Publication date: July 07, 2026
The contemporary economic and social reality is undergoing an irreversible process of digitalization. Business activity, commercial communication, and marketing have largely shifted to the internet, e-commerce platforms, and social media. As a consequence, key legal events, infringements of entrepreneurs’ personal rights, acts of unfair competition, and unlawful actions affecting the goodwill and reputation of companies now leave traces almost exclusively in the digital sphere. Consequently, the traditional perception of evidence through the prism of paper documents bearing handwritten signatures has become insufficient in the realities of business transactions. Polish civil procedure meets these needs through the fundamental assumption of an open catalog of evidence. However, the dynamic development of technology forces the constant evolution of judicial practice and a full openness to next-generation evidence. In addition to traditional text files, today’s multifaceted economic processes require the management of complex data structures, such as metadata, advanced web analytics, system logs, and screenshots from social media platforms.
Presenting such complex, non-linear evidence, which often encompasses many gigabytes of data, requires the implementation of modern procedural information management tools. The concept of a “digital evidence folder” emerges as a key tool for structuring, selecting, and correlating digital data directly with precisely formulated evidentiary theses.
To fully understand the revolution that has taken place in the Polish legal system regarding electronic evidence, it is necessary to refer to the legal status prior to the entry into force of the Act of 10 July 2015. The civil law system at that time lacked a legal definition of a document. Consequently, doctrine and case law equated this term exclusively with the written form of legal acts within the meaning of Article 78 of the Civil Code. The constitutive elements of a document were considered to be its written form and the handwritten signature of the issuer. A document was defined as human thoughts conveyed through graphic symbols arranged in a logical sequence of concepts on a material basis. This legal structure resulted in procedural limitations regarding electronic evidence. Any information transmitted electronically, e.g., in emails or text messages, that bore only a simple electronic signature, could not be accepted as documentary evidence (see, among others, Supreme Court judgments I CK 32/04, I CKN 1280/00). Photocopies, scans, blueprints, and computer printouts were treated as so-called secondary documents. According to the then-established Supreme Court case law, such reproductions did not constitute a document within the meaning of the Code of Civil Procedure. Although the Code of Civil Procedure did not contain a closed catalog of evidence, allowing computer printouts to be considered “other evidence” under Articles 308 and 309 of the Code of Civil Procedure, errors occurred in court practice. Some courts took the erroneous position that since a printout or photocopy was not a document, it did not constitute evidence at all and was beyond the court’s jurisdiction.
A breakthrough in the approach to electronic evidence occurred on September 8, 2016, when a legal definition of a document was introduced, along with a new form of legal act: the documentary form (Article 77 § 2, Article 73 § 1, Article 74 of the Civil Code). These changes were complemented by a broad amendment to the Code of Civil Procedure of November 7, 2019, which reformulated the rules of evidence (including Article 243 § 2 of the Code of Civil Procedure). Under the current wording of Article 77 § 3 of the Civil Code, a document is content (information constituting a human thought) contained on a medium enabling its review. A key element of this definition is the complete separation of the concept of a document from its physical, paper medium. Nowadays, a medium can be traditional or electronic. All devices and technical spaces used for collective data storage and reading, such as a flash drive, computer disk, server, or cloud computing, are permissible. The introduced amendment to the Code of Civil Procedure explicitly requires that the provisions on documentary evidence apply to all documents containing text that allow for the identification of their issuers. This change removed obstacles to treating digital data as full-fledged documents. However, the mere existence of a medium and the text recorded on it does not automatically allow for the recognition that the documentary form requirements have been met. A necessary premise and minimum condition for granting such evidence material validity is the ability to establish the identity of the person (issuer) from whom the declaration of will or knowledge originated. The act does not impose a rigid catalog of identification methods, meaning that the issuer’s identity can be proven in any objective manner, adapted to the technical realities of the given tool. Identification may result directly from the document’s content or from the circumstances surrounding its creation, for example, based on the mobile number from which the text message was sent or the email address from which the email was sent. As a consequence of the changes introduced by the amendment, the distinction between document evidence containing text and documentary evidence in other forms (e.g., audio recording, image recording, or image and sound recording) has become more important. Depending on the form in which the document’s content is expressed, the procedural system provides for completely different procedures. Article 2341 of the Code of Civil Procedure applies to documents containing text if they meet the conditions (they contain text and their issuers can be identified). If these conditions are met, the provisions on documentary evidence apply to documents in written, electronic, and documentary form. Differences in application include, for example, the appropriate application of Article 244 of the Code of Civil Procedure to documents containing text. Article 308 of the Code of Civil Procedure applies to documents in other forms (consisting of image, sound, or image and sound recordings). When examining them, the court will apply the provisions on visual inspection and documentary evidence, as appropriate.
