IP case law Court of Justice

CJEU, 18 Jun 2026, C-484/24 (NTH Haustechnik)

Personal Data Protection > General Data Protection Regulation (GDPR) > Article 6 - Lawfulness of processing > c) compliance with a legal obligation
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 17 - Right to erasure (‘right to be forgotten’)
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 5 - Principles relating to processing of personal data > c) data minimisation
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 5 - Principles relating to processing of personal data > c) data minimisation
Personal Data Protection > Charter of Fundamental Rights
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 13 - Information to be provided where personal data are collected from the data subject
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 5 - Principles relating to processing of personal data > a) lawfulness, fairness and transparency

Provisional text

JUDGMENT OF THE COURT (Fifth Chamber)

18 June 2026 (*)

( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 5(1)(e) – Storage limitation – Point (e) of the first subparagraph of Article 6 – Lawfulness of processing such data relating to a contract of employment in judicial proceedings – Article 17(3)(e) – No obligation to erase such data where processing is necessary for the establishment, exercise or defence of legal claims – Data collected by the employer with a view to proving a serious failure by the employee to comply with his or her obligations – Use of evidence obtained unlawfully )

In Case C-484/24,

REQUEST for a preliminary ruling under Article 267 TFEU from the Landesarbeitsgericht Niedersachsen (Higher Labour Court, Lower Saxony, Germany), made by decision of 8 May 2024, received at the Court on 10 July 2024, in the proceedings

NTH Haustechnik GmbH

v

EM,

THE COURT (Fifth Chamber),

composed of M.L. Arastey Sahún, President of the Chamber, J. Passer, E. Regan (Rapporteur), D. Gratsias and B. Smulders, Judges,

Advocate General: D. Spielmann,

Registrar: G. Chiapponi, Administrator,

having regard to the written procedure and further to the hearing on 2 July 2025,

after considering the observations submitted on behalf of:

–        the German Government, by J. Möller and P.-L. Krüger, acting as Agents,

–        the Hungarian Government, by M.Z. Fehér, K. Szíjjártó and Zs. Biró-Tóth, acting as Agents,

–        the Finnish Government, by A. Laine and H. Leppo, acting as Agents,

–        the European Commission, by A. Bouchagiar, F. Erlbacher and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 16 October 2025,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Articles 5, 6, 9, 13 and 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

2        The request has been made in proceedings between NTH Haustechnik GmbH (‘NTH’) and its former employee EM concerning compensation for the harm which that company allegedly suffered on account of the unauthorised sale online of property belonging to that company.

 Legal context

 European Union law

3        Recitals 1, 2, 4, 7, 10, 20, 39 and 41 of the GDPR provide:

‘(1)      The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the “Charter”) and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

(2)      The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

(4)      The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

(7)      Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)], Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

(20)      While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

(39)      Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. …

(41)      Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union and the European Court of Human Rights.’

4        Article 1 of the GDPR, entitled ‘Subject matter and objectives’, provides:

‘1.      This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2.      This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3.      The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.’

5        Article 2 of the GDPR, headed ‘Material scope’, provides in paragraphs 1 and 2:

‘1.      This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.      This Regulation does not apply to the processing of personal data:

(a)      in the course of an activity which falls outside the scope of Union law;

(b)      by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the [EU Treaty];

(c)      by a natural person in the course of a purely personal or household activity;

(d)      by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

6        Article 4 of the GDPR, entitled ‘Definitions’, provides:

‘For the purposes of this Regulation:

(2)      ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(6)      ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

…’

7        Chapter II of the GDPR, entitled ‘Principles’, comprises Articles 5 to 11 thereof.

8        Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides, in paragraph 1 thereof:

‘1.      Personal data shall be:

(a)      processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b)      collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

(c)      adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(e)      kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

…’

9        Article 6 of the GDPR, entitled ‘Lawfulness of processing’, provides:

‘1.      Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b)      processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)      processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)      processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)      processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)      processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2.      Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3.      The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a)      Union law; or

(b)      Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4.      Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a)      any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b)      the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c)      the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d)      the possible consequences of the intended further processing for data subjects;

(e)      the existence of appropriate safeguards, which may include encryption or pseudonymisation.’

10      Article 9 of the GDPR, entitled ‘Processing of special categories of personal data’, provides:

‘1.      Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

2.      Paragraph 1 shall not apply if one of the following applies:

(f)      processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

3.      Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4.      Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.’

11      Chapter III of the GDPR, entitled ‘Rights of the data subject’, contains Articles 12 to 23 thereof.

12      Article 13 of the GDPR, headed ‘Information to be provided where personal data are collected from the data subject’, provides:

‘1.      Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a)      the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b)      the contact details of the data protection officer, where applicable;

(c)      the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d)      where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e)      the recipients or categories of recipients of the personal data, if any;

(f)      where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2.      In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a)      the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b)      the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c)      where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d)      the right to lodge a complaint with a supervisory authority;

(e)      whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f)      the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3.      Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4.      Paragraphs 1, 2 and 3 shall not apply where and in so far as the data subject already has the information.’

13      Article 17 of the GDPR, entitled ‘Right to erasure (“right to be forgotten”)’, provides:

‘1.      The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(b)      the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(d)      the personal data have been unlawfully processed;

3.      Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(e)      for the establishment, exercise or defence of legal claims.’

14      Article 23 of the GDPR, entitled ‘Restrictions’, provides:

‘1.      Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(e)      other important objectives of general public interest of the Union or of a Member State …

(f)      the protection of judicial independence and judicial proceedings;

(i)      the protection of the data subject or the rights and freedoms of others;

(j)      the enforcement of civil law claims.

2.      In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a)      the purposes of the processing or categories of processing;

(b)      the categories of personal data;

(c)      the scope of the restrictions introduced;

(d)      the safeguards to prevent abuse or unlawful access or transfer;

(e)      the specification of the controller or categories of controllers;

(f)      the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g)      the risks to the rights and freedoms of data subjects; and

(h)      the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.’

 German law

 The Basic Law of the Federal Republic of Germany

15      Paragraph 92 of the Grundgesetz für die Bundesrepublik Deutschland (Basic Law of the Federal Republic of Germany) of 23 May 1949 (BGBl. 1949 I, p. 1) states:

‘The judicial power shall be vested in the judges; it shall be exercised by the Federal Constitutional Court, by the federal courts provided for in this Basic Law, and by the courts of the Länder.’

 Code of Civil Procedure

16      Paragraph 138 of the Zivilprozessordnung (Code of Civil Procedure), in the version applicable to the dispute in the main proceedings, entitled ‘Obligation to make declarations as to facts; obligation to tell the truth’, provides:

‘(1)      The parties shall make their declarations as to the facts and circumstances fully and completely and are obliged to tell the truth.

(2)      Each party shall react in substance to the facts alleged by the opponent.

(3)      Facts that are not expressly disputed shall be deemed as having been agreed unless the intention to dispute them is evident from the other declarations made by a party.

(4)      A party may declare its lack of knowledge only where this concerns facts that were neither actions taken by the party itself, nor have been perceived by the party.’

17      Paragraph 286 of the Code of Civil Procedure, which is entitled ‘Unfettered evaluation of evidence’, provides:

‘(1)      The court shall decide, according to its discretion and opinion, and taking account of the entire content of the hearings and the results obtained by evidence being taken, if any, whether an allegation as to fact is to be deemed true or untrue. The judgment shall state the reasons informing the court’s opinion.

(2)      The court shall be bound by statutory rules of evidence only in the situations covered by the present Code.’

18      Paragraph 355 of that code, entitled ‘Evidence to be taken directly’, is worded as follows:

‘(1)      Evidence shall be taken before the court hearing the case. Only in the situations determined in the present Code shall the taking of evidence be entrusted to a member of the court hearing the case or to another court.

(2)      The decision ordering one or the other manner of taking evidence is not subject to appeal.’

 The Federal Law on data protection

19      Paragraph 3 of the Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 (BGBl. 2017 I, p. 2097), in the version applicable to the dispute in the main proceedings, entitled ‘Processing of personal data by public bodies’, provides:

‘Public bodies shall be permitted to process personal data if such processing is necessary to perform the task for which the controller is responsible or to exercise official authority which has been vested in the controller.

