Polish Supreme Administrative Court Requires DPAs to Prove Identifiability Before Treating IP Addresses and Cookie IDs as Personal Data
Background
The proceedings began with a complaint submitted by an internet user who alleged that a Warsaw-based company had improperly processed his IP address and cookie ID, including by sharing them with third parties and failing to comply with requests for information and a copy of personal data. In response, the President of the Personal Data Protection Office (UODO) issued a decision ordering the company to delete the identifiers and notify third parties of their deletion, and issued reprimands for violations of Articles 6, 15 and 17 GDPR. The company appealed to the Voivodeship Administrative Court in Warsaw, which annulled the decision. The court found that UODO had not established a fundamental prerequisite of GDPR applicability: whether the processed identifiers were, in the circumstances of the case, personal data. The data subject’s identifiability must be examined in light of technical and legal means reasonably available to the controller, and not presumed from general considerations about the nature of online identifiers. UODO filed a cassation complaint, which the Supreme Administrative Court rejected in its entirety.
Judgement
The Supreme Administrative Court confirmed that identifiability under Article 4(1) GDPR is a contextual concept rather than an automatic consequence of processing an IP address or cookie ID. It stressed that Recital 26 GDPR requires an assessment of whether the controller or another party has reasonably available means to identify the individual, taking into account objective factors such as cost, time, and technological capabilities. The Court found that UODO had not conducted such an assessment and had instead assumed identifiability from the outset of the administrative proceedings.
A central part of the reasoning concerned the distinction between static and dynamic IP addresses. Static addresses may allow the identification of a device and, indirectly, its user, if they are assigned permanently or for long periods. Dynamic addresses, however, require additional information from the internet service provider, which is not automatically available to website operators. The Court noted that UODO failed to determine whether the IP address in this case was static or dynamic, and did not examine whether the company had any legal or practical means to obtain subscriber information. As a consequence, UODO did not demonstrate that the company was capable of identifying the user at the time the data was processed.
The Court also held that cookie IDs are not inherently personal data. It recalled that in Planet49, the cookie identifier became personal data because it was combined with identifying information voluntarily supplied by the user. In the present case, the user had not entered any such information, and UODO did not establish that the cookie ID, viewed in isolation or in combination with the IP address, enabled the identification of a natural person. The Court stressed that identification must relate to a person, not merely to a device or browser session, and that this distinction was missing from the authority’s reasoning.
A further deficiency concerned UODO’s failure to comply with fundamental procedural obligations under the Administrative Procedure Code. The authority did not gather relevant evidence, did not analyse the company’s explanations regarding the technical limitations of identification, and provided an inadequate justification that did not allow for proper judicial review. The Court emphasised that the correctness of an administrative decision must be evaluated solely on the basis of its reasoning and the evidence collected during the proceedings, and cannot be supplemented by arguments presented only in litigation.
Ultimately, the Court concluded that UODO had not shown that the company processed personal data within the meaning of Article 4(1) GDPR at the time the user visited the website. Without establishing identifiability, the authority lacked grounds to find a violation of the GDPR, which rendered its decision unlawful.
This judgment is a significant contribution to the interpretation of the concept of personal data in the online environment. It reaffirms that identifiability is not presumed but must be demonstrated through a clear, evidence-based assessment. The ruling aligns national case law with the reasoning of the Court of Justice in Breyer, where dynamic IP addresses were considered personal data only when the controller could realistically obtain additional identifying information, and with the nuanced approach taken in Planet49.
For controllers, the ruling underscores the importance of documenting the technical realities of processing identifiers and the limits of their ability to identify users. For supervisory authorities, it signals that procedural rigor, particularly in establishing identifiability, is indispensable before applying GDPR obligations. While IP addresses and cookie IDs often will amount to personal data in practice, this judgment makes clear that such a conclusion cannot be reached without proper factual and legal analysis.
The Polish Supreme Administrative Court’s approach seems to fit within the logic developed by the Court of Justice in its 2025 SRB judgment (C-413/23 P). In SRB, the Court insisted that classifying information as “personal data” cannot be abstract or assumption-driven, but must be grounded in an assessment of whether identification is realistically possible for the actor concerned, taking into account technical and organisational safeguards such as pseudonymisation. The CJEU explicitly rejected a categorical stance that all pseudonymised or indirectly linkable data automatically qualify as personal data, emphasising instead a contextual analysis based on “reasonable likelihood” and objective means of identification. This reasoning mirrors the Supreme Administrative Court’s criticism of the Polish DPA for skipping the evidentiary examination of whether the controller could, in fact, identify the website user.
The judgment also lands in a broader European debate in which the very scope of the definition of personal data remains contested. This is sharply illustrated by the most recent preliminary reference from the German Federal Court of Justice in Case C-654/25 (Undelam), which explicitly asks the CJEU to clarify whether a dynamic IP address constitutes personal data merely because some third party, such as an ISP or public authority, could identify the user, or whether identifiability must be assessed strictly from the perspective of the controller or recipient involved in the transfer. The German court also raises the question whether merely hypothetical legal avenues for identification are sufficient, or whether identifiability requires that the legal and factual conditions for obtaining subscriber information are actually met in the individual case.
The European Commission’s recent legislative initiative under the Digital Omnibus Package proposes to revise the definition of personal data in Article 4(1) GDPR. The EC wants to codify in the regulation the approach of the SRB judgment by clarifying that information is not personal data for a given entity when that entity cannot identify the natural person using means reasonably likely to be employed. Under the proposed Article 41a, the Commission would also be empowered to adopt implementing acts establishing technical measures and assessment criteria for determining when pseudonymised data can no longer be considered personal data. It remains, however, too early to predict whether these amendments will survive the legislative process or emerge in their current form, given the political sensitivity and conceptual complexity surrounding the definition of personal data.
Article provided by INPLP members: Xawery Konarski and Mateusz Kupiec (Traple Konarski Podrecki & Partners, Poland)
Dr. Tobias Höllwarth (Managing Director INPLP)