Although the amended provisions of Polish civil procedure, through a technologically neutral definition of a document, have paved the way for the widespread use of electronic data in proceedings, generally applicable legal provisions still do not provide a legal definition of “digital evidence” itself. Such a concept is hard to find not only in the Civil Procedure Code, but also in criminal or administrative procedures. Consequently, the burden of developing a conceptual framework has fallen on legal doctrine and case law. Among the existing definitions used in international trade, the one adopted by the US Department of Justice is worth citing as the most clear and precise. It states that “digital evidence should be treated as information or data recorded in the form of digital data, of value to ongoing proceedings, and stored, downloaded, or sent using an electronic device. Analyzing the subject matter of digital evidence, it should be noted that this phenomenon can only be discussed when the information useful for evidentiary proceedings is in the form of digital data. From a technical perspective, “digital data” constitutes an ordered logical sequence of characters recorded on appropriate media, which, after decoding by an IT system, can take the form of human-readable content. Consequently, the evidence itself (understood as specific information) is highly immaterial, even abstract. This characteristic occurs even when the data is stored using the most tangible objects, such as hard drives or CDs. Therefore, the evidence in a case is solely the content of the digital recording, while the digital evidence carrier itself becomes, in essence, merely a “piece of plastic” and a physical medium. From the perspective of evidence theory, data recorded on a computer medium is not a thing. The essence of this distinction is best captured by a forensic analogy: evidence in a case is the information contained on the disk, not the disk itself – just as evidence is a secured fingerprint, not the entire door along with the doorknob on which the fingerprint was left. This information, hidden in a digital structure, can take two forms. On the one hand, these are forms visible to the naked eye to the average system user, such as photos, text files, or programs on a computer. On the other hand, full-fledged digital evidence requires specialized knowledge, as it is found, for example, in system logs, command history, print traces, or metadata. The lack of a legal definition does not constitute any obstacle to the jurisdictional admissibility of digital evidence in the Polish legal system. This fact is confirmed in all key court proceedings. In civil proceedings, the implementation of Article 77 § 3 of the Civil Code neutralizes the technological barrier.
A digital evidence bundle is a structured collection of evidence stored on an electronic medium. It is organized according to a predetermined evidentiary logic (evidence theses). It differs from a standard set of electronic files in that each file is marked to enable its identification during the hearing, and there is a documented link between the theses and specific files. A digital evidence bundle is not a separate legal institution in the Polish legal system. The situation is different in the British legal system. In that system, the bundle (e- bundle) is regulated by general court guidelines for e- bundles, designed to ensure a uniform standard of preparation. In the UK, the bundle must be submitted in PDF format, all pages must be numbered, and the file name must include the case reference number. Furthermore, the UK Supreme Court requires that the bundle index be hyperlinked to the pages or documents to which it refers, and attorneys should refer to the bundle numbering rather than the original page numbers during the hearing. In the Polish digital process, a digital file is not a new, separate means of evidence, but a structured collection of many text and non-text documents, logically and technically linked into one coherent information system, subject to the provisions on documentary evidence (and evidence from other documents.
In the practice of Polish civil courts, the digital file can be presented in two ways
Transfer on a physical data carrier – in light of the analyzed technological neutrality of the document definition, the evidence file may (and, if larger, must) be transferred on a physical carrier such as a flash drive, portable external drive, or DVD. This carrier will be attached to the procedural document (e.g., an evidentiary motion).
Transmission via teleinformatics – e.g. via an information portal (smaller size)
A necessary condition is to maintain the integrity and durability of the data and to provide the opposing party with full access to the same version of the file.
To ensure clarity, the portfolio should have a rigorous and transparent structure. A key element will be an interactive table of contents, modeled after the British e-bundle. This should be a PDF file located in the root directory of the medium. Each item in the table of contents must be a hyperlink, which, when clicked, takes the user to the appropriate source file stored on the medium. The table of contents must also include metadata to facilitate orientation, such as a unique serial number, file name, date of creation, and description.
Effective implementation of a digital evidence folder requires assigning each digital trace to a predefined directory subgroup:
– Includes, among others, digital contracts, general terms and conditions, regulations and other documents in electronic form
– Files in .pdf/ .docx /.txt formats
– Basis: Evidence from a document containing text
– Business correspondence between the parties, commercial threats, offer arrangements, order confirmations
– eml / .msg format (source files) and export of the thread to a searchable .pdf file
– Evidence from a document containing text
– Conversations from applications such as WhatsApp, Messenger, Telegram, Signal, Teams documenting operational arrangements, attempts to induce unfair competition
– Full, non-editable export of chat history to PDF with timestamps, and raw .csv or .json files for IT backup
– Evidence from a document containing text
– Screenshots showing, for example, defamatory social media posts, unlawful use of trademarks
– Format . png /.jpg/. tiff . The screenshot should be made with the URL, system date and time visible.
– Requires metadata enhancement and metadata verification (as to date)
– Depending on what the evidence shows, either from a document containing text or from another document containing an image
– E.g. packaging designs, logos, advertising graphics
– Format: .jpg/ .png / .tiff
– Evidence from other documents (Article 308 of the Code of Civil Procedure)
– Telephone conversation records, dictaphone recordings of negotiations
– Format: .mp3/.wav and text transcription in PDF format
– Evidence from other documents
– E.g. Materials from YouTube and TikTok platforms
– Format: .mp4/ .mkv / .avi
– Evidence from other documents
E.g. Official reports from CRM and SAP systems
Format: PDF with a qualified electronic signature of the issuer
Statistical data (DAT)
For example, raw data from analytical tools
Formats: .xlsx / .csv
If they contain only numbers and tables, they are evidence from other documents
Internet Archives (ARC)
Format: .html / .warc
Evidence from other documents
Metadata (MET)
“Data about data” is crucial for authenticity: technical email headers (establishing the true sending server IP), EXIF photo data (indicating the exact camera model, GPS coordinates, and time the photo was taken), and PDF file properties (revealing the author and the legality of the software).
Formats: .txt/.xml / .json or extracts generated by programs
Metadata is an integral part of the digital document from which it originates.