…’

20      Paragraph 26 of the Federal Law on data protection, in the version applicable to the dispute in the main proceedings, entitled ‘Processing of personal data for the purposes of the employment relationship’, provides:

‘(1)      Employees’ personal data may be processed for the purposes of an employment relationship where this is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation or termination or for the exercise or discharge of the rights and obligations arising from the representation of employees’ interests and laid down by law or a collective bargaining agreement or a private or public-sector works agreement concluded with the employer (collective agreement). In order to detect criminal offences, the personal data of employees may be processed provided that there is a suspicion based on concrete indications, which must be established, that the data subject has committed an offence in the employment relationship, that the processing is necessary for the detection of the offence and that the legitimate interest of the employee or employees in excluding the processing does not prevail, and, in particular, that the nature and extent of the processing is not disproportionate to the reasons for the processing.

(2)      Where the personal data of employees is processed on the basis of consent, account must be taken, in particular, of the dependency of the employee in the employment relationship and the circumstances in which that consent was given when assessing whether the consent was given freely. The free nature of consent may be established, in particular, if there is a legal or economic advantage for the employee, or if the employer and the employee have convergent interests. Consent must be made in writing or by electronic means, unless another form is required because of special circumstances. The employer is required to inform the employee in writing of the purpose of the data processing operation and of his or her right to withdraw consent, as provided for in Article 7(3) of the [GDPR].

(5)      The controller must take appropriate measures to ensure that, in particular, the principles for the processing of personal data set out in Article 5 [of the GDPR] are complied with.

(6)      The participation rights of organisations representing employees remain unchanged.

(7)      Subparagraphs 1 to 6 shall also apply where personal data, including special categories of personal data, of employees are processed without that data being contained or being intended to be contained in a filing system.

(8)      The following are ‘employees’ for the purposes of the present law:

1.      workers, including temporary agency workers in the relationship with the user;

…’

 The dispute in the main proceedings and the questions referred for a preliminary ruling

21      NTH, a heating and air-conditioning undertaking, employed EM who was married to NTH’s managing-director.

22      On 31 October 2019, the employment relationship between NTH and EM came to an end. Subsequently, until her separation from NTH’s managing-director on 26 June 2022, EM continued to have access to NTH’s premises and to use the computers located there.

23      Immediately after that separation, acting, in essence, via its employee F., who is the son of NTH’s managing-director and EM, NTH established that EM had sold, via the eBay online sales platform, for her own benefit goods which NTH claims it owned, for an overall sales value of EUR 13 217.09. Having regard to the purchase price of those goods and the amount of the administrative costs caused by the need to replace them, the total harm thereby suffered by NTH amounts to EUR 46 567.91.

24      EM denies having sold those goods without NTH’s knowledge. In EM’s view, those goods were mainly goods returned by customers as defective or outdated goods. NTH could not use them and they therefore no longer had any value for NTH. NTH gave them free of charge to EM, who sold them to cover the costs of being in a household with NTH’s managing-director.

25      The Landesarbeitsgericht Niedersachsen (Higher Labour Court, Lower Saxony, Germany), which is the referring court, states that NTH was aware of the sales EM made by accessing her private account on the eBay online sales platform. That access was achieved by employee F. using EM’s user ID and password on that sales platform.

26      As regards how that employee knew that user ID and that password, NTH[’s managing director states that employee F. obtained information on EM’s use of that platform by reviewing the browsing history of the computer belonging to him, which EM used, and that he obtained that password by consulting a ‘family file’ created on its server. EM, for her part, states that she did not store that password on NTH’s data storage devices. However, EM maintains that NTH’s managing-director reported the mobile telephone she was using and which was registered in the name of NTH as having been lost, in order to request a new SIM card (Subscriber Identity Module) from the relevant telephone operator, which enabled [him] to use the telephone number associated with that telephone to change, on the eBay platform, the password of her private account and to gain access to it.

27      The referring court does not rule out the possibility that the data collection undertaken by NTH in order to become aware of the sales made by EM on the eBay online sales platform was unlawful.

28      In any event, that court states that it is inclined towards the view that the data collected by NTH constitutes processing of personal data, for the purposes of the GDPR.

29      However, according to the referring court, the case-law of the Court of Justice does not make it possible to determine clearly, first of all, whether the rules of German procedural law are sufficiently precise to comply with the requirements of the GDPR, in particular as regards the criteria to be applied in order to determine when the use of such data is prohibited, next, whether the German courts may rely on Article 17(3)(e) of the GDPR when acting in their judicial capacity to process such data and, lastly, which criteria apply when a detailed assessment must be made of whether the processing of data undertaken in the exercise of that function is authorised, in particular where, as in the present case, a party may have collected data unlawfully.

30      In particular, the referring court notes, in the first place, that, under the first subparagraph of Article 6(3) of the GDPR, the basis for the processing referred to in points (c) and (e) of the first subparagraph of Article 6(1) of the GDPR is, in the absence of provisions of EU law, laid down by Member State law to which the controller is subject and which must, in accordance with that court’s reading of the second subparagraph of Article 6(3), determine the purposes of that processing. In addition, according to that court, it is apparent from the case-law of the Court resulting from the judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes) (C-175/20, EU:C:2022:124, paragraph 83), that, in order to satisfy the requirement of proportionality of which Article 5(1)(c) of the GDPR constitutes a specific expression, the legislation which provides the basis for such processing must lay down clear and precise rules governing the scope as well as the application of the measure in question and, in particular, must indicate in what circumstances and under which conditions a measure providing for such processing may be adopted.

31      The referring court therefore asks whether the second subparagraph of Article 6(3) of the GDPR must be interpreted as meaning that, where a court acting in its judicial capacity adopts a measure involving an interference with the fundamental rights of a party and undertakes the related processing of data, it is sufficient that that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, or whether it is necessary, having regard, in particular, to Article 8(2) of the Charter, to require that the legal basis for that processing include details of the circumstances and conditions under which the data produced by the parties may be used by that court.

32      In the event that the Court concludes that judicial acts of data processing which involve infringements of fundamental rights must be based on legal provisions containing such clarification, the referring court asks whether national rules, such as those at issue in the main proceedings, satisfy the requirements set out in the GDPR. Those rules contain no indication as to the conditions which must be satisfied or the criteria which must be balanced in order to determine whether a court is permitted to take account of facts relied on by a party or to take evidence offered in support by that party. In particular, the referring court has doubts regarding the relevance of there being no provision dealing with the situation where the party concerned has unlawfully obtained the personal data on which is it basing its claim or in situations where it relies on evidence obtained via unlawful use of personal data. It also has doubts regarding the relevance of the fact that the rules governing the use of such data under German law are derived exclusively from case-law.

33      In the second place, the referring court notes that, in its case-law, the Bundesarbeitsgericht (Federal Labour Court, Germany) has stated that it is clear from Article 17 of the GDPR that it can be envisaged that a court processes personal data, even if the collection of such data by a party which occurred before litigation or outside judicial proceedings proves to be unlawful under the GDPR or the national data protection law concerned and that, therefore, there is no need to make a request for a preliminary ruling to the Court of Justice.

34      However, the Bundesarbeitsgericht also notes that while Article 17(3)(e) of the GDPR lays down an exception to the right to erasure of data which has been processed unlawfully, to the extent that processing is ‘necessary’ for the establishment, exercise or defence of legal claims, that provision concerns only that right to erasure.

35      In any event, the referring court takes the view that it is necessary to raise the question of whether Article 6(1)(e) or Article 9(2)(f) of the GDPR constitute the basis for the processing of personal data undertaken by the national courts when acting in their judicial capacity or whether national courts may also rely on Article 17(3)(e) of the GDPR.

36      If the Court concludes that Article 17(3)(e) of the GDPR may constitute such a basis for processing undertaken by national courts acting in their judicial capacity, the referring court is unsure how that provision ought to be applied and whether that provision involves a prohibition on using the data, for example, where the initial data collection was not concealed and was used to determine that an obligation had been infringed intentionally.

37      In the third place, the referring court has doubts regarding the substantive criteria which must govern data processing undertaken in a judicial capacity.

