CJEU on the GDPR in Court Proceedings: No Automatic Prohibition on the Use of Evidence in Cases of Data Protection Violations
Update Data Protection No. 255
The European Court of Justice (CJEU) ruled on 18 June 2026 in Case C-484/24 – NTH Haustechnik GmbH v. EM – on the use of personal data as evidence in court proceedings. The decision is particularly relevant for employers, compliance departments, and companies that conduct internal investigations and need to access employee data, email accounts, log files, or other digital data.
1. Facts
The case originated from a dispute before the Lower Saxony Regional Labour Court (Landesarbeitsgericht Niedersachsen). An employer brought damages claims against a former employee who allegedly sold company property online without authorization. The data submitted as evidence by the employer may have been collected in violation of data protection requirements.
The referring court asked the CJEU whether the GDPR (Datenschutz-Grundverordnung – DSGVO, i.e. the General Data Protection Regulation) precludes the judicial use of such data, which legal basis applies for data processing in court proceedings, and whether Art. 17(3)(e) GDPR can serve as an independent legal basis.
2. Key Findings of the CJEU
The CJEU clarifies that the GDPR does not establish an automatic prohibition on the use of personal data as evidence that was previously collected or otherwise processed in violation of the GDPR.
A collection of personal data by a party or a third party that is questionable under data protection law does not, as such, prevent a national court from using the evidence. As a legal basis for the processing of personal data by courts, Art. 6(1)(c) GDPR and Art. 6(3) GDPR in conjunction with a national legal basis may apply, insofar as the court is obligated under national law to investigate the facts and evaluate evidence.
For German civil and labour court proceedings, Art. 92 GG (Grundgesetz – Basic Law), §§ 138, 286, 355 et seq. ZPO (Zivilprozessordnung – Code of Civil Procedure) and the labour court procedural rules are relevant. These provisions require the parties to present substantiated factual submissions and the court to comprehensively evaluate the case material.
At the same time, the CJEU emphasizes that Art. 17(3)(e) GDPR does not constitute an independent legal basis for data processing. The provision merely limits the right to erasure insofar as the processing is necessary for the establishment, exercise, or defence of legal claims. The lawfulness of processing must still be assessed under Art. 6 GDPR and, where applicable, further provisions.
3. No Carte Blanche for Unlawful Data Collection
The decision benefits the party bearing the burden of proof but is not a carte blanche for unlawful data collection. Data protection violations in the original collection or securing of personal data can still have significant consequences, including:
- Damages claims under Art. 82 GDPR,
- Supervisory authority measures and fines under Art. 58, 83 GDPR,
- Erasure claims under Art. 17 GDPR,
- Reputational damage,
- and in individual cases, national prohibitions on the use of evidence in cases of particularly serious fundamental rights violations.
For companies: A data protection violation does not necessarily destroy the procedural value of evidence. However, every data protection violation remains an independent compliance and liability risk.
4. Significance for Internal Investigations
The decision is particularly relevant for internal investigations, such as in cases of suspected fraud, embezzlement, disclosure of trade secrets, corruption, antitrust violations, data protection violations, or other breaches of duty.
In practice, internal investigations frequently involve the processing of employee personal data, particularly from:
- work email accounts,
- chat and collaboration tools,
- log files and access data,
- cloud storage,
- CRM and ERP systems,
- access control data,
- other device and usage data.
Access to and evaluation of personal data must always be based on a suitable legal basis, in particular Art. 6(1)(f) GDPR (legitimate interests), Art. 6(1)(c) GDPR (legal obligations), § 26(1) sentence 1 BDSG (Bundesdatenschutzgesetz – Federal Data Protection Act) for employment purposes, and § 26(1) sentence 2 BDSG for investigations to uncover criminal offences.
For special categories of personal data (e.g., health data, trade union membership, religious affiliation), Art. 9 GDPR, § 26(3) BDSG and, where applicable, § 22 BDSG must also be observed. Where data relates to criminal offences or convictions, Art. 10 GDPR applies.
5. Access to Employee Email Accounts
Private use of company communication tools should be clearly regulated. This creates legal certainty and facilitates lawful access in case of need.
From an employer’s perspective, the safest approach is usually to expressly prohibit private use of work email accounts and IT systems. The prohibition should be set out in the employment contract, an IT policy, or a works agreement and enforced in practice. If private use is tolerated over a longer period despite a prohibition, this can impair the permissibility of later access, as the legal requirements are significantly higher.