Evidence theses should be linked by headings in the table of contents (PDF):
E.g. TD-1 (Evidence Thesis No. 1) as a result of the defendant’s breach of contract, the plaintiff suffered damage (LINK) ——> subfolder [TXT] —-> agreement.docx
Pursuant to Article 235 § 1 of the Code of Civil Procedure, I request the admission and taking of evidence from materials collected in section TD-1 of the Digital Evidence Folder filed on a data carrier constituting Annex No. [no.] to this letter, including, according to the table of contents of the folder, the following categories of evidence: analytical documents (TD-1/ANL), screenshots (TD-1/SCR), internet archives (TD-1/ARC) and a metadata and checksum report (TD-1/MET) regarding the scope of dissemination of the information contained in the publication [exact designation: title, URL, date], posted by the defendant via the [name] platform, including: the total number of views of this publication in the period from [date] to [date]; the number of websites that reprinted, quoted or linked to this publication; the secondary reach resulting from sharing by users within and outside the same platform; as well as the persistence of accessibility of the challenged content, as measured by its presence in the search engine index after [number] months from its initial publication. A detailed list of the files comprising section TD-1, along with a description of each, SHA-256 checksums, and hyperlinks to individual documents, is included in the table of contents of the Digital Evidence Folder.
Pursuant to Article 235¹ of the Code of Civil Procedure, I request the admission and taking of evidence from materials collected in section TD-2 of the Digital Evidence Folder filed on a data carrier constituting Annex No. [no.] to this letter, which includes, in accordance with the table of contents of the folder, video files from screen recordings (TD-2/VID), screenshots of interaction sections (TD-2/SCR) and exported comment databases in text/JSON format (TD-2/DAT), regarding the scale and nature of internet users’ interaction with the disputed video material/post [exact designation, URL], posted by the defendant on the [name] platform, including: the total number and dynamics of growth of public reactions (likes, shares, retweets); the number, content and tone of comments posted under the material, in particular those repeating the defendant’s narrative; the degree of audience engagement measured by ER (Engagement Rate) indicators; and the fact and date of the defendant’s modification or deletion of selected comments in order to manipulate public perception, as evidenced by discrepancies in the checksums and metadata of files secured at intervals.
Pursuant to Article 235¹ of the Code of Civil Procedure, I request the admission and taking of evidence from materials collected in section TD-3 of the Digital Evidence Folder submitted on a data carrier constituting Annex No. [No.] to this letter, including extracts from the public Meta Advertising Library (TD- 3/ANL), raw analytical reports in CSV/XLSX format generated from the Meta Ads Manager panel and related settlement invoices (TD-3/TXT), in the event of deliberate, organized and paid increase in the market reach of the defendant’s message, including: the precise period of broadcasting of paid advertising campaigns, the amount of the budget involved and the profit generated; the artificial multiplication of the number of views and unique recipients obtained in this way); geotargeting criteria and demographic targeting aimed at the plaintiff’s market; and, above all, the circumstance of intentional selection of behavioral targeting criteria and interests based on the plaintiff’s brand and customers, which, in the light of Article 3 et seq. UZNK constitutes an action contrary to good practice aimed at unfairly taking over customers.
Internet reach (Reach) is the total number of unique users who have viewed a given piece of content at least once. It is measured using advanced telemetry systems, tracking scripts, and server logs that record unique queries sent by user browsers and applications to the servers storing the content. Reach should be distinguished from Impressions, which define the total number of times content is played or appears on device screens, regardless of whether it was generated by the same person. In summary, the main difference between reach and impressions comes down to the group of people – reach counts unique users (meaning the same person is not counted twice), while impressions count the total number of impressions (which includes impressions generated multiple times by the same person). Engagement is a separate category, requiring active action on the part of the user, such as clicking, liking, or commenting.
With regard to market practice, it should be noted that for the marketing industry, the above-mentioned indicators are among the basic instruments of ongoing analytics, used to evaluate the effectiveness of campaigns and optimize advertising budgets. Passive indicators, such as reach and impressions, allow marketing agencies to determine the upper limits of the sales funnel and estimate brand awareness among the selected target group (audience active metrics, in turn, range from raw engagement, through click -through rates, to advanced metrics such as virality (the ability of information to rapidly spread online through reciprocal shares) and amplification (an indicator measuring how widely content is shared beyond the author’s original audience). They are interpreted as a direct measure of the quality and appeal of the advertising creative. High levels of these parameters mean that the message effectively resonates with audience needs, prompting them to interact and organically distribute the content further. Importantly, in business realities, the marketing industry treats this data as a currency of account, as it is based on them, for example, the market value of influencers. The widespread use and high methodological sophistication of these measurements in marketing give the reports generated by advertising systems a strong mandate of objectivity.
In court practice, these indicators can serve as evidence. The reach indicated by the number of unique users can determine the scale and prevalence of infringements of personal rights. In the context of infringement of personal rights, indicators such as virality can be useful to demonstrate the irreversibility of the effects of the infringement.
When assessing the scale of a tort and estimating the amount of damages or compensation (Article 233 § 1 of the Code of Civil Procedure), a court cannot rely on general statements. It requires hard metrics that illustrate the strength, reach, and dynamics of the unlawful communication. Each leading internet platform operates its own unique data architecture. For digital evidence to be fully understandable and legible to the adjudicating panel, it is necessary to precisely identify and name indicators native to a given online environment. Each of the most popular social media platforms differs in which indicators are most relevant.
X (formerly Twitter) – a text and information platform.
Number of publications – the number of posts (tweets) posted by a given person
Number of mentions – the number of posts that quote a given person’s post
Number of views – an indicator visible under each post, used to show how many times the information appeared on users’ screens
Number of interactions – number of likes, retweets, and bookmarks of the tweet
Number of comments – number of replies to a tweet
Number of followers – determines the size of a person’s profile and may determine the basic reach of the entry
Number of views, audiences and unique users
Number of reactions (like, great, haha, etc.) – important for demonstrating the engagement rate and social reception of a given post
Number of comments and shares
Instagram – a visual and audiovisual platform – is crucial in cases of unfair competition committed by influencers (e.g., failure to indicate collaboration).
