The General Court weighs institutional data protection against a staff member’s right to access their own harassment investigation file, in a case where the defendant institution is the EU’s own judiciary.
The EU General Court ruled in Case T-84/24 on April 22nd, 2026. The applicant, referred to as UU and identified as a staff member of the Court of Justice of the EU, brought an action against the Court of Justice itself. The case concerns a partial refusal to provide access to documents from an internal harassment investigation under Regulation (EU) 2018/1725.
UU filed a formal harassment complaint against colleagues, which was followed by an internal investigation. UU then requested access to the full investigation file under Article 17 of Regulation 2018/1725, which was partially refused by the court, citing the need to protect the personal data of third parties named in the investigation as justification for withholding portions of the file. UU challenged that refusal before the General Court.
The General Court examined how EU institutions must balance the data subject’s access rights against third-party data protection, with a blanket refusal being impermissible. The institution must assess each document individually, weigh the competing interests, and provide a specific justification for each withheld item. The Court confirmed the general principle that institutional actors cannot use data protection as a shield to deny victims of workplace misconduct all access to the factual record that concerns them.
The judgment carries a particular institutional dimension, as the Court of Justice, which oversees the enforcement of EU law including data protection rules, was the defendant in a case where one of its own staff members asserted data rights arising from a workplace harassment complaint. No EU institution, including the judiciary, can claim automatic or categorical exemptions from the framework it applies to others.
