This blog discusses two recent judgments of the Court of Justice of the European Union (hereinafter: 'the Court') concerning the processing of personal data in the context of judicial proceedings and employment relationships. The Court clarified under what conditions a court may use unlawfully obtained personal data as evidence and when an employer may retain data on a worker's suspect status in their personnel file.
In the case NTH Haustechnik v EM, the Court ruled on the question whether a national court may use evidence containing personal data that may have been collected in breach of the GDPR. The judgment provides clarification on the relationship between the right to data protection and the right to a fair trial.
NTH Haustechnik (applicant) is a German heating and air-conditioning company. EM (respondent) was employed by NTH and was also the spouse of NTH's director. In 2019, the employment relationship between NTH and EM was terminated. As the director's spouse, EM had access to NTH's premises and computer systems. This access continued until the divorce between EM and the director in 2022. Following the divorce, NTH discovered via employee F. (also the son of the director and EM) that EM had allegedly sold company goods for her own account via eBay. To verify this, NTH gained access to EM's personal eBay account.
Two accounts exist regarding how access to the eBay account was obtained. NTH claims that employee F. found EM's login credentials through the browser history of the computer system and a "family file" on NTH's company server. EM, by contrast, claims that NTH's director reported her company phone as lost in order to obtain a new SIM card, which enabled him to change her eBay password. The referring court did not exclude the possibility that this data collection by NTH was unlawful.
In this context, the referring court submitted the following questions for a preliminary ruling to the Court:
Regarding the first question referred by the German court, the Court held that Article 6(1)(c) and 6(3) GDPR must be interpreted as not precluding the German national legislation. Although the national legislation does not specify how courts may process evidence containing personal data, national case law can provide this specification according to the Court. This requires the existence of clear and precise national case law whose application is foreseeable, which establishes the circumstances and conditions under which evidence containing personal data may be used by a judicial body. Additionally, the case law must serve an objective of general interest and the case law must be proportionate to that objective.
The referring court asked whether Article 17(3)(e) GDPR (the exception to the right to erasure for the establishment, exercise or defence of legal claims) constitutes an independent legal basis for processing. The Court ruled that it does not. According to the Court, the list of legal bases for processing in Article 6(1) GDPR is exhaustive. Article 17(3)(e) merely provides an exception to the right to erasure, and thus no independent justification for processing.
The Court ruled that neither Article 5(1) GDPR nor other provisions of Chapters II or III GDPR contain a general and absolute prohibition on a court using personal data that were previously unlawfully processed by the party that submitted such data. The Court takes the view that the right to data protection is not an absolute right. It must be balanced against other fundamental rights, including the right to a fair trial under the Charter of Fundamental Rights of the European Union. Given the essential function that the right to a fair trial fulfils in society, the obligation on a court to process all personal data in the evidence submitted does not constitute a disproportionate interference with the provisions of the Charter. This is also the case where that data was obtained in breach of the GDPR.
The Court adds a qualification: the court must verify that the personal data processed are limited to what is necessary for the processing, not only when providing access to the parties or third parties and upon publication of the judgment, but also before inclusion in the case file (after the documents have been declared admissible). Where appropriate, the court takes measures to limit the interference with the right to data protection, for example through (partial) anonymisation, pseudonymisation or restricted access, without prejudice to the rights of the other party. The Court clarifies that the data minimisation principle does not require the court to carry out a full proportionality assessment for each individual processing operation. Such an assessment may be omitted if the processing is "adequate, relevant and limited to what is necessary" and the legal basis for processing is already proportionate.
The Court also ruled that Article 13(1) and (2) GDPR (information obligation of the controller) does not preclude a court from using data collected by a party that has failed to comply with its information obligations. The unlawfulness of the original collection does not affect the court's legal basis for processing.
The Court confirms that the fact that evidence may have been collected in breach of the GDPR does not automatically mean that such evidence is inadmissible in civil proceedings. This is relevant for employment disputes, commercial cases and other civil proceedings in which digital evidence plays a role. At the same time, this does not exempt the party that collected the data from liability for the original GDPR breach. Compensation under Article 82 GDPR and fines under Article 83 GDPR remain possible. For courts, the judgment means that when assessing evidence they need not examine whether the collecting party complied with the GDPR, but that they must observe data minimisation when publishing the judgment or providing access to third parties.