38      In particular, that court is unsure, first, whether, for data obtained unlawfully, but where the authenticity and material accuracy of such data are not disputed as such, national courts must examine proportionality and conduct a detailed balancing of the interests involved. The referring court is also unsure whether national courts must assess whether a distinction must be made between such a situation and the situation in which the other party challenges both how the data concerned was obtained, regarding it as unlawful, and the authenticity and/or factual accuracy of such data.

39      Second, the referring court points out that EM had not used NTH’s computer system for a long time when, for the purposes of the main proceedings, she extracted some of the data stored there. In addition, that court notes that Article 5(1)(e) of the GDPR provides, in essence, that personal data may be stored only for no longer than is necessary for the purposes for which such data are processed. The referring court is therefore uncertain of the conclusions, for the application of that provision, to be drawn from the fact that those data had been collected much earlier, or had possibly even been stored for a long period, and, lastly, from the fact that there were contractual erasure obligations which were not complied with.

40      Third, the referring court has doubts regarding whether it is sufficient for a party to rely on a general interest in putting evidence before the court or whether EU law does not require other aspects to be taken into consideration, from which it follows that the interest in obtaining evidence deserves protection despite an infringement of the other party’s right having occurred.

41      Fourth, that court is unsure regarding whether it is possible for the applicant employer to rely, in a situation such as that at issue in the main proceedings, on Article 47(2) of the Charter, in order to justify its collection and processing of the personal data, and to rely on the consequences to be drawn from the fact that that employer may not have complied with its obligations to provide information under Article 13 of the GDPR.

42      Fifth, the referring court notes that, in paragraph 55 of the judgment of 2 March 2023, Norra Stockholm Bygg (C-268/21, EU:C:2023:145), the Court of Justice held that, in order to take account of Article 5(1) of the GDPR, and in particular the principle of ‘data minimisation’ found in point (c) of that provision, the national court is required to determine whether the disclosure of personal data is appropriate and relevant in order to safeguard the objective pursued by the applicable provisions of national law and whether that objective cannot be achieved by recourse to less intrusive means of proof in respect of the protection of the personal data of a large number of third parties such as, for example, the hearing of selected witnesses. It therefore asks whether that solution can be transposed to the present case, since, for example, the data of buyers on the eBay online sales platform could be concerned.

43      In those circumstances, the Landesarbeitsgericht Niedersachsen (Higher Labour Court, Lower Saxony) decided to stay the proceedings before it and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Do the provisions of [Paragraph] 92 of the Grundgesetz [of the Federal Republic of Germany, Paragraphs] 138, 286, 355 et seq. of the [Code of Civil Procedure in the version applicable to the case in the main proceedings] in the case of an independent judicial processing activity falling under [point (e) of the first subparagraph of Article 6(1) and Article 6](3) of the GDPR fulfil the requirement of certainty arising from Article 8(2), Article 52(1) of the [Charter] and Article 5(1)(c) of the GDPR if the judicial processing activity involves interference with fundamental rights for a party or a third party?

(2)      (a)      When processing data – in particular personal data – can a national court rely on the fact that such processing is authorised under Article 17(3)(e) of the GDPR, or do Articles 6 and 9 of the GDPR constitute the exclusive basis for judicial processing activities?

(b)      If Article 17(3)(e) of the GDPR can in principle form a legal basis for judicial processing activities:

(aa)      Does this also apply to cases in which the original collection of those data by a litigant or a third party was not lawful?

(bb)      Does the processing of originally unlawfully collected data under the generally applicable principle of good faith (Article 5(1)(a) of the GDPR) lead to a restriction of judicial processing under secondary law in the sense that Article 17(3)(e) of the GDPR is only applicable under certain conditions or within certain limits?

(cc)      Is the provision in Article 17(3)(e) of the GDPR to be understood in such a way that a prohibition on the judicial utilisation of originally unlawfully obtained data is always excluded – i.e. the court must always utilise those data – if the original data collection was not covert and was used to prove an intentional breach of duty?

(3)      Irrespective of whether the judicial data processing activity is subject to Article 17(3)(e) of the GDPR or [points (c) or (e) of the first subparagraph of Article 6(1), Article 6(3) and] Article 9 of the GDPR or other provisions of EU law:

(a)      do the principles of necessity and data minimisation under data protection law pursuant to [the second sentence of Article 52(1)] of the [Charter], Article 5(1)(a) of the GDPR, in particular with regard to the processing of originally unlawfully collected or stored data, give rise to the need for a comprehensive proportionality test and balancing by the courts?

(b)      What impact does Article 5(1)(e) of the GDPR, which stipulates that personal data may be kept for no longer than is necessary for the purposes for which such data are processed, have on subsequent judicial data processing activities, in particular in cases where

–        the original data collection served other purposes, or

–        the original unlawful data collection took place a long time ago, or

–        unlawful storage has been maintained for longer periods of time, or

–        the unlawful data collection concerns data that were stored a long time ago – possibly unlawfully, or

–        the data processing or collecting body or person has undertaken, either unilaterally or under individual contract or collective law, to erase the data within a certain period of time, but has not done so?

(c)      Does it follow from EU law, in particular from Article 8 of the [Charter or points (c) or (e) of the first subparagraph of Article 6(1), Article 6(3) and] Article 9 of the GDPR, that the national court can utilise evidence that was obtained in violation of personal rights only if there is a recognisable interest of the party bearing the burden of proof that goes beyond the simple interest in evidence, or do no requirements follow from EU law in this respect, such that it is up to the national legal system to make provisions in that regard?

(d)      Does it follow from Article 47(2) of the [Charter], which guarantees the right to effective judicial protection, and in particular to a fair trial, according to which the parties to civil proceedings must in principle be able sufficiently to substantiate and prove their legal protective objective, that the judicial processing of personal data of the applicant employee unlawfully collected by the employer can only be inappropriate and disproportionate in the narrower sense if the data collection under EU law would prove to be a serious infringement of Article 7 and Article 8 of the [Charter] and other possible sanctions for the employer (e.g. compensation for damages under Article 82 of the GDPR and the imposition of fines under Article 83 of the GDPR) would be completely inadequate, or can inappropriateness and disproportionality be established even in the case of other less serious breaches of data protection law during the original data collection?

(e)      When deciding whether to utilise the data originally collected from a party or a third party as part of its judicial data processing activities, does the court have to take into account whether the data collector has complied with its information obligations under Article 13 of the GDPR? If so, Under what conditions and according to what standards must the court take this into account?

(f)      Does the fact that the Court is bound by the GDPR and the [Charter] when processing personal data also include the personal data of third parties? In what way does a possible breach of data protection law in the original data collection have an effect on any subsequent judicial data processing in a dispute between two parties? Can a party rely on an offence committed not against it but against third parties, or is that not the case?’

 Consideration of the questions referred

 Admissibility

44      As a preliminary point, it should be recalled that, while, in accordance with settled case-law, questions on the interpretation of EU law referred by a national court in the factual and legislative context which that court is responsible for defining, and the accuracy of which is not a matter for the Court to determine, enjoy a presumption of relevance, such questions are, however, inadmissible if it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main action or its purpose, if the problem is hypothetical, or if the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (see judgment of 18 June 2024, Bundesrepublik Deutschland (Effect of a decision granting refugee status), (C-753/22, EU:C:2024:524, paragraph 44 and the case-law cited).

45      In the present case, it should be noted that, in its questions, the referring court makes a number of references to Article 9 of the GDPR, which concerns certain special categories of personal data, namely those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic and biometric data, provided that those data are processed for the purpose of uniquely identifying a natural person or data concerning health or data concerning a natural person’s sex life or sexual orientation.

46      As it is apparent from the file before the Court that the dispute in the main proceedings does not concern such data, the questions referred for a preliminary ruling by the referring court must be regarded as inadmissible in so far as they concern the interpretation of Article 9 of the GDPR.

 The first question

47      As a preliminary point, it must be stated that the question referred is based on the premiss that the processing of personal data undertaken by a court when acting in its judicial capacity may take as its basis only point (e) of the first subparagraph of Article 6(1) of the GDPR, which refers to the processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

48      First, it must be stated that, in certain situations, a number of alternative lawfulness conditions may apply to the same processing.

