Article

EU—Court of Justice clarifies when courts may rely on unlawfully obtained personal data as evidence

EU—Court of Justice clarifies when courts may rely on unlawfully obtained personal data as evidence

On June 18, 2026, the Court of Justice of the European Union (the CJEU) handed down its judgment in NTH Haustechnik GmbH v. EM (Case C-484/24). The case arose from a German employment dispute in which an employer accessed its former employee’s private eBay account—potentially unlawfully—to obtain evidence that the employee had been selling company property online. The core question referred to the CJEU was whether, and on what conditions, a national court may rely on personal data as evidence where that data was obtained in breach of the General Data Protection Regulation (GDPR).

The CJEU held, in essence, that the GDPR does not impose an absolute prohibition on courts using unlawfully obtained personal data as evidence—the right to a fair trial justifies such processing, provided clear and foreseeable national rules (including case law) govern when and how such evidence may be admitted. The key points are as follows:

  • A court may rely on evidence containing personal data that a party obtained unlawfully, even where that party's own interest in obtaining or using the data would not, by itself, outweigh the data subject’s privacy interests.
  • National rules need not expressly state the circumstances under which a court may use personal data as evidence, provided clear, precise and foreseeable national case law establishes the relevant conditions.
  • Article 17(3)(e) GDPR does not itself provide a standalone legal basis for processing personal data in litigation; it only limits the right to erasure where the data is needed to establish, exercise or defend legal claims. 
  • Before disclosing such data to the parties (or third parties), the court must limit disclosure to what is necessary for the purpose concerned and, where appropriate, take measures (such as anonymisation) to mitigate the impact on data protection rights.
  • A failure to meet the Article 13 GDPR transparency obligations does not, by itself, prevent a court from using that data in its judicial capacity. 
  • The court must comply with the GDPR when handling personal data relating not only to the parties but also to third parties referred to in the proceedings. 

The judgment is available here.

Related capabilities

subscribe

Interested in this content?

Sign up to receive alerts from the A&O Shearman on data blog.