Obtained in Breach of Data Protection Law – Admissible Nonetheless? The CJEU on the GDPR in Civil Proceedings

In its judgment of 18 June 2026 in Case C-484/24 (NTH Haustechnik), the CJEU issued a highly relevant decision for litigation practice on the interface between data protection law and the use of evidence. At its core, the case concerns a question that repeatedly arises in employment and civil law disputes: may a court use personal data as evidence if that data may have been unlawfully obtained by one of the parties?

The Court clarifies that the GDPR does not automatically render such personal data inadmissible in court proceedings. At the same time, however, the court’s processing of that data remains subject to the principles of the GDPR, in particular the principle of data minimisation.

While the GDPR generally protects against the unlawful processing of personal data, it does not contain a general rule excluding evidence obtained in this way. A party that unlawfully collects data may still expose itself to significant data protection risks. However, this does not automatically mean that a court may not take the information concerned into account in civil proceedings.

The case arose from an employment dispute between a heating and air conditioning business and a former employee. The company accused the employee of having sold items via her private eBay account which, according to the company, belonged to the company. The alleged damage amounted to approximately EUR 46,500. The company had learned of the sales because one of its employees had accessed the former employee’s private eBay account using a username and password.

It was precisely this access that was problematic from a data protection perspective. According to the findings of the referring court, it could not be ruled out that the data had been collected unlawfully. The Lower Saxony Regional Labour Court therefore asked the CJEU whether, and under what conditions, personal data that may have been unlawfully obtained may be used in court proceedings.

The GDPR Does Not Stop at the Courtroom Door

The CJEU first clarifies that courts may also process personal data within the meaning of the GDPR. Where a court includes documents containing personal data in a case file, retrieves, stores or uses digital evidence, or extracts personal data from such material, this will generally constitute processing of personal data.

This means that the GDPR is, in principle, also relevant in judicial proceedings. The fact that courts act in the exercise of their judicial functions does not generally remove their processing of personal data from the scope of the GDPR. The Regulation does take account of judicial activity through specific rules, for example in relation to supervisory authority oversight. But this does not mean that court file management, the taking of evidence and the publication of judgments are irrelevant from a data protection perspective.

Civil proceedings are therefore not a data protection-free zone. Personal data does not lose its protection simply because it is introduced into court proceedings. However, it does not follow from this that the GDPR fully harmonises the rules on the admissibility and assessment of evidence.

Legal Basis for Judicial Processing: Article 6(1)(c) GDPR

It is particularly interesting that the CJEU does not primarily base the court’s processing on Article 6(1)(e) GDPR, that is, processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Instead, the Court relies on Article 6(1)(c) GDPR: the processing by the court is necessary for compliance with a legal obligation. The court must decide on the submissions and evidence offered by the parties and take admissible evidence into account when reaching its decision.

This legal obligation consists in deciding on the admissibility of evidence offered and taking admissible evidence into account in the decision. The court therefore does not process the data because it freely chooses to do so, but because, under procedural law, it must decide on the facts submitted by the parties and the evidence offered.

Article 6(1)(c) GDPR requires a legal basis in Union law or in the law of the relevant Member State. That legal basis must pursue an objective in the public interest and be proportionate. However, the CJEU does not require every detail of the use of evidence to be expressly regulated by statute. It may be sufficient if national procedural rules are specified through clear, precise and foreseeable case law.

Rules of Evidence Remain a Matter for the Member States

At the same time, the CJEU emphasises that, as EU law currently stands, it does not itself determine the conditions under which facts and evidence are admissible in national court proceedings or how they must be assessed. These questions remain, in principle, a matter for national law.

This does not mean, however, that national rules are entirely unconstrained. Where personal data is processed in the context of judicial proceedings, the national legal basis must comply with the requirements of the GDPR and the Charter of Fundamental Rights. It must pursue an objective in the public interest, be proportionate and be sufficiently clear, precise and foreseeable.

It is noteworthy that the CJEU does not require a detailed statutory catalogue setting out, for every conceivable situation, when personal data may be used as evidence. It may be sufficient if the relevant criteria follow from clear, precise and foreseeable national case law. The concept of “Member State law” within the meaning of the GDPR is therefore not necessarily limited to formal legislation.

This is highly relevant for Member States such as Austria. In Austria, too, the question of whether unlawfully obtained evidence may be used in civil proceedings is largely shaped by case law and balancing exercises. The CJEU does not require full codification. It does, however, require the criteria to be foreseeable and to take appropriate account of the fundamental rights concerned.

No Automatic Exclusion of Evidence

The most important practical part of the decision concerns the question of whether a court may process personal data that one of the parties obtained in breach of the right to private life or data protection law. The CJEU rejects an automatic exclusion of such evidence.

According to the Court, Articles 7 and 8 of the Charter of Fundamental Rights, Articles 5 and 6 GDPR and the principle of data minimisation do not prevent a national court from using such evidence merely because the party submitting it did not have a legitimate interest in the processing beyond proving the facts alleged.

This is a clear statement. The CJEU does not qualify a party’s mere evidentiary interest as insufficient under EU law. In doing so, the Court leaves considerable room for national procedural law. Whether, and under what conditions, evidence must be excluded in a specific case remains, in principle, a matter for the national legal order. The GDPR does not contain an independent, general rule excluding evidence obtained in breach of data protection law.