49      Second, while some processing of personal data undertaken by a court may be regarded as necessary for the performance of such a task carried out in the public interest or as being within the exercise of such official authority, the processing of personal data which a court is liable to undertake, as in the case at issue in the main proceedings, when evidence offered in support by the parties has the specific feature of being, in principle, necessary to comply with a legal obligation incumbent on that court, namely the obligation to rule on whether that evidence is admissible and, where that evidence has been declared admissible in the light of the criteria laid down for that purpose by national law, the obligation to take that evidence into account in order to provide its decision.

50      The Court therefore considers that, in order to provide a useful answer to the referring court, it is necessary to examine the various questions which have been referred to it in the present case in the light of point (c) of the first subparagraph of Article 6(1) of the GDPR, rather than in the light of point (e) of the first subparagraph of Article 6(1) of that regulation.

51      In those circumstances, it must be held that, by its first question, the referring court is, in essence, asking whether point (c) of the first subparagraph of Article 6(1) and Article 6(3) of the RPGD, read in the light of Article 8(2) and Article 52 of the Charter, must be interpreted as precluding national legislation which, as regards the use of personal data when a court examines the facts and takes evidence, merely prescribes that it is for the parties to submit detailed factual evidence which is truthful and requires that court to take such evidence fully into consideration, before, as the case may be, assessing that evidence, without providing any indication as to the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by that court.

52      In the first place, it must be recalled that it is true that, as EU law currently stands, it is for national law alone to determine the rules relating to the admissibility and assessment of the facts and evidence (see, to that effect, judgments of 6 October 2020, La Quadrature du Net and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, paragraph 223, and of 5 April 2022, Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258, paragraph 127).

53      However, as set out in Article 2(1), the GDPR applies to ‘the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system’ subject to certain situations set out in Article 2(2) and (3) of the GDPR. Given that processing undertaken by courts and other judicial authorities is not one of the situations envisaged by Article 2(2) and (3), the GDPR may therefore, as is confirmed moreover by recital 20 thereof, apply to processing undertaken by those courts and those authorities.

54      In that regard, Article 4(2) of the GDPR defines ‘processing’ as being any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

55      The use, in that article, of the expression ‘any operation’ implies that the EU legislature intended to confer a broad scope upon the concept of ‘processing’ (judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C-683/21, EU:C:2023:949, paragraph 50 and the case-law cited).

56      It is true that, in order for the processing of personal data to fall within the scope of the GDPR, it is also necessary, in accordance with Article 2(1) of that regulation, that that processing be wholly or partly by automated means or, where the processing is not automated, that the data concerned form part of a filing system or are intended to form part of a filing system.

57      First, the processing of personal data must be regarded as being automated, in whole or in part, for the purposes of that provision, where it involves the use of technical operations without any human intervention (see, to that effect and by analogy, judgment of 6 November 2003, Lindqvist, C-101/01, EU:C:2003:596, paragraph 26).

58      Second, point 6 of Article 4 of the GDPR defines a ‘filing system’ as any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

59      However, even if the admissibility of supporting evidence does not fall within the scope of the GDPR, a court must be regarded as undertaking processing of personal data, for the purposes of that regulation, in particular where it places documents containing personal data in a file, such as that in the proceedings at issue in the main proceedings, provided that file is a ‘filing system’ within the meaning of Article 2(1) and point 6 of Article 4 of the GDPR.

60      Similarly, where such documents are provided to a court in electronic form and that court consults, retrieves, stores or uses those data, it undertakes processing for the purposes of the GDPR.

61      In particular, given that each transmission of data to a controller distinct from the previous controller entails a corresponding act of collection by that controller (see, to that effect, judgment of 30 April 2024, La Quadrature du Net and Others (Personal data and action to combat counterfeiting), C-470/21, EU:C:2024:370, paragraph 62), a court must be regarded as undertaking such an act of collection when it gathers, on the basis of electronic documents which a party has transmitted to it, certain personal data found in those documents.

62      In the present case, it will be for the referring court to ascertain, in the light of the foregoing considerations, whether the processing of personal data at issue in the main proceedings may be regarded as falling within the scope of the GDPR, either because it concerns data which is to be accessible from the procedural file of that case under specific criteria, or because it is wholly or partly automated, which is in particular so where the evidence was transmitted in electronic form and that processing consisted of consulting, retrieving, storing or using personal data found in that evidence.

63      In the second place, it should be noted that the main objective pursued by the GDPR, as is set out in particular in Article 1 thereof, and in recitals 1, 2, 7 and 10 of that regulation, consists in ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, as enshrined in Article 8(1) of the Charter and Article 16(1) TFEU (see judgment of 4 October 2024, Koninklijke Nederlandse Lawn Tennisbond, C-621/22, EU:C:2024:858, paragraph 26 and the case-law cited).

64      In accordance with that objective, in order to be lawful, all processing of personal data falling within the scope of the GDPR must observe the principles set out in Chapter II of that regulation, and the rights of data subjects set out in Chapter III thereof (see, to that effect, judgment of 2 March 2023, Norra Stockholm Bygg, C-268/21, EU:C:2023:145, paragraph 43 and the case-law cited).

65      Under Article 6(1) of the GDPR, processing of personal data falling within the scope of that regulation is lawful only if and to the extent that it meets at least one of the alternative lawfulness conditions set out in that provision (see, to that effect, judgment of 5 June 2023, Commission v Poland (Independence and private life of judges), C-204/21, EU:C:2023:442, paragraph 335 and the case-law cited).

66      As regards processing based on the alternative lawfulness condition laid down in point (c) of the first subparagraph of Article 6(1) of the GDPR, the first subparagraph of Article 6(3) of the GDPR states that the basis for that processing must be laid down by EU law or by Member State law to which the controller of that processing is subject.

67      Therefore, the first subparagraph of Article 6(3) of the GDPR requires, since EU law does not govern the detailed rules for presenting facts and taking evidence before national courts, that the processing of personal data, carried out on the basis of that alternative condition, has a legal basis in national law (see, to that effect, judgment of 2 March 2023, Norra Stockholm Bygg, C-268/21, EU:C:2023:145, paragraph 32).

68      As regards the form and content of that legal basis, subject to the requirements relating to the situation referred to in the third sentence of Article 6(3) of the GDPR, that provision merely requires, as regards the processing referred to in point (c) of the first subparagraph of Article 6(1) of that regulation, that the purposes of such processing operations be determined in that legal basis, that that legal basis meet an objective of public interest and that it be proportionate to that objective.

69      However, it is not apparent from Article 6(3) of the GDPR or from any other provision of that regulation that the objective pursued by the legal basis in national law must be set out in that national law, it being understood that ‘objective’ means the general objectives pursued by the processing concerned and ‘purposes’ means the specific and real aims of that processing (see, to that effect judgment of 20 November 2025, Policejní prezidium (Storage of biometric and genetic data), C-57/23, EU:C:2025:905, paragraph 81).

70      It is true that, where the legislature of a Member State adopts a legal basis authorising processing on the basis of point (c) of the first subparagraph of Article 6(1) of the GDPR, that legislature is implementing EU law, so that, under Article 51 of the Charter, such legal basis must comply with the Charter.

71      As the referring court points out, the Court inferred from Article 8(2) of the Charter, which itself only reflects, by giving specific expression to, the requirement of Article 52 of the Charter that any limitation on the exercise of the fundamental rights recognised by the Charter must, in particular, be provided for by law (see, to that effect, judgment of 20 November 2025, Policejní prezidium (Storage of biometric and genetic data), C-57/23, EU:C:2025:905, paragraph 51), and that any legal basis which permits the interference with the right to the protection of personal data must itself define the scope of the limitation on the exercise of that right which it is liable to bring about (see, to that effect, judgment 6 October 2020, Privacy International, C-623/17, EU:C:2020:790, paragraph 65 and the case-law cited).

