Data Protection Inside, Issue 142

30. October 2025  |   by DPI Editorial Team
Data Protection Inside, Issue 142 - DPI 38

AG Spielmann Advises Court that National Courts May Conditionally Process Data Obtained Contrary to the Storage Limitation Principle

On 16th October, AG Spielmann opined that national courts may, under certain conditions, process in their judicial capacity personal data which they obtained by processing other personal data which was originally collected and stored by other controllers in breach of the data storage limitation principle in NTH Haustechnik GmbH v EM. As to the facts of the case, the defendant in the main proceedings was married to the applicant in the main proceedings. The former was an employee in the private company of the latter. The company sells heating and air conditioning equipment. After the couple split, the defendant continued having access to the company premises and equipment. The applicant claims that the defendant sold company equipment via her private eBay account and seeks damages from her. What remains disputed in the facts of the case is how the applicant became aware of the eBay activities of his ex-partner and had access to it, in particular in how far this happened in compliance with the GDPR requirements, especially on data storage limitation under Article 5(1)(e). According to the referring court: ‘the collection and storage of data by NTH, through which it became aware of the defendant’s sales on the eBay online platform, may have been carried out unlawfully. It also considers that its own judicial activity and, if required, use of the data collected by NTH in reaching its decision, constitute data processing within the meaning of the GPDR. In that regard, the referring court asks, in essence, about the conditions that must be laid down by national legislation for judicial data processing activity and the legal bases and substantive criteria which must govern such activity’. The referring court sent a series of questions to the CJEU for preliminary ruling. In his Opinion, AG Spielmann focused on the question of courts’ processing of personal data which might have been originally obtained in breach of the storage limitation principle. According to AG Spielmann: ‘Neither Article 5(1)(e) of the GDPR nor Article 6(1)(e) of that regulation lays down a general and absolute prohibition preventing a public authority, such as a court, from being empowered to take into account data obtained by one of the parties to the dispute by recourse to other personal data which that party processed contrary to the principle of storage limitation’. In addition, he observed that EU law does not govern the admissibility of evidence in national courts. Having established the broad discretion enjoyed by national courts, AG Spielmann then set the limits to the discretion left to them, namely the general EU principles of equivalence and effectiveness, as well as the conditions on derogations from the data protection principles, such as storage limitation, as set out in Article 23 GDPR and Article 52(1) CFREU. According to AG Spielmann, ‘there is a national legal basis laying down the conditions for the admissibility and use of personal data in a situation such as that at issue in the main proceedings.’ He then concluded that: ‘It is therefore for the referring court to identify the relevant provisions of national law and the case-law of the Member State concerned, to apply them and to verify whether, first, they are compatible with the principles of equivalence and effectiveness and meet an objective of public interest and, second, they are necessary and proportionate to that objective, so that they are capable of falling within the scope of cases of personal data processing regarded as lawful under the provisions of Article 6(3)(b) of the GDPR, read in combination with Article 23(1) thereof’.

EDPB Opinions on UK Adequacy

On 16th October, the EDPB adopted two Opinions on UK adequacy: ‘Opinion 26/2025 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data by the United Kingdom’; and ‘Opinion 27/2025 regarding the European Commission Draft Implementing Decision pursuant to Directive (EU) 2016/680 on the adequate protection of personal data by the United Kingdom’. The Opinions follow the publication, by the Commission, of draft decisions concerning the extension of UK adequacy under the GDPR and LED up to December 2031. In terms of the Opinion on the GDPR, the EDPB, in principle, ‘welcomes the continuing alignment between the UK and EU data protection framework, notwithstanding recent developments in the UK relevant legal framework’. Nevertheless, they highlight a number of issues of concern, including, amongst others: the need for further consideration of the implications of changes in UK law pursuant to the ‘Retained EU Law (Revocation and Reform) Act 2023’ and their significance for data protection; the need to highlight, in any adequacy decision, the areas to be subject to close monitoring in relation to certain powers now granted to the UK Secretary of State concerning data processing – including concerning international transfers and automated decision-making – which may lead to further divergence of UK and EU law; and the need for a ‘more detailed assessment of the restructuring of the Information Commissioner’s Office (“ICO”) as a board and the rules for appointment and dismissal of executive and non-executive board members’. In terms of the Opinion on the LED, again, the EDPB, in principle, ‘welcomes the continuing alignment between the UK and EU data protection framework, notwithstanding recent developments in the UK relevant legal framework’. Again, however, the EDPB highlights a number of issues which need to be addressed moving forward, including: the need to pay ‘particular attention…to ensuring that the data protection regime for national security processing is not being extended to contexts not related to national security’; and ‘the need for the European Commission to closely monitor the application of corrective powers and of remedies for data subjects in the United Kingdom data protection framework’. Both Opinions are lengthy and cover much more than can be highlighted in this report. Accordingly, we advise all those interested in the topic to read the Opinions in full. We would finally highlight in this context that the international exchange of personal data is an issue fraught with contention. We thus consider the Opinions should best be read in the light of the fact there will likely be much more discussion on the Commission’s decisions, reflecting more viewpoints, in the coming months.

EDPB Publications

Over the past two weeks, in addition to those discussed above, the EDPB has published the following important document:

  • 20th October 2025: Expert Opinion on: ‘The Digital Euro and its token-based offline modality’.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply

back to overview