By Adela Nuță
At the intersection of employment law and data protection, the judgment of the Court of Justice of the European Union of 18 June 2026 in Case C‑484/24, NTH Haustechnik, clarifies a question that arises ever more frequently in practice: may a court rely on evidence where the data it contains were, in all likelihood, obtained unlawfully by the party producing it?
The Court rejects both of the easy answers. It does not accept that evidence is "cleansed" simply by being placed on the case file, and it recognises that the unlawfulness of the initial collection remains a relevant consideration. Yet it equally rejects the opposite proposition that any breach of data protection rules should automatically render the evidence inadmissible.
The answer lies in between. The relevant question is no longer whether the party acted properly when gathering the data, but whether the court itself has a lawful basis when it receives and uses them, and whether it observes the limits imposed by the GDPR in doing so.
Background of the case
The case originated in an employment dispute between a German company and a former employee who was also the wife of the company's managing director. After the employment relationship had ended, the former employee continued for a time to have access to the company's premises and IT equipment. The employer subsequently claimed to have discovered that she had sold, through her private eBay account, goods belonging to the company, and sought compensation for the loss allegedly caused.
The former employee disputed those allegations, maintaining that the goods in question were, for the most part, returned, defective or obsolete items that had been transferred to her without consideration.
In this context, the crux of the dispute lay not solely in the existence or extent of the harm, but rather in the manner in which the company had obtained the information concerning the activity carried out through the former employee's private eBay account. The origin of the access credentials used to consult that account remained contested throughout the proceedings, and the national court did not rule out the possibility that they had been obtained in breach of the applicable rules on data protection and respect for private life. Against this background, the question arose whether information so obtained may be used as evidence in civil proceedings and, in particular, what obligations Regulation (EU) 2016/679 ("the GDPR") imposes on a court when it processes such data in the exercise of its judicial functions.
What did the Court hold?
1. The initial collection of the data and their use in judicial proceedings are distinct processing operations. For the purposes of the GDPR, a court processes personal data whenever it receives, records, stores, consults or uses information contained in a case file, whether held in physical or electronic form. It follows that any unlawfulness in the way one of the parties initially obtained the data does not automatically carry over to the subsequent processing carried out by the court. The judge's assessment of the admissibility and relevance of the evidence is an autonomous operation, separate from the initial collection of the information, and must be evaluated in light of the conditions and safeguards applicable to judicial activity.
2. A court may process the data because the law requires it to examine the evidence submitted by the parties. The Court held that the judicial task of assessing evidence constitutes, in itself, a valid legal basis for the processing of personal data. In other words, the judge is under a duty to verify the admissibility of the evidence and, where it is admissible, to take it into account in resolving the dispute. The Court further emphasised that this obligation need not derive from a detailed legislative provision; it is enough that it flows from a clear and foreseeable legal or case‑law framework.
3. The "defence of a legal claim" is not, in itself, a self‑standing basis for processing. One of the significant clarifications offered by the Court concerns a confusion frequently encountered in practice. The fact that the GDPR permits the retention of data where they are necessary for the establishment, exercise or defence of a legal claim does not mean that this circumstance justifies, of itself, any processing of those data. The Court explained that this provision operates solely as an exception to the right to erasure, allowing data to be retained in a litigation context, without thereby creating a basis for processing additional to those expressly laid down by the GDPR.
4. A breach of the GDPR does not automatically render the evidence inadmissible. The mere fact that certain data were obtained in breach of the rules on data protection or privacy does not, of itself, make them inadmissible in the proceedings. Likewise, a failure to comply with the duty to inform under the GDPR does not automatically lead to the exclusion of the evidence from the material before the court.
5. The activity of the courts remains subject to the principle of data minimisation. Even when examining evidence relevant to the resolution of the dispute, a court must confine its processing to the data that are strictly necessary and reduce, so far as possible, their exposure through measures such as anonymisation or pseudonymisation. The same obligation subsists where the documents contain data relating to third parties.
Why does it matter?
The judgment is particularly relevant in practice because it addresses a situation frequently encountered in litigation, and especially in the field of employment relationships: the use in court of emails, screenshots, electronic conversations or information drawn from private accounts, the lawfulness of whose acquisition is disputed. The Court's message is clear: data protection and the right to a fair trial neither cancel each other out nor automatically prevail one over the other.
The fact that data were obtained in breach of data protection rules does not, of itself, lead to their exclusion from the proceedings. At the same time, the judgment grants no "amnesty" to the party that collected the data unlawfully, who may remain exposed to civil liability or to the administrative penalties provided for by the GDPR.
At its core, NTH Haustechnik confirms that the focus of the analysis must shift from the conduct of the person who obtained the data to the obligations of the court that processes those data in the context of judicial proceedings. The judgment therefore reaffirms the autonomy of judicial processing and the responsibility of courts to ensure an appropriate balance between the protection of personal data and the proper administration of justice.