72      In addition, the Court has held, as regards the requirement laid down in Article 52 of the Charter, that any interference with the right to the protection of personal data must occur while also observing the principle of proportionality, which requires that any legislation giving rise to such an interference must set out clear and precise rules governing the scope and application of the measure in question and imposing minimum requirements, so that the persons whose personal data are being processed have sufficient guarantees that those data will be effectively protected against the risk of abuse, as well as against any unlawful access to or use of that data (see, to that effect, judgments of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C-175/20, EU:C:2022:124, paragraph 55 and the case-law cited, and of 16 November 2023, Roos and Others v Parliament, C-458/22 P, EU:C:2023:871, paragraph 69 and the case-law cited).

73      In particular, the legal basis for data processing must indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary (see, to that effect, judgment of 16 July 2020, Facebook Ireland and Schrems, C-311/18, EU:C:2020:559, paragraph 176 and the case-law cited).

74      However, the Court, referring to the settled case-law of the European Court of Human Rights, has also stated that the term ‘law’, used in Article 8(2) of the Charter, in the expression ‘laid down by law’, must be understood in its substantive sense and not its formal sense (see, to that effect, judgment of 16 November 2023, Roos and Others v Parliament, C-458/22 P, EU:C:2023:871, paragraph 61 and the case-law cited).

75      Moreover, according to that case-law of the European Court of Human Rights, that sense of the term ‘law’ in the expression ‘laid down by law’, referred to in Article 8(2) ECHR, implies that that term refers to the text in force, as interpreted by the competent courts (see, to that effect, ECtHR, 23 January 2025, H.W. v. France, CE:ECHR:2025:0123JUD001380521, § 65).

76      However, recital 41 expressly states that where that regulation refers to a legal basis or a legislative measure, that does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court and of the European Court of Human Rights.

77      Therefore, the requirement set out in Article 6(3) of the GDPR, to lay down a legal basis for any processing based on the alternative lawfulness conditions laid down in points (c) and (e) of the first subparagraph of Article 6(1) of that regulation must be understood as not necessarily meaning that there is a legislative act, since the concept of ‘Member State law to which the controller is subject’ may also cover national case-law, provided that that case-law is clear and precise and its application is foreseeable by the persons subject to it (see, to that effect, judgment of 12 September 2024, HTB Neunte Immobilien Portfolio and Ökorenta Neue Energien Ökostabil IV, C-17/22 and C-18/22, EU:C:2024:738, paragraphs 71 and 72).

78      In addition, given that the second subparagraph of Article 6(3) of the GDPR requires that the legal basis for the processing at issue meets an objective of public interest and that it is proportionate to the legitimate objective pursued, such case-law must also satisfy those conditions (see, to that effect, judgment of 12 September 2024, HTB Neunte Immobilien Portfolio and Ökorenta Neue Energien Ökostabil IV, C-17/22 and C-18/22, EU:C:2024:738, paragraph 73 and the case-law cited).

79      In the present case, it is apparent from the order for reference that the legislative provisions at issue in the main proceedings do not lay down conditions which must be satisfied in order for evidence or facts containing personal data which has been the subject of earlier unlawful processing to be regarded as admissible. Therefore, it will be for the referring court, in order to ensure that those provisions comply with the GDPR, to verify that they are the subject of clear, precise case-law, the application of which is foreseeable, and which (i) itself establishes the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by a court, (ii) meets an objective of public interest and (iii) is proportionate to that objective.

80      In the light of all the foregoing, the answer to the first question is that point (c) of the first subparagraph of Article 6(1) and Article 6(3) of the GDPR, read in the light of Article 8(2) and Article 52 of the Charter, must be interpreted as not precluding national legislation which, as regards the processing of personal data, undertaken in the context of a court examining the facts and taking evidence, merely prescribes that it is for the parties to submit detailed factual evidence which is truthful and requires that court to take such evidence fully into consideration, before, as the case may be, assessing that evidence, without providing any indication as to the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by that court, provided that (i) there is clear and precise national case-law, the application of which is foreseeable, and which itself establishes the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by a court, (ii) that case-law meets an objective of public interest and (iii) that case-law is proportionate to that objective.

 Question 2(a)

81      By part (a) of its second question, the referring court is, in essence, asking whether Article 17(3)(e) of the GDPR must be interpreted as meaning that it sets out an alternative lawfulness condition which the processing may satisfy in order to comply with Article 5(1)(a) of that regulation and which is distinct from any of the lawfulness conditions listed in the first subparagraph of Article 6(1) of the GDPR.

82      In that regard, it should be recalled that under Article 5(1)(a) of the GDPR any processing of personal data must in particular be lawful, which implies, as recalled in paragraph 64 of the present judgment, that that processing complies with all of the principles set out in Chapter II of the GDPR and observes the rights of data subjects listed in Chapter III thereof.

83      In relation to those principles, the first subparagraph of Article 6(1) of the GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as being lawful. Therefore, in order for it to be so regarded, in accordance with Article 5(1)(a) of the GDPR, processing must fall within one of the cases provided for in the first subparagraph of Article 6(1) of the GDPR (see, to that effect, judgment of 4 May 2023, Bundesrepublik Deutschland (Court electronic mailbox), C-60/22, EU:C:2023:373, paragraph 56 and the case-law cited).

84      It is true that, under Article 17(3)(e) of the GDPR, the right of data subjects to obtain from the controller the erasure of their data, in particular, as is apparent from Article 17(1)(d) of that regulation, where those data have been unlawfully processed, does not apply if that processing is necessary for the establishment, exercise or defence of legal claims.

85      However, the fact that Article 17(3)(e) of the GDPR introduces an exception to that right to erasure does not mean that that provision must be interpreted as formulating, as such, an alternative, autonomous, lawfulness condition on which the processing of personal data necessary for the establishment, exercise or defence of legal claims, could be based in order to comply with Article 5(1)(a) of the GDPR. Since the list of alternative lawfulness conditions set out in the first subparagraph of Article 6(1) of the GDPR is exhaustive and restrictive, as is apparent from paragraph 83 of the present judgment, the situation referred to in Article 17(3)(e) of that regulation cannot be regarded as being such an alternative lawfulness condition.

86      In the light of all the foregoing, the answer to part (a) of the second question is that Article 17(3)(e) of the GDPR must be interpreted as meaning that that provision does not formulate an alternative lawfulness condition which processing could satisfy in order to comply with Article 5(1)(a) of the GDPR and which is distinct from any of those listed in the first subparagraph of Article 6(1) of the GDPR.

 Question 2(b)

87      Having regard to the answer given to part (a) of the second question, there is therefore no need to answer part (b) of that second question.

 Question 3(a)

88      At the outset, it should be noted that the principle of ‘data minimisation’, to which exclusively part (a) of the third question relates, is set out not, as the referring court appears to consider, given the wording of that question, in Article 5(1)(a) of the GDPR, but in Article 5(1)(c) of that regulation.

89      In addition, it is apparent from the request for a preliminary ruling that, when it refers to an examination of the proportionality of the processing envisaged and an exhaustive ‘balancing’ of the interests involved, that court is questioning the need, under the second sentence of Article 52(1) of the Charter, to verify, for each processing of personal data undertaken, whether the data processed on that occasion are such as to enable the objective pursued by that processing to be achieved, and whether they are strictly necessary for achieving it, and whether the seriousness of the interference with fundamental rights entailed by taking such data into account in order to undertake the processing at issue is proportionate to the interest which the controller has in using those data to undertake that processing.

90      Therefore, it must be understood that, by part (a) of its third question, the referring court is, in essence, asking whether Article 5(1)(c) of the GDPR, read in conjunction with the second sentence of Article 52(1) of the Charter, must be interpreted as meaning that the principle of ‘data minimisation’ requires a court to ensure, for each processing of personal data it undertakes, that the principle of proportionality is observed, by ensuring that the data processed on that occasion are such as to enable the objective pursued by that processing to be achieved and are strictly necessary for achieving it, and that the seriousness of the interference with fundamental rights entailed by taking such data into account in order to undertake the processing at issue is proportionate to the interest which that court has in using those data to undertake that processing.

91      In that regard, first, as is apparent from the second sentence of Article 52(1) of the Charter, in order for limitations on the exercise of the fundamental rights guaranteed by the Charter to be made while observing the principle of proportionality, those limitations must be necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.