Number of views, audience, reach – for stories measured within 24 hours of publication (before it is automatically archived)
Number of interactions, reactions
Number of followers
YouTube is a video platform. As a result, disputes mainly concern defamatory videos or unlawful product placement.
Number of views and total watch time (watch time) is crucial for showing whether the audience watched the entire video or turned it off after a few seconds
Number of interactions or comments (thumbs up and down)
Number of channel subscribers
Tik Tok – short video content based on a recommendation algorithm. Currently, this is crucial when it comes to the virality of a given video or topic.
Number of views
Number of interactions – likes, favorites, shares
Video completion rate – how many users watched the video to the end
LinkedIn – a business platform. Any posts that violate the personal rights of entrepreneurs are of a serious nature due to the greater potential for reaching business partners.
Number of publications, mentions, views
Number of interactions and reactions
Recipient structure – identification of positions, industries, and company sizes
Reddit and other forums of this type, e.g. Wykop – platforms based on threaded structure and user anonymity
The number of interactions and reactions – up or down votes (Upvotes or Downvotes) – determine the position of the thread on the main page of the website and the time of its visibility
Number of comments – entries in the thread
Number of unique users
Blogs and news portals, e.g. Onet, WP, Interia – violations concern in particular press articles or unlawful use of graphics.
Number of publications
Number of unique users and number of views
Time spent on the site
Number of comments under articles
With respect to analytical tools for measuring and verifying metrics in the virtual space, three categories of tools are used in litigation, providing objective evidence with a high level of credibility. The first are native social media platform panels, such as Meta Business Suite, YouTube Studio, X Analytics, and LinkedIn Page Analytics. These, as internal statistical systems of service providers, provide direct insight into relational databases and enable the generation of official analytical reports (filed in the ANL subfolder of the digital file) containing precise structure of views, reach, and audience demographics. In situations where the infringement occurred on third-party profiles or external portals to which the plaintiff does not have administrative access, professional media and internet monitoring systems, such as Brand24, SentiOne, the Institute of Media Monitoring (IMM), and Press-Service, are used. These systems aggregate public mentions in real time, measure the total algorithmic reach, and automatically qualify the sentiment of statements, creating reports that resemble private documents. This set of instruments is complemented by specialized web analytics and market intelligence tools (SEO Tools), including Google Analytics 4, Similarweb, Semrush, Ahrefs and Senuto; they allow for the examination of the number of unique users and page views on the defendant’s external blogs or news portals, proving the intensity of unfair advertising campaigns by a competitor, and demonstrating the dynamics of traffic decline on the plaintiff’s website.
Within the Meta Ads Manager advertising system, system reports and the public Meta Ad Library (powered by extended data under the EU Digital Services Act DSA), you can prove key campaign parameters, such as the exact broadcast period and creative activity status, campaign budget supported by invoices from Meta Platforms , total number of impressions, unique audience (reach), click statistics (including CTR and CPC), as well as precise geotargeting criteria (countries, cities or radii around specific points) and advanced parameters of demographic (age, gender) and behavioral targeting, including interests, Lookalike lists and Custom groups. Audiences are created based on, among other things, email databases and Pixel Meta code. To effectively present this data to a Polish court as digital evidence (e.g., under Article 308 of the Code of Civil Procedure), you must export raw, certified reports from the ad manager panel in .xlsx or .csv formats containing unique Campaign IDs or Ad IDs, create a secure screencast of the login and statistics generation process with a visible URL, SSL certificate, and system time, submit official financial documentation corresponding to the ad account ID, and notarize a public extract from the Ad Library.
Ads data is crucial evidence in unfair competition cases, as it helps demonstrate the scale, intent, content, and target audience of unlawful market activities. In the context of misleading designations of companies, goods, or imitations of products listed in Articles 5, 10, and 13 of the Act on Combating Unfair Competition (UZNK), and unfair advertising under Article 16 of the UZNK, statistics on the number of views and audiences demonstrate the mass nature of the infringement and the degree to which it has caused confusion in the market. Secured graphic and video materials illustrate the very fact of unlawfully copying a product’s external appearance or using a competitor’s trademarks. In turn, precisely demonstrating behavioral targeting based on a competitor’s company or brand name exposes intentional bad faith, involving parasitizing another’s reputation and aggressively acquiring customers, which directly violates good practices and the interests of another entrepreneur, pursuant to the general clause of Article 3 of the UZNK. Moreover, detailed emission parameters, prices, campaign budgets and click statistics constitute a solid basis for demonstrating the dissemination of false information about prices or the legal situation (Article 14 of the Advertising Law), and also allow for a precise estimation of the amount of damage suffered, lost profits or the degree of unjust enrichment of the perpetrator.
Video materials constitute an independent piece of evidence in contemporary civil and commercial proceedings, classified under the Code of Civil Procedure as evidence from devices recording or transmitting images and sounds, to which the provisions on evidence from visual inspection apply accordingly. As with screenshots, raw video recordings are subject to the principle of limited trust due to the risk of manipulation. Therefore, to maintain full procedural immunity and rebuttal, they must be properly recorded along with their network environment. This, in the event of technological disputes, paves the way for specialized verification of their metadata by a computer forensics expert.
