Evidence and personal data: France’s Supreme Court draws a clear line

On 17 June 2026, the Commercial Chamber of the French Supreme Court allowed the use in court of an analysis report based on pseudonymised data, provided the approach is necessary and strictly proportionate to the right to evidence, despite trade union freedom concerns.

Facts

In case no. 25-11.499, an external firm conducted a technical analysis following allegations of data leakage and unlawful use of employees’ personal data during voting operations. The processor pseudonymised all data, destroyed raw inputs, excluded any access to email content, and ran a purely volumetric analysis producing no named files. The Court found the privacy impact “extremely limited” and the production of the report “necessary” and “proportionate” to the right to evidence.

Legal framework and basis

• Right to evidence and proportionality: confirmation of the test (Plenary 22/12/2023; 1st Civil 04/03/2026) admitting evidence obtained/produced unlawfully or unfairly if indispensable and strictly proportionate (ECHR art. 6; French CPC art. 9).
• Data protection: alignment with GDPR (data minimisation, privacy by design, legitimate interests). For a structured overview, see our page on the GDPR framework and key obligations.
• Collective freedoms: the Court acknowledges trade union freedom concerns but admits the evidence given the technical safeguards and the procedural purpose (defence in court).

What this changes for Luxembourg companies

For leadership teams in Luxembourg and the Greater Region, this ruling provides a practical playbook to run internal investigations and submit technical materials without crossing GDPR red lines. It validates a “defensive investigation” model with a narrowly defined purpose, demonstrated necessity, maximal minimisation, and genuine pseudonymisation with organised destruction of identifiers.

This approach fits the European framework and CNPD expectations. To structure governance and operating procedures, a DPO mandate with investigation SOPs helps orchestrate minimisation, pseudonymisation, and proportionality documentation.

For local requirements and practices, refer to our resource on GDPR in Luxembourg and CNPD expectations.

Concrete actions to take this week

• Map your “right to evidence” scenarios: identify investigation use cases (internal e-voting, leak suspicions, unfair competition) and draft a standard necessity/proportionality note (purpose, scope, duration, data subjects).
• Update vendor clauses and SOPs: require strong upfront pseudonymisation, certified destruction of identifiers, no access to message content, logging, and aggregated/non-nominal outputs. A certified DPO to steer these requirements accelerates implementation.
• Prepare a compliant “evidence pack”: ad hoc record of processing, targeted LIA (art. 6(1)(f) balancing test), time-limited legal hold, and a court package documenting minimisation and strict necessity. See the legal bases and minimisation principles for guidance.

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.