92      More specifically, derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary, it being understood that where there is a choice between several measures appropriate to meeting the legitimate objectives pursued, recourse must be had to the least onerous of those measures. In addition, an objective of general interest may not be pursued without having regard to the fact that it must be reconciled with the fundamental rights affected by the measure at issue, by properly balancing the objective of general interest against the rights concerned, in order to ensure that the disadvantages caused by that measure are not disproportionate to the aims pursued. Thus, the question whether a limitation on the rights guaranteed in Articles 7 and 8 of the Charter can be justified must be assessed by measuring the seriousness of the interference which such a limitation entails and by verifying that the importance of the objective of general interest pursued by that limitation is proportionate to that seriousness (judgment of 21 March 2024, Landeshauptstadt Wiesbaden, C-61/22, EU:C:2024:251, paragraph 83 and the case-law cited).

93      Accordingly, observance of the principle of proportionality requires that limitations on fundamental rights guaranteed by the Charter may be made only where, first, the measure at issue pursues one or more objectives of general interest recognised by the European Union and is actually such as to enable those objectives to be achieved, second, where the resulting interferences are limited to what is strictly necessary, in the sense that those objectives could not reasonably be achieved as effectively by other means less prejudicial to those fundamental rights of the data subjects, and, third, where those interferences are not disproportionate to those objectives, which implies, inter alia, a balancing of those objectives and the seriousness of those interferences (judgment of 21 March 2024, Landeshauptstadt Wiesbaden, C-61/22, EU:C:2024:251, paragraph 84 and the case-law cited).

94      Second, Article 5(1)(c) of the GDPR, by providing that personal data undergoing processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, makes the processing of personal data subject to observance of the principle of ‘data minimisation’ (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 104).

95      While that principle gives ‘expression’ to the principle of proportionality (see, to that effect, judgment of 9 January 2025, Mousse, C-394/23, EU:C:2025:2, paragraph 24 and the case-law cited), that does not mean that that provision, of itself, implements the principle of proportionality and, consequently, the three conditions referred to in paragraph 91 of the present judgment.

96      In that regard, it should be noted that the requirements laid down in Article 5(1)(c) of the GDPR, which are sufficient to justify that provision being regarded as giving expression to the principle of proportionality, are such as to ensure that the choice of using certain data rather than other data satisfies the first two conditions which follow from observing that principle.

97      First, it is apparent from the very meaning of the terms ‘adequate’ and ‘relevant’ that, where data satisfy those first two requirements, they are such as to achieve the purposes of the processing concerned and, a fortiori, of achieving the objective of that processing. Second, given that those data are limited to what is necessary in relation to the purposes for which they are processed, they are also limited in relation to the objective pursued more generally where it has been decided to use those data in order to undertake the processing at issue.

98      As regards the third condition referred to in paragraph 91 of the present judgment, it must be stated that satisfying one of the alternative lawfulness conditions referred to in the first subparagraph of Article 6(1) of the GDPR already, in principle, limits the processing of the data which may occur not only to processing which is necessary to achieve a legitimate objective, but also to processing with a legitimate interest which outweighs the seriousness of the interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter involved in such processing.

99      As regards processing falling within the scope of point (c) of the first subparagraph of Article 6(1) of the GDPR, that is to say processing necessary to comply with a legal obligation to which the controller is subject, the second subparagraph of Article 6(3) of that regulation thereby expressly provides that the EU law or Member State law which is the legal basis for such processing, and which therefore sets out the obligation with which the processing must comply, must meet an objective of public interest and be proportionate to the legitimate aim pursued.

100    In so doing, the latter provision expressly lays down the requirement that the legal obligation to which the controller is subject and which is the basis for the processing of personal data must result from a balancing, when that legal basis is adopted, between (i) the fundamental rights to respect for private life and to the protection of personal data enshrined in Articles 7 and 8 of the Charter, and (ii) the objectives legitimately pursued on that occasion by EU law or the law of the Member States (see, by analogy, judgment of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraph 124 and the case-law cited).

101    Since, in accordance with Article 5(1)(c) of the GDPR, only data which are adequate, relevant and limited to what is necessary in the light of the purposes pursued may be used to undertake processing, where that obligation is the result of such a balancing exercise, data which meet such requirements will necessarily be solely data for which the legitimate interest in processing outweighs the seriousness of the interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter involved in such processing.

102    For processing of personal data which a court must undertake when examining the evidence offered in support by the parties, given that such processing is necessary to comply with the right to a fair trial, it must be held that, in order to comply with the principle of ‘data minimisation’, that court must solely verify that the data it processes satisfy the conditions laid down in Article 5(1)(c) of the GDPR, without – for that specific purpose, and therefore in addition to the obligation laid down in the second subparagraph of Article 6(3) of the GDPR that the legal basis requiring the processing at issue be proportionate to the legitimate aim pursued – having to balance the interests involved, regardless of whether that balancing exercise is exhaustive or not.

103    In the light of all the foregoing, the answer to part (a) of the third question is that Article 5(1)(c) of the GDPR, read in conjunction with the second sentence of Article 52(1) of the Charter, must be interpreted as meaning that the principle of ‘data minimisation’ does not require a court to ensure, for each processing of personal data it undertakes, that the principle of proportionality is observed, by ensuring that the data processed on that occasion are such as to enable the objective pursued by that processing to be achieved and are strictly necessary for achieving it, and that the seriousness of the interference with fundamental rights entailed by taking such data into account in order to undertake that processing is proportionate to the interest which that court has in using those data in order to undertake that processing, provided that the conditions laid down in Article 5(1)(c) of the GDPR are complied with.

 Questions 3(b) to (d)

104    Having regard to the remarks in paragraph 49 of the present judgment, it must be held that, by points (b) to (d) of its third question, the referring court is, in essence, asking whether Articles 7 and 8 of the Charter, Article 5(1) of the GDPR, point (c) of the first subparagraph of Article 6(1) of the GDPR, read in conjunction with Article 6(3) thereof, and the principle of ‘data minimisation’ must be interpreted as precluding a national court from using evidence containing personal data obtained in breach of the right to the protection of privacy and the right to protection of personal data by the party transmitting such data to it, where that party’s legitimate interest in such processing does not outweigh the interest in simply adducing the facts on which it relies.

105    In that regard, it should be noted, first, that, while the right to the protection of privacy and the right to the protection of personal data, referred to in Articles 7 and 8 of the Charter, are liable in certain situations to conflict with the right to an effective remedy, guaranteed in Article 47 of the Charter, for the processing of personal data covered by the GDPR, the mechanisms allowing the different fundamental rights and interests to be balanced involved must be regarded as being contained in that regulation itself (see, to that effect, judgment of 17 June 2021, M.I.C.M., C-597/19, EU:C:2021:492, paragraph 112).

106    In particular, the proportionality of the interferences which may occur to the right to the protection of privacy and the right to the protection of personal data, referred to in Articles 7 and 8 of the Charter, by processing which falls within the scope of the GDPR is guaranteed by the combined application of the principles laid down in Article 5(1) of that regulation and the requirements inherent in each alternative lawfulness condition set out in the first subparagraph of Article 6(1) of that regulation read, where appropriate, in conjunction with Article 6(3) thereof.

107    Therefore, for as long as the conditions governing the legal processing of personal data under that regulation are fulfilled, such processing meets, in principle, the requirements of Articles 7 and 8 of the Charter (judgment of 5 June 2023, Commission v Poland (Independence and private life of judges), C-204/21, EU:C:2023:442, paragraph 332).

108    Second, as the Advocate General stated, in essence, in point 32 of his Opinion, neither Article 5(1) of the GDPR nor any of the other rights and principles set out in Chapters II and III of that regulation lay down a general and absolute prohibition preventing a public authority, such as a court, from taking into account personal data which has been the subject of earlier unlawful processing, for the purposes of that regulation, by the person who transmitted such data to that authority.

109    It is true that Article 5(1)(a) of the GDPR states, as a principle, that the processing of personal data must be not only lawful and transparent, but also fair.

