article by Ambrozie | Legal & Strategic Counsel
The Facts
The facts are the kind of situation a properly run internal investigation should avoid. An employer, suspecting that a former employee had sold company goods on an online platform, accessed her private account using a username and password that another employee had obtained from a computer’s browsing history and from a family password file. On the basis of the information gathered this way, the company sued for damages.
The referring court, without finally deciding whether the initial collection of data was unlawful, proceeded on the assumption that it might have been, and asked the CJEU whether and under what conditions the data could still be used in the proceedings.
What the Court decided
The judgment rests on three main points.
First, civil proceedings are not a data-protection-free zone. The fact that personal data end up in a court file does not automatically remove them from the scope of Regulation (EU) 2016/679. When a court places documents containing personal data on the case file, or consults, stores and uses such data, it is carrying out “processing” under Article 4(2) of the regulation - judicial activity as such isn’t among the exceptions in Article 2(2) and (3).
Second, and this is the heart of the ruling: the GDPR sets no general, automatic rule excluding evidence obtained through a prior processing operation that may have been unlawful. Admissibility and assessment of evidence remain, at this stage of EU law, matters governed primarily by national procedural law. A court may therefore use personal data that were previously processed unlawfully or questionably, not because the regulation validates that earlier processing, but because it doesn’t itself impose an absolute prohibition on judicial use of the data, provided national procedural law, the legal basis for the court’s own processing, and the principle of data minimisation are respected.
The Court also clarified that the legal basis for the court’s own processing is, in principle, Article 6(1)(c) - the court’s legal obligation to adjudicate the case - while the “legal basis” required under Article 6(3) can also come from national case law, as long as that case law is sufficiently clear, specific and foreseeable. At the same time, judicial use of the data must be limited to what is necessary to resolve the dispute, and where the data are disclosed to the parties or third parties, the court must reduce the interference through appropriate measures, including anonymisation or pseudonymisation where possible.
Third - the point that matters most for companies - the judgment concerns the court’s subsequent use of the data, not the employer’s initial collection of it. Accessing a private account, reading personal correspondence, using an employee’s passwords, or pulling data from digital spaces that don’t belong to the employer remain subject to a separate assessment, and can still trigger action by the supervisory authority, damages under Article 82, employment-law consequences and, depending on the circumstances, criminal liability.
Potential objections
One could argue the ruling, in practice, encourages aggressive evidence-gathering: if evidence is not automatically excluded and courts can still use it, employers have an incentive to take the risk of breaching data protection rules. The objection is fair, but it conflates two separate questions: whether evidence can be used in civil proceedings, and whether the party that obtained it is liable for how it did so.
The fact that a court may use the evidence doesn’t erase the liability of the party that obtained it unlawfully; and in some cases makes that liability more visible, since the court file itself documents how the data were collected, who accessed them, why, and why proportionality, transparency or information obligations weren’t respected. A company might win its damages claim against a former employee while simultaneously facing scrutiny from the data protection authority, a separate claim or counterclaim from the data subject, or, in more serious cases, questions from criminal authorities about how the account or private communications were accessed.
The judgment doesn’t tell companies evidence can be obtained by any means. It says only that EU law doesn’t require a civil court to automatically disregard evidence simply because the data were previously processed unlawfully or questionably by one of the parties.
What it means for companies running internal investigations
The ruling requires an important clarification: it concerns civil and employment proceedings, not the evidentiary rules that apply in criminal cases. In many jurisdictions, including Romania, criminal procedure law bars evidence obtained unlawfully from being used in criminal proceedings at all, a distinction that becomes critical whenever an internal investigation could feed into a criminal complaint.
That doesn’t mean every technical breach of the GDPR will automatically get evidence thrown out of a criminal case - criminal procedure has its own standards, remedies and case law. But the stakes rise sharply where evidence is obtained by infringing fundamental rights: unauthorised access to accounts or information systems, reading private communications, using passwords that don’t belong to the employer, or conduct that could itself amount to a criminal offence. In those cases, the internal investigation no longer creates just administrative or civil exposure; it can compromise the later use of the material in a criminal case altogether.
The conclusions for companies: design the investigation before accessing the data, don’t justify it afterward; establish the legal basis for processing up front - typically legitimate interest, backed by a documented proportionality assessment; keep the scope strictly to professional devices, applications and accounts; rule out access to private accounts and personal communications, however tempting the evidence sitting there might look; and document the necessity of each investigative step in real time, rather than reconstructing it after a dispute has already arisen.
Where the suspicion involves fraud, misappropriation of assets, breach of fiduciary duty or other conduct with potential criminal relevance, the bar needs to be even higher: chain of custody, data segregation, prior legal review, access limited to the team with a genuine need to know, and a clear ban on anything that could be characterised as unauthorised access to an information system or interference with private communications. A well-run internal investigation is not just about finding relevant evidence quickly; it is about preserving the ability to use that evidence later.
NTH Haustechnik does not turn unlawfully obtained evidence into an acceptable strategy. It confirms a less comfortable lesson for employers: evidence can survive in civil litigation while the way it was obtained opens up a separate front of liability.
Contact: Ambrozie.com