Securing and verifying YouTube recordings for legal purposes requires immediate capture of the material in its entirety and without any editing, which is best achieved through screen recording (including audio and visible page context) or using external download tools. For evidence to be credible in court, the circumstances of its recording (who recorded it, when, and on what device) must be precisely described in an evidence log, and the number of file transfers must be minimized, protecting the original metadata. The author’s identity and the authenticity of the video itself are confirmed through content analysis, witness testimony, and, in cases of risk of disinformation and manipulation, using tools such as DataViewer for reverse image search of video thumbnails (which allows for detection of old videos) and geolocation. Because view, reaction, and comment statistics can be deleted or modified by the author at any time, it is crucial to capture them by smoothly scrolling through the interaction section during the screen recording. They can also be demonstrated using external tools such as SocialBlade (if they haven’t been deleted by then). You should also prepare a written transcript of the dialogue in case of technical problems in the courtroom.
Securing and verifying evidence from live streams and disappearing content (such as Instagram Stories, TikTok Live, or streams on Twitch and Kick) requires instant, real-time data capture. For live streams, it’s crucial to simultaneously record the raw stream using command-line tools (e.g., yt-dlp, which will automatically save the recording to disk in real time) and full screen recording (e.g., in OBS Studio) along with dynamic chat. If broadcasts on Twitch and Kick haven’t been deleted, the platforms provide tools for creating clips during the broadcast or from the live stream recording. For time-sensitive content, immediate screen recording with system audio or using mobile certification apps (e.g., TrueScreen ) is the priority, which generate evidence with a qualified timestamp that prevents editing. To ensure the integrity of the chain of custody, secured files must be immediately provided with a SHA-256 checksum (a sequence of numbers and letters that serves as a “cryptographic fingerprint” of a file or document) and the technical parameters of the recording must be precisely described in the protocol, including full URLs and UTC time zones. Due to frequent changes in usernames and pseudonyms, the author’s identity is determined by extracting persistent, unique network identifiers from the source code (such as TikTok ‘s authorId), as well as by analyzing voice, facial, and background characteristics. Identifying the exact publication time of disappearing materials requires finding UNIX timestamps in the browser cache or mathematically reconstructing the time by comparing the relative application time (e.g., “3 hours ago”) with the certified atomic time (e.g., from the time.is website) visible in the recording. Finally, because reach statistics and interaction sections can be deleted at any time, and the publicly invisible view counts of the story prevent direct measurement, it is crucial to capture peak moments of viewership, public reactions and shares by smoothly scrolling the screen or exporting the chat database to structured text files with precise timestamps for each comment.
Metadata, or “data about data,” is structured, precisely defined, and uniformly named information used to describe, identify, organize, and access a specific object, digital resource, or research dataset. It operates based on sets of information units arranged in a structure with definitions and usage rules. Institutions can create these themselves or adopt ready-made standards developed by internationally recognized organizations such as ISO, ANSI, RDA, OpenAire, or Metadata 2020. Within this framework, three main types of metadata are distinguished: descriptive metadata, which provides information necessary to identify or locate a resource (e.g., title, author, keywords, production technique, or history of the object). Structural metadata, which describes relationships and dependencies between collection elements to facilitate navigation. Administrative metadata, on the other hand, assists in resource management (e.g., storage location or insurance premium). Administrative metadata also includes technical metadata, typically created automatically in files such as EXIF (containing, for example, creation date, file type, and resolution), intellectual property rights management metadata, and preservation metadata necessary for archiving and maintaining the resource. From the user’s perspective, consistent application of the schema according to the instructions is crucial, as complete metadata provides information about the structure and limitations of the data, explains its meaning, indicates how to cite it, and is a necessary condition for its understanding and reuse. Digital forensics plays a significant role in analyzing metadata and using it as evidence in proceedings. The process of data analysis in computer forensics is based on methodologies focused on identifying, securing, examining, and presenting digital traces in a manner acceptable to law enforcement. In the context of digital forensics, raw content (e.g., document text, an image in a screenshot) constitutes only the surface layer of evidence. Its full value is achieved only by combining this layer with deep analysis, encompassing metadata, system logs, file change history, user identifiers, as well as location, server, and analytical data. Defining the individual components of the data layer is crucial; in practice, they constitute the essence of computer forensics. The first and most common group are timestamps, precisely defined chronological reference points automatically generated by operating systems or applications, recording the date and time of a specific event. This most often occurs in the form of so-called MAC attributes, documenting the moment of creation, content modification, and last file opening (Access). Their direct extension are system logs, called event logs. They take the form of automatically created, chronological text files or databases. They contain all critical activities, process errors, and correct or incorrect user login attempts recorded by the operating system and running programs. These logs are inextricably linked to the file change history, a sequence of digital traces illustrating the entire evolution and modifications to which a given resource has been subjected throughout its lifecycle. This history reveals sequences of overwriting, deletion, or addition of data sections, allowing for the reconstruction of the original file content before editing. To assign these operations to a specific entity, digital experts forensics examine user identifiers, which are unique alphanumeric, numeric, or address strings permanently assigned to a specific account in a system, corporate network, or online platform. These identifiers are used for authorization and are automatically associated with every action performed by a given profile. Location data (geolocation) provides additional physical and geographical context. This information identifies the physical geographic location of a device based on raw GPS coordinates, cellular base station (BTS) identifiers, or Wi-Fi MAC addresses. These data are often automatically embedded in the structure of multimedia files. All these operations are embedded in the network architecture, recorded by server data, including HTTP server Access Logs and DNS records, which record the client’s IP address, the exact date of the request, the HTTP method, the URL, and the User-Agent string identifying the user’s browser type and operating system. The final link in this structure is analytical data generated by external tracking systems and scripts (e.g., Google Analytics, Meta Pixel), which aggregate the behavior of thousands of unique users online, measuring parameters such as the number of unique users, page views, click-through rates, etc. Only such a comprehensive approach to these seven technical components allows computer forensics to go beyond the layer of raw, visual description of data and reach its digital foundation.