110    However, it is apparent from recital 39 of that regulation that the objective pursued by that principle of fairness, which is indissociable from that pursued by the principle of transparency, is to ensure that data subjects are aware of the processing of their personal data and that, on that occasion, they receive the information necessary to exercise their rights.

111    Therefore, the effect of the fact that the data processed have been the subject of earlier unlawful processing, for the purposes of Article 5(1)(a) of the GDPR, by the party which transmitted that data, depends on the alternative lawfulness condition relied on by the controller in order to justify that processing. Some of those alternative conditions may be inapplicable to such data because of the requirements which they set out.

112    Accordingly, as regards the alternative lawfulness condition referred to in point (f) of the first subparagraph of Article 6(1) of the GDPR, the fact that the controller knew or ought to have known that certain data transmitted to it had been, in particular, the subject of earlier unlawful collection or storage precludes the collection of those data, undertaken by that controller following their having been transmitted, from being capable of being regarded as pursuing legitimate interests and, accordingly, as satisfying that alternative lawfulness condition.

113    However, it must be held that the processing of personal data undertaken by a court in connection with the personal data contained in evidence offered in support by the parties is, in principle, necessary in order to comply with a legal obligation of that court, namely the obligation to rule on whether that evidence is admissible and, where that evidence has been declared admissible in the light of the criteria laid down for that purpose by national law, to take that evidence into account in order to provide its decision.

114    Point (c) of the first subparagraph of Article 6(1) of the GDPR does not refer to any requirement which may preclude a court from relying on that alternative lawfulness condition where the personal data at issue found in supporting evidence has been the subject of earlier unlawful processing, for the purposes of that regulation, by the person who transmitted such data.

115    It is true that Article 6(3) of the GDPR states that the legal basis for processing personal data founded on point (c) of the first subparagraph of Article 6(1) of that regulation must be laid down by EU law or by the law of the Member State to which the controller is subject, that that legal basis may contain specific provisions to adapt the application of the rules of that regulation to the needs which that processing pursues and that, in any event, EU or Member State law must meet an objective of public interest and be proportionate to the legitimate aim pursued (see, to that effect, judgment of 2 March 2023, Norra Stockholm Bygg, C-268/21, EU:C:2023:145, paragraph 31).

116    As regards that proportionality condition and the requirements imposed by it, it should be noted that, according to the case-law recalled in paragraph 91 of the present judgment, (i) the legal basis on which the processing at issue is based must be such as to make it possible to meet the objective of public interest pursued, (ii) it must solely authorise processing which does not go beyond what is strictly necessary, which presupposes that there are no other measures less prejudicial to the rights and freedoms of data subjects which would enable that objective to be achieved as effectively, and (iii) that legal basis must be proportionate, in the strict sense, in that, after balancing all the relevant factors, it cannot authorise processing which causes limitations of the rights and freedoms of data subjects which are disproportionate in the light of the importance of achieving that objective.

117    The fact that the legal obligation making it necessary to process personal data contained in supporting evidence formulated by the parties also applies to personal data obtained in breach of the right to the protection of privacy and the right to protection of personal data by the party which transmitted that data to a court, does not appear to be such as to preclude that legal basis from being able to satisfy such requirements.

118    First of all, as regards the first requirement referred to in paragraph 91 of the present judgment, where a court processes personal data, the legal obligation requiring that court to rule on whether evidence offered in support by the parties is admissible and, where such evidence is admissible, to take that evidence into account in order to provide its decision, must be regarded as pursuing an objective of public interest, since it relates to observance of a fundamental right, namely the right to a fair trial, which is enshrined in Article 47 of the Charter.

119    Next, that obligation must also be regarded as being such as to enable that objective of public interest to be achieved, and being strictly necessary for the meeting of that objective, even where the data concerned were obtained unlawfully. In particular, since the right to a fair trial requires a court to rule on whether evidence offered in support by the parties is admissible and, where such evidence offered in support is admissible, to take that evidence into account in order to provide its decision, no other measure appears capable of achieving such an objective as effectively as allowing courts to process personal data found in the evidence offered in support by the parties.

120    Lastly, it should be recalled that, as recital 4 of the GDPR states, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced, in accordance with the principle of proportionality, against other fundamental rights, such as the right to effective judicial protection, guaranteed in Article 47 of the Charter (see, to that effect, judgment of 2 March 2023, Norra Stockholm Bygg, C-268/21, EU:C:2023:145, paragraph 49).

121    Having regard to the essential function which the right to a fair trial plays in society, the fact of requiring a court to process the personal data contained in the evidence offered in support by the parties, including where those data were obtained in breach of the right to the protection of privacy and the right to the protection of personal data, does not appear to be such as to cause disproportionate interference with those rights, as guaranteed in Articles 7 and 8 of the Charter.

122    Therefore, the obligation on a court, in accordance with the right to a fair trial, to process all personal data found in the evidence offered in support satisfies the requirements of Article 6(3) of the GDPR, even though (i) that obligation relates to data obtained in breach of personality rights and (ii) the legitimate interest in such processing of the party which transmitted such data to that court does not outweigh the interest in simply adducing the evidence relied on.

123    However, the data used on those occasions must, in accordance with Article 5(1)(c) of the GDPR, be limited to data which are adequate, relevant and necessary in relation to the purposes for which they are processed.

124    In that regard, concerning, in the first place, the personal data used when a court undertakes processing in order to decide, in the light of the relevant rules of national law, whether evidence offered in support is admissible and whether the facts relied on by a party are relevant, it must be stated that the right to a fair trial, as recognised in Article 47 of the Charter, means that the parties are able to submit to a court the supporting evidence which they regard as relevant.

125    Therefore, as regards legal actions seeking to safeguard rights which individuals derive from EU law, the fact that, in order to rule on whether evidence offered in support is admissible, a court is required to process personal data does not, in principle, mean any infringement of the principle of ‘data minimisation’ occurs, since, at that stage, such data are indeed adequate, relevant and necessary to enable that court to rule on such admissibility. The same applies to legal actions in which EU law is not relied on, where the law of the Member State concerned confers on the parties a right similar in scope to the right to a fair trial, guaranteed in Article 47 of the Charter.

126    By contrast, once a court has found that documents containing the personal data transmitted to it are admissible in the light of the rules laid down for that purpose by national law, that court must, before placing them on the file, examine whether those data are limited to the data necessary in relation to the purposes pursued, that is to say, to enable that court to make the most informed decision possible in the light of the relevant circumstances of the case and to comply with the principle that the parties should be heard, or whether it is appropriate for that court to take certain measures in order to reduce the amount of data thereby concerned, such as anonymising the documents concerned in full or in part, without, however, adversely affecting the rights of those other parties.

127    That having been said, the fact that the data concerned were obtained in breach of the right to the protection of privacy and the right to the protection of personal data, referred to in Articles 7 and 8 of the Charter, does not appear, in itself, to be decisive, since the criteria laid down in Article 5(1)(c) of the GDPR require those data to be adequate, relevant and limited to what is necessary in relation to the objectives pursued.

128    As regards, in the second place, the personal data used when a court undertakes processing in order to adopt its decision, having regard to the right to a fair trial, all the data found in documents declared to be admissible and placed on the file must, in principle, be regarded as adequate, relevant and limited to what is necessary in relation to the purpose of such processing, since, in accordance with that right to a fair trial, that court is required to take into account all of that evidence in order, inter alia, to assess whether it is relevant.

129    In the third and last place, as regards the disclosure of such data by a court at the time of service or publication of its judgment, such processing requires, in order to ensure that those data are limited to what is necessary in relation to the purposes for which they are processed, that account be taken of, inter alia, not only the need to enable the decision to be enforced, but also the need to inform third parties who may also be concerned by the facts in question and the need to protect individuals against the dangers of justice being administered in secret (see, to that effect, ECtHR, 2 June 2022, Straume v. Latvia, CE:ECHR:2022:0602JUD005940214, § 124), but also the possibility of taking certain measures, such as anonymising such data or using pseudonyms in such data, in order to minimise the impediment to the right to the protection of personal data which such disclosure is likely to entail.