While it is increasingly argued that employers are not subject to telecommunications secrecy under § 3 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – Telecommunications Digital Services Data Protection Act) even where private use is permitted or tolerated, a definitive ruling from the highest courts is still pending. Companies should therefore either prohibit private use or at least clearly regulate it and additionally implement technical and organizational safeguards.
An IT or email policy should comply with the information obligations under Art. 13, 14 GDPR and should in particular regulate:
- whether private use is permitted, prohibited, or only exceptionally allowed,
- whether private content must be specially marked or stored in private folders,
- under what conditions work mailboxes may be accessed,
- which departments decide on access,
- how private or obviously irrelevant content is filtered out,
- what logging and documentation obligations apply,
- how long data is retained.
6. Requirements for Internal Investigations
Internal investigations must be incident-related, purpose-bound, and proportionate. The principles of Art. 5(1) GDPR are decisive: lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.
Where there is suspicion of criminal offences in the employment relationship, § 26(1) sentence 2 BDSG requires documented factual indications to substantiate the suspicion. The processing of personal data must be necessary for detection, and the legitimate interests of the affected employee in the exclusion of processing must not outweigh the interest in detection. The nature and extent of data processing must be proportionate to the occasion.
Before accessing (private) communication data, it should be examined whether less intrusive means are available, such as the evaluation of contractual documents, invoices, system logs, metadata, or interviews with other parties involved. Email mailboxes should only be evaluated when this is necessary for (further) investigation.
7. Works Council and Collective Agreements
Where a works council exists, co-determination rights under § 87(1) No. 6 BetrVG (Betriebsverfassungsgesetz – Works Constitution Act) must be observed insofar as technical systems are used that are capable of monitoring employee behaviour or performance. This includes log file evaluations, monitoring tools, DLP systems, SIEM systems, and collaboration tools.
A works agreement can also serve as an important data protection legal basis for the processing of personal data. Under § 26(4) BDSG, personal employee data may be processed on the basis of collective agreements; however, these must meet the requirements of Art. 88(2) GDPR and provide appropriate safeguards for the rights and freedoms of employees.
8. Documentation and Safeguards
Internal investigations should always be conducted on the basis of a documented approval process. Before the measure begins, the following should be documented:
- the specific investigation reason,
- the legal basis under Art. 6 GDPR and, where applicable, § 26 BDSG,
- the investigation purpose,
- the affected data sources,
- the less intrusive measures considered,
- the circle of authorized persons,
- the search criteria and evaluation method,
- the handling of private or irrelevant content,
- retention and deletion periods,
- the involvement of Legal, Compliance, HR, IT, and the Data Protection Officer.
Organizationally, the need-to-know principle, the four-eyes principle, access restrictions, logging, measures to maintain confidentiality, and data security under Art. 32 GDPR should be observed and implemented. For extensive or systematic monitoring measures, a Data Protection Impact Assessment under Art. 35 GDPR is regularly required. The processing must be recorded in the record of processing activities under Art. 30 GDPR.
9. Procedural Consequences
If an investigation result is to be used later in court proceedings, companies should prepare the data in a litigation-ready manner during the investigation itself. Unnecessary personal data, private content, and data of uninvolved third parties should be filtered out, redacted, or pseudonymized.
The CJEU decision strengthens the possibility of using personal data as evidence in court proceedings. At the same time, it confirms that every processing of personal data requires a legal basis and that the principle of data minimization under Art. 5(1)(c) GDPR must be observed when disclosing data to opposing parties or third parties.
10. Recommendations for Action
Companies should not wait until a crisis to take action in the context of internal investigations but should proactively and transparently provide policies in advance. The following is recommended in particular:
a. Introduction and/or regular updating of an internal IT and email policy.
b. Clear regulation of private use of work communication tools.
c. Transparent access reservations for compliance and investigation cases.
d. Works agreement for co-determination-required technical systems.
e. Regulation and documentation of investigation and approval processes.
f. Involvement of the Data Protection Officer, Legal, Compliance, HR, and IT.
g. Logging of the respective measures and the balancing of interests.
h. Clear deletion and retention concepts.
i. Data protection-compliant preparation of evidence for court proceedings.
11. Conclusion
The CJEU clarifies: The GDPR does not establish an automatic prohibition on the use of evidence for personal data that may have been obtained in violation of the GDPR.
Nevertheless, the data protection permissibility of internal investigations must continue to be reviewed. Employers should therefore establish the legal foundations for access to employee data at an early stage. Decisive factors are clear regulations and concepts, as well as, in the case of an investigation, the documentation of grounds for suspicion and the measures taken to safeguard the rights of affected employees.