data, (iv) the breach relating to the security of personal data, and (v) the breach of the regulations relating to cookies.

 

b. Excessive surveillance of employees: €40,000 fine for a company in the real estate sector

 

The CNIL, by deliberation SAN-2024-021 of December 19, 2024 (here), imposed a fine of €40,000 on a company in the real estate sector for having set up excessive surveillance of its employees, by means of software for monitoring working time and employee performance and a continuous video surveillance system set up in employees’ work and break areas. The CNIL has identified several shortcomings, in particular:

 

Failures	Details
Excessive surveillance	(i)     The continuous recording of images and sounds of employees is contrary to the principle of data minimization (Article 5 of the GDPR); and (ii)   There is no legal basis for implementing endpoint monitoring software (Article 6 of the GDPR).
Lack of information	Oral information on the implementation of the monitoring software does not meet the conditions of accessibility over time and, in the absence of a written record of it, its completeness is not established (Articles 12 and 13 of the GDPR).
Lack of security measures	The CNIL recalls the reinforced requirement for individualized access to administrator accounts, which have very extensive rights over personal data – here, several employees shared the same access to data from the surveillance software (Article 32 of the GDPR).
Lack of impact assessment (DPIA)	The systematic monitoring of employees at their workstations required the formalization of a DPIA (Article 35 of the GDPR).

 

II. TOWARDS RESPONSIBLE AI

 

a. Prohibited practices in artificial intelligence: the new guidelines of the European Commission

 

On 6 February 2025, the European Commission adopted guidelines on the definition of artificial intelligence (“AI“) systems to help stakeholders identify whether a software system falls under AI. It should be noted that these guidelines do not address general-purpose AI models. The Commission has identified and clarified the 7 elements that make up the definition of ‘AI system’, introduced in Article 3(1) of Regulation (EU) 2024/1689 on AI:

 

Definition of the AI Act	Commission clarifications
Machine-based system	AI systems must be computationally driven and based on machine operations.
that is designed to operate at varying levels of autonomy	The deductive capacity of systems is key to ensuring their autonomy: an AI system must operate with a certain reasonable degree of independence of action (which excludes systems requiring full manual human involvement and intervention).
and that may exhibit adaptiveness after deployment	The condition of the system’s self-learning capacity is optional and non-decisive.
and that, for explicit or implicit objectives	Explicit (encoded) or implicit (inferred from behavior or assumptions) objectives are internal and refer to the goals and results of the tasks to be performed. They are part of a broader notion of the “purpose” of the AI system, which corresponds to the context in which it is designed and how it must be operated.
infers, from the input it receives, how to generate outputs	This notion refers to the building phase of the AI system, and is therefore broader than just the phase of use of the system. The Commission distinguishes between AI systems and other forms of software that have only a limited capacity to analyse patterns and adjust autonomously their output.
such as predictions, content, recommendations, or decisions	AI systems are distinguished by their ability to generate nuanced results, leveraging complex models or expertly defined rules. The Commission details each of the terms of the definition.
that can influence physical or virtual environments.	AI systems are not passive but actively impact the environments in which they are deployed.

 

 

b. The CNIL’s new recommendations for responsible AI

 

On February 7, 2025, the CNIL published new recommendations to support the development of responsible AI, in compliance with the GDPR (here). These relate both to the information of individuals and to the exercise of their rights:

 

• Information: the data controller must inform individuals when their personal data is used to train an AI model. This information can be adapted according to the risks to people and operational constraints and can therefore sometimes be limited to general information (when people cannot be contacted individually) and/or global information (when many sources are used, for example by indicating only categories of sources).
• Rights of individuals: the CNIL invites stakeholders to take into account the protection of privacy from the design stage of the model (e.g. anonymization strategy, non-disclosure of confidential data). The implementation of rights in the context of AI models can be difficult and a refusal to exercise rights can sometimes be justified. When these rights must be guaranteed, the CNIL will take into account the reasonable solutions available and may adjust the conditions of delay.

 

III. ANONYMIZATION AND PSEUDONYMIZATION UNDER DEBATE

 

a. The new EDPS Guidelines on pseudonymisation

 

On 16 January 2025, the European Data Protection Board (EDPB) adopted new guidelines 01/2025 on pseudonymisation, which are subject to public consultation until 14 March 2025.