130    In the light of all of the foregoing, the answer to points (b) to (d) of the third question is that Articles 7 and 8 of the Charter, Article 5(1) of the GDPR, point (c) of the first subparagraph of Article 6(1) of that regulation, read in conjunction with Article 6(3) thereof, and the principle of ‘data minimisation’ must be interpreted as not precluding a national court from using evidence containing personal data obtained, in breach of the right to the protection of privacy and the right to protection of personal data, by the party which transmitted such data to that court, where that party’s legitimate interest in such processing does not outweigh the interest in simply adducing the facts on which it relies. By contrast, before disclosing those data to the parties or third parties, that court must verify that such data are limited to what is necessary in relation to the purposes for which such disclosure is made and, as appropriate, take certain measures to minimise the impediment to the right to the protection of personal data which such disclosure is likely to entail.

 Question 3(e)

131    By part (e) of its third question, the referring court is, in essence, asking whether Article 13(1) and (2) of the GDPR must be interpreted as precluding a national court, when acting in its judicial capacity, from using data collected by a person who has failed to comply with the obligations on that person to provide information under that provision.

132    In that regard, it follows from Article 13(1) and (2) of the GDPR that, where personal data relating to a person are collected from that person, the controller is, at the time when those data are obtained, to provide that person with the information listed in those paragraphs.

133    Given that that provision forms part of Chapter III of the GDPR, those paragraphs must be regarded as laying down conditions which must be complied with if the collection of personal data is to be lawful.

134    Moreover, the obligation laid down in Article 13 contributes to achieving the requirement laid down in Article 5(1)(a) of the GDPR, which forms part of Chapter II of that regulation, under which any processing of personal data must be fair and transparent, with the result that it must also be complied with on that basis.

135    However, there being no need to determine whether, in order to preserve the practical effect of Article 17(3)(e) of the GDPR, that provision must be interpreted as meaning that the fact that the party concerned collected the data at issue without complying with that obligation does not mean that processing consisting of transmitting evidence containing such data to a court must be regarded as unlawful, it should be recalled that, as stated in paragraph 108 of the present judgment, neither Article 5(1) of the GDPR nor any of the other rights and principles set out in Chapters II and III of that regulation lay down a general and absolute prohibition preventing a controller from taking account of personal data which has been the subject of earlier unlawful processing, for the purposes of the GDPR, by the person who transmitted such data to the controller.

136    Therefore, the answer to part (e) of the third question is that Article 13(1) and (2) of the GDPR must be interpreted as not precluding a national court, when acting in its judicial capacity, from using data collected by a party or by a third party which has failed to comply with its obligations to provide information under that provision.

 Question 3(f)

137    By part (f) of its third question, the referring court is, in essence, asking whether the GDPR must be interpreted as meaning that a court is required, when acting in its judicial capacity, to ensure compliance with that regulation when it processes personal data relating to persons who are not a party to the proceedings pending before it and whether EU law requires that one of the parties to those proceedings be able to rely on the fact that those data have been collected or stored unlawfully, for the purposes of that regulation, by the other party in breach of the rights which those third parties derive from that regulation.

138    In that regard, it is apparent from Article 288 TFEU that a regulation is a measure with general application which is binding in its entirety and directly applicable in all Member States.

139    Given that the principles set out in Chapter II of the GDPR apply independently of any consideration relating to the procedural situation of data subjects or of the fact that the controller is a court or tribunal, that regulation, read in conjunction with Article 288 TFEU, must be interpreted as meaning that a court is required, when acting in its judicial capacity, to comply with that regulation when it processes personal data relating to persons who are not a party to the proceedings pending before it.

140    By contrast, as regards whether a party may rely on an unlawful act which is detrimental to a third party, that question falls, in the absence of a provision on that subject in EU law, within the scope of the procedural autonomy of the Member States.

141    It is true that, as regards actions intended to safeguard rights which individuals derive from EU law, under the principle of procedural autonomy, which applies where there is no provision laid down in EU law, the detailed procedural rules governing such actions must be neither less favourable than the rules governing similar domestic actions (principle of equivalence) nor liable to render impossible in practice or excessively difficult the exercise of rights conferred by EU law (principle of effectiveness) (see, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, paragraph 223 and the case-law cited).

142    Furthermore, those detailed procedural rules must also comply with the right to a fair trial, as guaranteed in Article 47 of the Charter, the Charter being intended to apply, in accordance with Article 51 thereof, in all situations where the Member States implement EU law.

143    However, it must be stated that neither the principle of effectiveness nor the right to a fair trial guaranteed in Article 47 of the Charter requires, in principle, that the parties to judicial proceedings be afforded the possibility of relying on an infringement of the GDPR which is detrimental to persons who are not a party to those proceedings.

144    The answer, therefore, to Question 3(f) is that the GDPR must be interpreted as meaning that a court is required, when acting in its judicial capacity, to ensure compliance with that regulation when it processes personal data relating to persons who are not a party to proceedings. EU law does not require one of the parties to those proceedings to be able to rely on the fact that the other party collected or stored data unlawfully, for the purposes of that regulation, in breach of the rights which those third parties derive from that regulation.

 Costs

145    Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Fifth Chamber) hereby rules:

1.      Point (c) of the first subparagraph of Article 6(1) and Article 6(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in conjunction with Article 8(1)(c) of that regulation and Article 52 of the Charter of Fundamental Rights of the European Union,

must be interpreted as not precluding national legislation which, as regards the processing of personal data, undertaken in the context of a court examining the facts and taking evidence, merely prescribes that it is for the parties to submit detailed factual evidence which is truthful and requires that court to take such evidence fully into consideration, before, as the case may be, assessing that evidence, without providing any indication as to the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by that court, provided that (i) there is clear and precise national case-law, the application of which is foreseeable, and which itself establishes the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by a court, (ii) that case-law meets an objective of public interest and (iii) that case-law is proportionate to that objective.

2.      Article 17(3)(e) of Regulation 2016/679

must be interpreted as meaning that that provision does not formulate an alternative lawfulness condition which processing could satisfy in order to comply with Article 5(1)(a) of that regulation and which is distinct from any of those listed in the first subparagraph of Article 6(1) of that regulation.

3.      Article 5(1)(c) of Regulation 2016/679, read in conjunction with the second sentence of Article 52(1) of the Charter of Fundamental Rights

must be interpreted as meaning that the principle of ‘data minimisation’ does not require a court to ensure, for each processing of personal data it undertakes, that the principle of proportionality is observed, by ensuring that the data processed on that occasion are such as to enable the objective pursued by that processing to be achieved and are strictly necessary for achieving it, and that the seriousness of the interference with fundamental rights entailed by taking such data into account in order to undertake that processing is proportionate to the interest which that court has in using those data to undertake that processing, provided that the conditions laid down in Article 5(1)(c) of Regulation 2016/679 are met.

4.      Articles 7 and 8 of the Charter of Fundamental Rights, Article 5(1) of Regulation 2016/679, point (c) of the first subparagraph of Article 6(1) of that regulation, read in conjunction with Article 6(3) thereof, and the principle of ‘data minimisation’

must be interpreted as not precluding a national court from using evidence containing personal data obtained in breach of the right to privacy and the right to the protection of personal data by the party which transmitted such data to that court, where that party’s legitimate interest in such processing does not outweigh the interest in simply adducing the facts on which it relies. By contrast, before disclosing those data to the parties or third parties, that court must verify that such data are limited to what is necessary in relation to the purposes for which such disclosure is made and, as appropriate, take certain measures to minimise the impediment to the right to the protection of personal data which such disclosure is likely to entail.

5.      Article 13(1) and (2) of Regulation 2016/679

must be interpreted as not precluding a national court, when acting in its judicial capacity, from using data collected by a party or by a third party which has failed to comply with its obligations to provide information under that provision.

6.      Regulation 2016/679

must be interpreted as meaning that a court is required, when acting in its judicial capacity, to ensure compliance with that regulation when it processes personal data relating to persons who are not a party to proceedings. EU law does not require one of the parties to those proceedings to be able to rely on the fact that the other party collected or stored data unlawfully, for the purposes of that regulation, in breach of the rights which those third parties derive from that regulation.

[Signatures]

*      Language of the case: German.




Disclaimer

Powered by