In the Darashev judgment (Dutch only), the Court ruled on the question whether an employer may retain data on a worker's suspect status in their personnel file where the criminal investigation has been suspended without the worker being prosecuted.
CL was a police officer at the Directorate-General for "Security Police" and the Directorate-General for "National Police" of the Bulgarian Ministry of Interior. In March 2016, the Directorate for "Internal Security" of the Ministry of Interior opened an investigation into a robbery with violence. Two months later, on 17 May 2016, CL was publicly arrested during a general meeting of his department, at which point he was required to surrender his badge, weapon and service ID. CL was subjected as a suspect to various investigative measures, including a house search. An identification procedure was also initiated. During this procedure, CL was not recognised by the victims of the robbery and no fingerprints of his were found on the victims' belongings. After 24 hours in pre-trial detention, CL was released. Further prosecution of CL was discontinued. The further investigation into the robbery was also closed. No suspect could be identified. CL resumed his duties, but data on his pre-trial detention and suspect status remained stored in his personnel file. CL applied several times for a higher position but was repeatedly refused on the basis of his suspect status. CL decided to bring the matter before the court.
The referring court decided to submit questions for a preliminary ruling to the Court in this case. The most important of these was whether the GDPR or Directive 2016/680 (in short: the directive on the protection of personal data in police investigations) applied to the processing in the police officer's personnel file and whether the storage of the data could be classified as processing of personal data. Additionally, the referring court asked whether the storage can lawfully be based on a legal obligation within the meaning of Article 6(1)(c) and (3) GDPR, and what requirements apply in that respect for purpose limitation, necessity, proportionality and for the clarity and foreseeability of the national legal basis for processing. Finally, the referring court asked whether the employer is obliged to erase the data under the GDPR, particularly where the investigation has been suspended without prosecution or where the processing is unlawful.
The Court ruled that the GDPR applies to the storage of information obtained through criminal proceedings in personnel files when these are used for HR purposes. The original collection by the directorate carrying out criminal investigations does not alter the fact that the further processing by the employer for personnel management falls within the scope of the GDPR. The purpose limitation principle is decisive: as soon as data are processed for other (non-investigative) purposes, the GDPR applies. This is also the case where the same public authority obtained the data as a competent authority.
As in the judgment discussed earlier, the Court held that the retention of personal data can only be lawful if it is based on a clear and precise legal obligation (Article 6(1)(c) and (3) GDPR), whose application is foreseeable for data subjects, which pursues an objective of general interest and is proportionate to that objective. The Court clarifies that such a legal basis need not necessarily be a law adopted by parliament: instructions adopted by a minister and made public can also serve this purpose, provided they are based on a statutory power and are sufficiently clear and foreseeable. Additionally, the general principles of Article 5 GDPR (including purpose limitation, data minimisation and storage limitation) apply and the burden of proof rests on the controller to demonstrate the necessity of the personal data processed.
The Court takes the view that safeguarding the integrity of police officers is a legitimate general interest. Retention of information on suspect status may therefore be justified where an investigation is still ongoing or has led to prosecution or conviction, for example in order to be able to take precautionary or disciplinary measures. According to the Court, in this specific situation, where the investigation has been suspended and there is no incriminating evidence, it is not self-evident that such data storage is necessary. The national court must examine whether the national legal basis actually and with sufficient precision covers the retention of this type of data in personnel files, and subsequently whether the storage is proportionate, including the duration of storage of the data. Because these are data concerning criminal convictions and offences, Article 10 GDPR also applies. Such data may only be processed under the control of official authority or on the basis of Union or Member State law providing for appropriate safeguards. In this case, the requirement of official control has been satisfied. This means that, if the national court finds the data processing to be lawful, the data subject cannot enforce a right to erasure: the exception in Article 17(3)(b) GDPR (processing necessary for compliance with a legal obligation) precludes this.
For public authorities that fulfil both investigative and employer functions (such as police, defence and security services), the Court confirms that HR processing of data obtained through criminal proceedings must comply with the GDPR. This requires a clear, precise and foreseeable legal basis for the data subject that serves a legitimate general interest and is proportionate, plus demonstrable compliance with the principles of purpose limitation, data minimisation and storage limitation. In the case of suspended investigations without prosecution, continued storage is not self-evident; periodic review of necessity is required. For employees, this means that, as soon as the data are no longer necessary or the processing is unlawful, they may in principle request erasure, unless an applicable exception prevents this.