What the court actually decided

The dispute behind the ruling was ordinary enough. A Lower Saxony company sued a former employee it accused of reselling company equipment through a private eBay account, and it built its case on data pulled from that account without authorisation. That access was itself a breach of the GDPR. The referring court, the LAG Niedersachsen, asked the EuGH a sharper question than the parties expected: does a court itself break data protection law simply by looking at evidence that was gathered unlawfully.

The EuGH answered no. In its judgment of 18 June 2026 (C-484/24), it rejected a blanket ban on using unlawfully obtained personal data and held that a court may rely on such data where it is required and material for the decision. The judges leaned on the court's own duty to establish the facts and on the right to a fair trial under Article 47 of the Charter, while requiring that data minimisation still be respected and that anonymisation be considered before disclosure. This is about whether evidence enters a civil file, not about criminal guilt.

Why this reverses a comfortable assumption

Many owners and their advisers have run on an unspoken rule of thumb: if the other side got its material improperly, it can be kept out, so a data protection foul is a reliable shield. The ruling weakens that shield. A court weighing the facts is now told to balance the fair trial interest against the privacy breach rather than to discard the evidence on principle, so the awkward document, the recovered message, or the account extract may sit in front of the judge regardless of how it was obtained.

That cuts both ways, and the second edge is the one to watch. The same logic that lets a claimant use imperfectly sourced proof lets an opponent use yours. An internal investigation that oversteps, a monitoring log gathered without a proper basis, or a former partner's inbox accessed too freely does not become harmless because it was collected badly. It can still land in the record against you, while the underlying breach remains separately exposed to supervisory authorities. Please treat this as reporting rather than legal advice, and confirm the ruling and its reach for your own facts.

What to consider before the next dispute

The practical response is not to chase loopholes but to assume that most relevant data will eventually be admissible, whoever holds it and however it was gathered. That reframes evidence hygiene as a business risk rather than a compliance footnote. It is worth revisiting how your internal investigations are run, how employee and counterparty data is accessed during a dispute, and where your own collection practices could be turned into exhibits by the other side.

It is equally worth mapping, before litigation is on the horizon, what data about your operations exists, where it lives, and who could obtain it. The scope of this judgment is still settling and its application will vary by member state and by the type of proceeding, so anything specific belongs with your own counsel on your own facts. The point for a decision-maker is simpler: the old bet that bad data disappears is no longer safe to make.