Polish Supreme Administrative Court Requires DPAs to Prove Identifiability Before Treating IP Addresses and Cookie IDs as Personal Data
In a significant judgment issued on 16 October 2025 (III OSK 2595/22), the Polish Supreme Administrative Court (NSA) held that the data protection authority (UODO) cannot assume that IP addresses and cookie identifiers always constitute personal data. Instead, the authority must demonstrate - based on objective, case-specific factors - that an individual is identifiable within the meaning of Article 4(1) GDPR. The ruling strengthens procedural rigor in GDPR enforcement and reinforces the contextual approach to identifiability reflected in CJEU case law, including Breyer and Planet49.
Background
The proceedings began with a complaint submitted by an internet user who alleged that a Warsaw-based company had improperly processed his IP address and cookie ID, including by sharing them with third parties and failing to comply with requests for information and a copy of personal data. In response, the President of the Personal Data Protection Office issued a decision ordering the company to delete the identifiers and notify third parties of their deletion, and issued reprimands for violations of Articles 6, 15 and 17 GDPR. The company appealed to the Voivodeship Administrative Court in Warsaw, which annulled the decision. The court found that UODO had not established a fundamental prerequisite of GDPR applicability: whether the processed identifiers were, in the circumstances of the case, personal data. The data subject’s identifiability must be examined in light of technical and legal means reasonably available to the controller, and not presumed from general considerations about the nature of online identifiers. UODO filed a cassation complaint, which the Supreme Administrative Court rejected in its entirety.
Judgment of the Supreme Administrative Court
The Supreme Administrative Court confirmed that identifiability under Article 4(1) GDPR is a contextual concept rather than an automatic consequence of processing an IP address or cookie ID. It stressed that Recital 26 GDPR requires an assessment of whether the controller or another party has reasonably available means to identify the individual, taking into account objective factors such as cost, time, and technological capabilities. The Court found that UODO had not conducted such an assessment and had instead assumed identifiability from the outset of the administrative proceedings.
A central part of the reasoning concerned the distinction between static and dynamic IP addresses. Static addresses may allow the identification of a device and, indirectly, its user, if they are assigned permanently or for long periods. Dynamic addresses, however, require additional information from the internet service provider, which is not automatically available to website operators. The Court noted that UODO failed to determine whether the IP address in this case was static or dynamic, and did not examine whether the company had any legal or practical means to obtain subscriber information. As a consequence, UODO did not demonstrate that the company was capable of identifying the user at the time the data was processed.
The Court also held that cookie IDs are not inherently personal data. It recalled that in Planet49, the cookie identifier became personal data because it was combined with identifying information voluntarily supplied by the user. In the present case, the user had not entered any such information, and UODO did not establish that the cookie ID, viewed in isolation or in combination with the IP address, enabled the identification of a natural person. The Court stressed that identification must relate to a person, not merely to a device or browser session, and that this distinction was missing from the authority’s reasoning.
A further deficiency concerned UODO’s failure to comply with fundamental procedural obligations under the Administrative Procedure Code. The authority did not gather relevant evidence, did not analyse the company’s explanations regarding the technical limitations of identification, and provided an inadequate justification that did not allow for proper judicial review. The Court emphasised that the correctness of an administrative decision must be evaluated solely on the basis of its reasoning and the evidence collected during the proceedings, and cannot be supplemented by arguments presented only in litigation.
Ultimately, the Court concluded that UODO had not shown that the company processed personal data within the meaning of Article 4(1) GDPR at the time the user visited the website. Without establishing identifiability, the authority lacked grounds to find a violation of the GDPR, which rendered its decision unlawful.
This judgment is a significant contribution to the interpretation of the concept of personal data in the online environment. It reaffirms that identifiability is not presumed but must be demonstrated through a clear, evidence-based assessment. The ruling aligns national case law with the reasoning of the Court of Justice in Breyer, where dynamic IP addresses were considered personal data only when the controller could realistically obtain additional identifying information, and with the nuanced approach taken in Planet49.
For controllers, the ruling underscores the importance of documenting the technical realities of processing identifiers and the limits of their ability to identify users. For supervisory authorities, it signals that procedural rigor, particularly in establishing identifiability, is indispensable before applying GDPR obligations. While IP addresses and cookie IDs often will amount to personal data in practice, this judgment makes clear that such a conclusion cannot be reached without proper factual and legal analysis.
The Polish Supreme Administrative Court’s approach seems to fit within the logic developed by the Court of Justice in its 2025 SRB judgment (C-413/23 P). In SRB, the Court insisted that classifying information as “personal data” cannot be abstract or assumption-driven, but must be grounded in an assessment of whether identification is realistically possible for the actor concerned, taking into account technical and organisational safeguards such as pseudonymisation. The CJEU explicitly rejected a categorical stance that all pseudonymised or indirectly linkable data automatically qualify as personal data, emphasising instead a contextual analysis based on “reasonable likelihood” and objective means of identification. This reasoning mirrors the NSA’s criticism of the Polish DPA for skipping the evidentiary examination of whether the controller could, in fact, identify the website user.
The judgment also lands in a broader European debate in which the very scope of the definition of personal data remains contested. This is sharply illustrated by the most recent preliminary reference from the German Federal Court of Justice in Case C-654/25 (Undelam), which explicitly asks the CJEU to clarify whether a dynamic IP address constitutes personal data merely because some third party, such as an ISP or public authority, could identify the user, or whether identifiability must be assessed strictly from the perspective of the controller or recipient involved in the transfer. The German court also raises the question whether merely hypothetical legal avenues for identification are sufficient, or whether identifiability requires that the legal and factual conditions for obtaining subscriber information are actually met in the individual case.
The European Commission’s recent legislative initiative under the Digital Omnibus Package proposes to revise the definition of personal data in Article 4(1) GDPR. The EC wants to codify in the regulation the approach of the SRB judgment by clarifying that information is not personal data for a given entity when that entity cannot identify the natural person using means reasonably likely to be employed. Under the proposed Article 41a, the Commission would also be empowered to adopt implementing acts establishing technical measures and assessment criteria for determining when pseudonymised data can no longer be considered personal data. It remains, however, far too early to predict whether these amendments will survive the legislative process or emerge in their current form given the political sensitivity and doctrinal complexity surrounding the definition of personal data.
Article provided by INPLP members: Xawery Konarski and Mateusz Kupiec (Traple Konarski Podrecki & Partners, Poland)
Dr. Tobias Höllwarth (Managing Director INPLP)