In civil and commercial cases, where key evidence consists of digital traces, statistical reports, or screenshots, expert witness testimony becomes a key instrument for fact-checking. The main advantage of engaging an expert witness is that it gives the collected network traces substantive, indisputable probative value. Pursuant to Article 278 § 1 of the Code of Civil Procedure, expert witness testimony is conducted when the assessment of a specific issue requires specialized knowledge, beyond the knowledge of an average person. This procedure is formally initiated by filing an application meeting the requirements of a procedural document (Article 126 of the Code of Civil Procedure), in which the party identifies the facts to be ascertained and specifies the expert’s desired specialization. After hearing the parties’ submissions, the court issues a decision on the admission of evidence, appointing an expert from the list of the president of the district court or appointing an ad hoc expert, formulating an evidentiary thesis, and setting a deadline for preparing the expert’s opinion. After receiving the decision and possibly reviewing the case files or the subject of the inspection, the expert, acting under penalty of perjury and pursuant to an oath, begins research activities, culminating in the preparation of a reasoned opinion in writing or its oral presentation in the transcript. In civil and commercial proceedings, expert opinions in this field are most often used in cases involving the verification of digital evidence provided by the parties – its authenticity and the content thereof.
Screenshots are defined as a specific recording of the current image displayed on a computer monitor, tablet, smartphone, or other device equipped with a display. In essence, they constitute a type of digital “photograph” or “still” that permanently captures and depicts the content currently being generated on the screen. Under Polish civil procedure and the case law of common courts and the Supreme Court, printouts and files containing screenshots have the status of evidence in the case. In court practice, a screenshot is most often classified as private document evidence (constituting an information carrier enabling review of its content and confirming the submitter’s assertion of specific circumstances) or as other evidence within the meaning of Article 309 of the Code of Civil Procedure. Screenshots are widely used, among others, in family matters (documenting parents’ conversations), consumer matters (shop offers, prohibited clauses in regulations), copyright infringements (use of a protected photo) or disputes over the infringement of reputation and personal rights on social networking sites, forums and blogs.
The main limitation of this evidence is that it is subject to the principle of limited confidence due to its susceptibility to simple and arbitrary interference. Parties to the proceedings frequently challenge the authenticity of screenshots, alleging that they can be easily modified, are incomplete, taken out of context, or have partially removed content. The mere submission of a single screenshot does not determine the veracity of the facts, and this evidence only demonstrates that a computer recording of specific content existed at the time the recording or printout was made. The Court of Appeal in Warsaw (ref. no. I ACa 2111/15) explicitly stated that the potential ease of modification does not deprive a screenshot of its evidentiary value; however, it requires the court to conduct a thorough analysis. The Court of Appeal in Kraków adopted a similar approach in judgment I ACa 315/16. An additional limitation is the legality of the source of their acquisition, as malicious actions or hacking into the application in order to perform a dump may result in criminal liability for violating the secrecy of correspondence and result in the rejection of evidence by the court.
To increase the credibility of screenshots and protect against allegations of manipulation, additional archiving or procedural measures are necessary. The evidentiary value of a screenshot can be enhanced by securing the page in digital form (saving it on a hard drive or in the cloud) or by preparing a proper protocol by a notary, who will personally confirm the credibility and existence of the content. Furthermore, it is crucial that the screenshot is accompanied by other electronic documents and objective verification data. From a procedural perspective, the evidentiary value of screenshots varies progressively depending on their degree of IT integration, with the screenshot itself, devoid of additional elements, having the lowest probative value. In such cases, it merely constitutes a private document demonstrating that a computer recording of specific content existed at a given moment. However, due to the widespread and easy possibility of graphic modification, it is most susceptible to challenge by the opposing party. A screenshot presented with an analytical report has slightly higher and more objective value. It constitutes enhanced evidence, in which the raw image is supplemented with external system data, allowing for a precise demonstration in court of the scale, dynamics, and situational context of the digital tort being analyzed. The probative value of the screenshot with metadata option is low to medium, as submitting the original, source image file only allows for the identification of the device and recording time. The raw metadata of the image file only documents the moment the image itself was created. The highest probative value, fully accepted and sanctioned by, among others, the case law of the Court of Justice of the European Union, is characterized by a screenshot combined with a parallel website archive. Combining screenshots with information from independent internet archives, which store copies of the historical code of websites and record any changes made to it, undoubtedly confirms that specific content, statements or graphic materials were actually published on a specific date, while the potential technical possibility of subsequent modification of the website by its author does not invalidate the probative value of such a package, as external data from digital archives effectively verifies and confirms the full authenticity of the submitted screenshot.
Digital events that are procedurally significant, such as the publication of a defamatory post, the launch of an advertising campaign that violates personal rights or the principles of fair competition, are rarely one-off and momentary phenomena. In fact, they constitute processes spread over time, composed of successive stages, each of which leaves a separate, identifiable digital trace. A complete reconstruction of these stages in the form of a chronological timeline evidence) performs a function similar to that of a protocol recording the course of events in real time, the integration of which requires specialist knowledge and methodology.
This is the starting point of the entire timeline. Reconstructing moment zero requires determining the exact date and time of the first publication, with at least minute accuracy (via a timestamp in the platform’s metadata, HTTP headers of the server response, or the WARC archive from the first dump); the URL at which the content was available, including the permalink or canonical URL, which identifies the content regardless of subsequent address changes; the identity of the author or account from which the publication was made (e.g., through the user ID in the page’s source code, domain WHOIS data, email headers notifying about a new entry); and the original content in its entirety, before any subsequent edits (the source could be the first WARC or MHTML archive, a copy from the Google Cache, or a record in the Wayback Machine).
