Synthetic Law

Polish Supreme Court: Cookies Are Not Always Personal Data

Dariusz Czuchaj
Oct 22, 2025By Dariusz Czuchaj

October 16, 2025 

In a significant victory for digital businesses and a nuanced interpretation of GDPR, Poland's Supreme Administrative Court (Naczelny Sąd Administracyjny) has sided with a company in a case that challenges the automatic classification of IP addresses and cookie IDs as personal data. The ruling, issued on October 16, 2025, represents a critical moment in European data protection jurisprudence.

The dispute began when an individual, J.O., filed a complaint with the Polish Data Protection Authority (PUODO - Prezes Urzędu Ochrony Danych Osobowych) against a company, alleging improper processing of his personal data. Specifically, the complainant argued that the company processed his IP address and artificially assigned cookie IDs without a legal basis.

The Data Protection Authority initially sided with the complainant, issuing a decision that ordered deletion of the IP address and cookie IDs and required notification to third parties who received this data.

However, both lower courts and ultimately the Supreme Administrative Court found critical flaws in the Authority's reasoning.

The Supreme Administrative Court's core holding is straightforward yet profound: Internet identifiers like IP addresses and cookie IDs are not automatically personal data under GDPR.

The Court ruled that the Data Protection Authority failed to properly establish whether these digital identifiers actually constituted personal data in the specific circumstances of the case. This determination, the Court emphasized, requires a contextual analysis rather than blanket assumptions.

Main findings: 

The Data Protection Authority's decision failed to even determine which type of IP address was involved in this case - a fundamental oversight that proved fatal to their ruling.Drawing on GDPR's Recital 26, the Court articulated a sophisticated test for determining when identifiers constitute personal data.

Critically, the Court referenced the landmark EU Court of Justice case Breyer (C-582/14), which established that a dynamic IP address may constitute personal data for a website operator only if they have legal means to obtain additional information from the Internet service provider that would allow identification.

The Court applied similar reasoning to cookie identifiers. The Authority had cited the CJEU's Planet49 case (C-673/17) to support treating cookie IDs as personal data. However, the Supreme Court noted a critical distinction: in Planet49, cookies were linked to registration forms where users provided names and addresses. This connection enabled personalization and identification.

The Court concluded that Planet49's holding about cookies involving personal data processing "cannot be considered a proper explanation" for classifying cookie IDs as personal data in circumstances where no connecting information exists.

The Court acknowledged an important principle: identification in the digital environment doesn't require knowing someone's name and address. Digital identification involves distinguishing one user from others for the purpose of exerting specific influence.

However, this doesn't mean that any form of digital distinction automatically constitutes personal data. The Court emphasized that proper analysis must consider whether there's a reasonable likelihood of identifying the natural person behind the digital identifier.

The Supreme Administrative Court stated unequivocally: "There are no grounds to conclude that an IP address - regardless of whether it is static or dynamic, regardless of who controls it, and regardless of what possibilities exist to use it for identifying a natural person - should always be treated as personal data."

The Broader European Context
While this is a Polish court decision, it contributes to evolving European jurisprudence on digital identifiers. The Court carefully analyzed CJEU precedents (Breyer, Planet49) and applied them with appropriate attention to factual distinctions.

The ruling aligns with GDPR's fundamental principle that data protection measures should be proportionate and risk-based. It reinforces that the regulation's scope, while broad, is not unlimited.

Related CJEU Cases:

Breyer (C-582/14) - Dynamic IP addresses
Planet49 (C-673/17) - Cookie consent and personal data
 
This analysis is based on the official court ruling and does not constitute legal advice. Organizations should consult with qualified data protection professionals regarding their specific circumstances.