This is a clear rejection of the idea that the GDPR automatically results in a procedural exclusion of evidence. The unlawfulness of the initial data collection and the subsequent use of the data by the court are two distinct levels. The first may be unlawful and may trigger sanctions, claims for damages or supervisory measures. But it does not necessarily follow that the court may not use the data concerned in the proceedings.

No Licence for Digital Self-Help

At the same time, it would be wrong to understand the judgment as an invitation to obtain evidence through unlawful access where necessary. That is not what the CJEU says.

The initial collection of data by a party remains subject to a separate assessment under the GDPR and the relevant fundamental rights. If an employer accesses private accounts, evaluates communication content or uses passwords, this may still be unlawful under data protection law. It may result in supervisory measures, claims for damages under Article 82 GDPR, employment law consequences and, in some cases, even criminal law risks.

The decision primarily concerns the question of whether the court may later use such data in the proceedings. It does not legitimise the prior acquisition of the data. This is the decisive distinction: obtaining evidence in breach of data protection law may remain unlawful, even if the evidence is not automatically inadmissible in the proceedings.

For companies, this means that anyone conducting internal investigations, investigating compliance breaches or preparing claims against employees, board members or contractual partners should continue to ensure that there is a carefully assessed data protection basis. The judgment does not reduce the risks associated with collecting data. It merely weakens the argument that every data protection infringement necessarily leads to procedural inadmissibility.

Data Minimisation Remains Relevant for Courts

The CJEU emphasises the importance of the principle of data minimisation. However, it does not require a court to carry out an additional comprehensive proportionality assessment and balancing exercise for every individual processing operation involving personal data, provided the requirements of Article 5(1)(c) GDPR are complied with.

Where evidence has been lawfully included in the case file, the CJEU assumes that the data contained in that evidence may, in principle, be adequate, relevant and limited to what is necessary for the court’s decision-making. The court must be able to assess the evidence in order to perform its function and safeguard the right to a fair trial.

Data minimisation becomes particularly relevant, however, when personal data is disclosed. Before a court discloses data to parties or third parties, for example in the context of service of documents or the publication of a decision, it must assess whether that data is limited to what is necessary. Where appropriate, measures such as anonymisation or pseudonymisation must be taken.

Article 13 GDPR: Breach of Information Obligations Does Not Necessarily Lead to Inadmissibility

A possible breach of information obligations under Article 13 GDPR also does not, according to the logic of the decision, automatically mean that a court may not use the data concerned.

Article 13 GDPR, of course, remains relevant. Anyone collecting personal data must, in principle, inform the data subject transparently. For the use of the data in court proceedings, however, this is not necessarily decisive. Here too, the CJEU treats the initial collection of the data and the subsequent processing by the court as separate operations. A transparency breach by a party may therefore have data protection consequences, but does not in itself lead to a mandatory exclusion of evidence under EU law.

What Does This Mean for Employers?

The decision is particularly relevant for employment disputes. In practice, such cases often involve emails, log files, chat histories, browser data, access credentials, video recordings or other digital traces intended to prove breaches of duty. In precisely such situations, the temptation is often strong to analyse existing data as extensively as possible and submit it in the proceedings.

The judgment is not, however, an invitation to take investigative shortcuts. Employers must continue to assess whether the collection and evaluation of personal data is lawful. Depending on the situation, transparency obligations, purpose limitation, data minimisation, storage limitation, employee participation rights and specific rules on employee data may all be relevant. Those who ignore these requirements risk claims for damages, supervisory proceedings and, where applicable, employment law consequences.

The decision does help employers in one respect: data protection mistakes in the initial collection of data do not automatically mean that a later case is lost because the evidence would be inadmissible under EU law. Whether a national court uses a piece of evidence in a specific case remains a question of national procedural law and the circumstances of the individual case. The GDPR, however, does not require automatic exclusion.

What Does This Mean for Companies More Generally?

Beyond employment law, the decision is relevant for all companies that use personal data as evidence in civil disputes. This may concern internal investigations, compliance matters, disputes with customers or suppliers, IP/IT-related proceedings, corporate disputes or damages claims.

In all of these cases, three levels should be distinguished.

First: may the company collect, evaluate and use the data for the purpose of enforcing rights? This question must be assessed under the general rules of the GDPR and, where applicable, under specific statutory provisions.

Second: may the company submit the data to the court? Here too, a separate data protection assessment is required, in particular with regard to purpose limitation, necessity and the scope of the data transmitted.

Third: may the court use the data in the proceedings, disclose it to others or reproduce it in a decision? This concerns the court’s own judicial processing operations and the principle of data minimisation.

Conclusion

The decision in NTH Haustechnik provides greater clarity on how data protection law and the law of evidence interact. The message is clear: the GDPR is not an automatic rule excluding evidence. Even personal data that a party may have obtained unlawfully can be used by a national court in the proceedings.

Nevertheless, companies should review their internal investigation processes. Particularly in cases involving suspicions against employees or board members, it is crucial to assess the data protection basis, the scope of the data analysis, the documentation of necessity and compliance with information obligations at an early stage. The judgment does not make the use of evidence impossible, but it does not replace careful compliance. Unlawful access to private accounts, private communications or disproportionate IT analyses may still trigger significant legal consequences, including under data protection law.

For companies, the judgment is therefore neither a blank cheque nor a cause for alarm. It is a pragmatic clarification: data protection infringements can have significant consequences, but they do not automatically destroy the evidentiary value of information in litigation.

We are happy to support you in assessing internal investigations from a data protection perspective and in preparing data protection-sensitive evidence for litigation.