The start of an advertising campaign – equivalent to the moment the content is published. It has particular evidentiary significance in cases involving acts of unfair competition. The reconstruction of this layer is based, among other things, on data from the Meta Ad Library.
This layer reconstructs the mechanism by which content first spread beyond the original publication. This is key evidence for demonstrating that the violation has spread beyond the author’s immediate followers and has become public. Data for this layer’s reconstruction comes from publicly available sharing data (e.g., retweets on X) or through media monitoring tools. The reconstruction report should present this layer as a map of the initial distribution nodes, using a graph or table indicating which platforms and when the content reached within the first 24-48 hours of publication.
This layer documents the acceleration of the phenomenon, meaning the moment the content ceased to be a niche post and began to generate significant user engagement. Its reconstruction is crucial for demonstrating that the violation was not a marginal event. Data needed to establish this includes a daily or hourly chart of the increase in the number of likes, comments, shares, and views obtained by exporting data from the platform’s dashboard or analytical tools; identification of the moment the content exceeded virality thresholds ; and data on the engagement of high-reach accounts that shared the content, which provides evidence that the plaintiff’s damaged reputation reached influential circles.
This layer documents the territorial and demographic extension of the publication’s impact, which may be important both for assessing the scale of damage and for establishing jurisdiction in cross-border cases, e.g., by determining the place where the damage was caused under the Brussels Ia Regulation. This data is obtained from geolocation reports of some platforms, showing the countries and regions from which users came, as well as the demographic data of the recipients (gender and age indicated when creating an account).
This layer documents the qualitative dimension of the publication, i.e., how recipients reacted to the published content, which can, for example, be the basis for demonstrating that the infringement actually harmed the plaintiff’s reputation and did not go unnoticed. Reconstruction of this layer includes, among other things, a sentiment analysis of comments and mentions from social media monitoring tools, indicating the percentage distribution of positive, neutral, and negative reactions towards the plaintiff or company during the period under review; and the provision of representative quotes from the comments, e.g., in the form of screenshots. In the reconstruction report, this layer should be presented with methodological caution, as sentiment analysis generated automatically by monitoring tools is not always fully reliable and should be verified by an expert or accompanied by information about the algorithm’s margin of error.
This is the final layer of the timeline and is the most important for demonstrating pecuniary or non-pecuniary damage within the meaning of Article 361 of the Civil Code. It documents the measurable consequences of the infringement on the plaintiff’s business. Evidence in this layer may include data showing a decline in organic traffic on the plaintiff’s website in correlation with the escalation of the infringement (daily session chart, bounce rate, average session time before and after the infringement); data from the plaintiff’s CRM or ERP system documenting a decline in the number of quotations; data from e-commerce platforms, e.g., Allegro, Amazon, showing changes in sales volume or the number of views of the plaintiff’s offers; documentation of costs incurred in managing the reputational crisis, e.g., invoices from PR agencies, costs of remedial advertising campaigns, legal costs in the pre-litigation phase; and reports from industry media or specialized market monitoring services that noted the infringement and its effects.
The reconstruction report should be a PDF document with a qualified electronic signature and a certified time stamp. Its structure should include a title page with the file reference number, date of preparation, and author information; a chronological timeline in graphical form with key points for each layer; an event and evidence correlation table linking each event on the timeline to the source file reference number in the digital evidence folder; and a narrative description of each layer with references to specific file reference numbers and folder page numbers.
Such a report, incorporated into a digital file, becomes a key orientation document for the court and allows for understanding the entire evidence without having to independently review hundreds of source files, constituting the procedural equivalent of the dispute plan used in English and American proceedings.
The description of digital evidence in a lawsuit or a procedural document containing an evidentiary motion serves a much broader purpose than traditional evidence labeling. Digital evidence, when included in a multi-gigabyte digital evidence file, requires a description that allows the court to understand its technical nature, origin, method of acquisition, and relationship to the evidentiary thesis. This description therefore fulfills four distinct procedural functions. The first is the identification function, as it precisely identifies the evidence with a signature, file name, and location within the file, making it uniquely identifiable at every stage of the proceedings, during the hearing, and in the transcript. The second is the verification function, fulfilled by providing the SHA-256 checksum and the date of acquisition, allowing the opposing party and the court to verify whether the submitted file is identical to the one that formed the basis of the claims in the lawsuit. The third is the contextualizing function, a substantive description and an indication of the connection with the factual situation allows the court to understand, already at the stage of reading the claim, what specific fact a given file is used to prove.
The digital evidence description template should be used consistently for each item in the digital evidence index. Below is an example of a professional description template for a text document.
The evidence ID is TD-1/TXT/0001. The file name in the folder is distribution_agreement_2026-01-16.pdf, and the original source file name is Sales Agreement No. 12/2026.pdf. The date the evidence was obtained is June 16, 2026, which is the date the file was included in the digital evidence folder and the checksum was calculated. The source of the evidence is the plaintiff’s electronic mailbox: a file attached to an email dated January 16, 2026, sent by the defendant from j.kowalski@pozwani.p. The file’s SHA-256 checksum is a3f1d8…9b2c (the full string in file TD-1/MET/0001 of the digital folder).
The technical description indicates that the evidence is an 842 KB PDF/A-1b file with a searchable text layer. The file does not contain active scripting or embedded multimedia. The document’s metadata identifies the author as Jan Kowalski, the creation date as January 14, 2026, 10:47:22 UTC, and the file was generated using Microsoft Word 2019. The metadata was extracted using exiftool version 12.60 and archived in file TD-1/MET/0001.