 

Pseudonymisation means that personal data is no longer attributed to a data subject without additional information (Article 4(5) GDPR). Pseudonymised data is personal data because there is a risk of re-identification of the data subjects.

 

The EDPB states that pseudonymisation can (i) facilitate the use of the legal basis of legitimate interest, provided that all other requirements of the GDPR are met, (ii) ensure compatibility with the original purpose in the context of further processing, and (iii) help organisations comply with obligations relating to the principles of the GDPR, protection by design and by default, and security.

 

The EDPB is also analysing a set of robust technical measures to prevent unauthorised re-identification. Recommended techniques include hashing with a secret key or salt, separation of information for attribution, and strict access control.

 

It will be pointed out that these guidelines are to be read in the light of Case C-413/23 pending before the Court of Justice of the European Union between the European Data Protection Supervisor and the Single Resolution Board (SRB). In this case, pseudonymised data was transferred by the SRB to Deloitte for the purposes of an analysis mission. In his Opinion of 6 February 2025, the Advocate General asks the Court to rule on whether the recipient of pseudonymised data who does not have reasonable means to re-identify the data subjects could be considered not to be processing personal data insofar as the risk of identification is ‘non-existent or insignificant’.

 

IV. SPOTLIGHT ON THE RIGHT OF ACCESS

 

The CNIL and the European Data Protection Supervisor participated in a coordinated action of the European Data Protection Board in order to evaluate the implementation of the right of access to personal data.

 

During 2024, the CNIL inspected public and private bodies, chosen on the basis of complaints received, and issued several reminders of legal obligations. She notes that the organizational measures implemented by these organizations to process right-of-access requests are sometimes insufficient/unsatisfactory. Organizations should both (i) provide information about the processing, (ii) include a copy of the data processed, and (iii) should not systematically exclude certain processing or categories of personal data from their responses.

 

The EDPS has monitored the processing of requests for the right of access by the EU institutions, bodies, offices and agencies and has highlighted in his report of 16 January 2025 : (i) the low volume of requests, (ii) the decentralisation of the management of requests, (iii) the fact that it is difficult to distinguish between access requests and other types of requests,  (iv) the excessive processing of data caused by the verification of the identity of applicants, (v) the difficulty of reconciling the protection of rights and freedoms and respect for the right of access of individuals. Controllers and processors are invited by the EDPS to refer to Guideline 01/2022 on the right of access of data subjects.

 

V. IMPACT ANALYSIS OF DATA TRANSFERS

 

On January 31, 2025, the CNIL published the final version of its guide on the Impact Assessment of Data Transfers (AITD) (here) to help data exporters assess the level of protection in destination countries located outside the European Economic Area and the need to put in place additional safeguards. This analysis is necessary when the transfer is based on a tool of Article 46 of the GDPR (standard contractual clauses, binding corporate rules, etc.): the destination country does not benefit from an adequacy decision and the transfer is not carried out on the basis of a derogation from Article 49 of the GDPR.

 

The guide proposes a six-step methodology:

• Identify the data concerned and the actors involved;
• Choose the appropriate transfer tool;
• Analyze risks related to the laws and practices of the third country;
• Determine and apply additional measures (e.g. encryption or anonymization);
• Implement these additional measures;
• Reassess the compliance of the transfer at appropriate intervals.

 

This publication follows a public consultation that allowed the CNIL to adapt its guide to the practical realities of companies, and to modify it in order to take into account the latest opinions of the European Data Protection Board.

 

🚨 DPO Newsletter: What You Need to Know! 🔒

 

 

🔥 Our latest issue is out, covering key decisions, upcoming regulations, and major trends to watch:

 

 

In this edition:

🚫 Record-breaking fines – Orange (€50M), Meta (€251M), and OpenAI (€15M) hit with major sanctions.
📉 Data Transfers outside the EU – The CJEU condemns the European Commission for illegal data transfers to the U.S.
📢 GDPR Certification for Processors – The CNIL opens a public consultation. Be ready for what’s next!
⚠️ Deceptive Cookie Banners – Time’s up for several website publishers ordered to comply.
🤖 Responsible AI – The EDPB sets the tone for AI development within GDPR rules.
📊 2025-2028 Strategic Focus – CNIL’s roadmap to secure the digital future.

 

 

👉 Stay sharp and anticipate the impact on your business!

 

 

Should you have any questions, do not hesitate to contact us: contact@joffeassocies.com