The substantive description indicates that the file contains an agreement signed by both parties for the exclusive distribution of the plaintiff’s products in the Masovian Voivodeship, concluded for a period of three years from March 15, 2022. Paragraph 7 of the agreement prohibits the defendant from conducting parallel distribution of products competing with the plaintiff’s product range. Paragraph 12 specifies contractual penalties for violating this prohibition at PLN 50,000 for each identified violation.
The evidentiary thesis for this evidence is: the fact that the parties concluded distribution agreement No. 12/2026 on 16 January 2026, the content of the defendant’s obligation to provide exclusive distribution and prohibit the distribution of competitive products, the amount of the stipulated contractual penalties, as well as the fact that the defendant submitted a declaration of intent with the content corresponding to paragraph 7 of this agreement, which demonstrates his full awareness of the limitations imposed on him.
The connection with the factual circumstances lies in the fact that this evidence constitutes the primary source of the legal relationship between the parties. A finding of violation of the prohibition by the defendant, documented by further evidence from section TD-2 of the file, is possible only by reference to the content of the contractual obligation arising from this document.
A sample summary table for cases involving multiple files, which replaces the separate listing of each piece of evidence in the procedural document. A separate table should be created for the most important pieces of evidence.
Contemporary commercial disputes unfold in two parallel realities. The first is the traditional, paper-based reality, well-known to civil litigation theory and practice, which is gradually losing its significance. The second is the digital, networked reality, generating billions of electronic traces daily and becoming the dominant environment in which contracts are concluded, negotiations are conducted, marketing campaigns are launched, infringements are committed, and damages are inflicted. The paradox is that procedural law, which is formally prepared for this change, for example, thanks to an open catalog of evidence and the technologically neutral definition of a document in Article 77³ of the Civil Code. However, in court practice, it is still often applied through the prism of categories developed for the paper-based reality. The main thesis of this article is simple and yet practically significant: evidence in 21st-century commercial cases cannot be limited solely to traditional paper documents, because the facts crucial to resolving a dispute increasingly do not exist in paper form at all. A contract concluded through an exchange of messages on corporate messaging, a violation of a non-compete clause documented in system logs – none of these events leave a paper trail. They exist solely as digital data, and their occurrence, content, and effects must be proven using appropriate methods and tools.
The online activity of businesses, as well as their contractors, competitors, and customers, leaves a vast amount of digital traces that are susceptible to analysis. As demonstrated in the individual chapters of this article, these traces include not only obvious electronic documents such as text files and emails, but also metadata and analytical data from social media platforms. The key to the effectiveness of this evidence, however, is its proper preparation, security, and presentation. A raw screenshot devoid of metadata and an online archive has minimal evidentiary value and is easily challenged. The same screenshot, provided with a qualified timestamp, supported by a parallel archive, supplemented by an analytical report documenting reach and sentiment, and integrated with a timeline reconstructing the course of events, becomes highly persuasive evidence, difficult to refute even with an active defense by the opposing party.
The concept of a digital evidence folder, proposed in this article as an adaptation of the Anglo-Saxon electronic institution trial Bundle, a Polish civil procedure tool, addresses a fundamental procedural challenge: how to present tens or hundreds of gigabytes of electronic data to the court in a way that is understandable, verifiable, and procedurally efficient. A bundle is not a new piece of evidence, but an organizational tool that organizes existing evidence according to the logic of evidentiary thesis, assigns each file a unique reference number, links evidence to facts, ensures the integrity of the file, and enables immediate retrieval of each piece of evidence during the hearing via an interactive table of contents with hyperlinks. A properly prepared digital evidence bundle is one of the most effective tools for presenting evidence in court. First, it forces the attorney to select and prioritize the material before filing a procedural document, eliminating chaotic and overwhelming collections of unselected files. Secondly, it makes the evidence transparent for the opposing party and the court, because each piece of evidence is described, classified and linked to a specific thesis, which eliminates the objection of ambiguity and facilitates an effective defense or procedural attack.
The analysis conducted in this article reveals significant regulatory gaps, the filling of which would significantly improve the effectiveness of evidence in cases involving digital materials. These proposals are both legislative and quasi-legislative in nature, involving standardization through case law and court rules.
The first and most important proposal is to introduce a legal definition of digital evidence into the Code of Civil Procedure. While the lack of such a definition does not prevent the taking of electronic evidence, it generates terminological uncertainty in case law and doctrine, leading to inconsistent assessment of the evidentiary value of the same categories of materials by different adjudicating panels. The definition should encompass all information recorded in the form of digital data, of value to ongoing proceedings, stored, downloaded, or transmitted via an electronic device.
The second postulate is the introduction of the English Practice Rules into the court regulations. The e- bundle guidelines should standardize the presentation of electronic evidence in cases where it exceeds a certain volume or number of files. Such regulations should mandatorily require: a uniform file identification system, a table of contents in PDF format with hyperlinks, and the provision of identical copies of the medium to the court and the opposing party no later than a specified number of days before the hearing. This solution, implemented without amending the law through orders of court presidents or guidelines from the Minister of Justice, would immediately improve the evidentiary culture in proceedings involving mass digital evidence.
Tacij Przemysław, Digital content and uncertified copies as evidence in civil proceedings
Lewulis Piotr, Social Media as a Source of Evidence in Civil Cases: Results of a Preliminary Survey Among Attorneys and Legal Counselors
Rafał Prabucki, Metadata related to a document and evidentiary proceedings in a civil trial
Wręczycka Katarzyna, Electronic evidence in civil proceedings
Nowak Mariusz, Types of electronic evidence in civil proceedings