GDPR and the Internet – 10 Key Judgments of the Supreme Administrative Court and the Court of Justice of the European Union

1. No automatic classification of IP addresses and other online identifiers as personal data

In a judgment of 16 October, 2025 (case no. III OSK 2595/22), the Supreme Administrative Court (NSA) held that the mere processing of information on IP addresses and cookie identifiers does not automatically mean that such information always constitutes personal data. The NSA agreed with the court of first instance that the GDPR does not determine whether online identifiers such as IP addresses or cookie identifiers should always be regarded as personal data, or rather as one of the factors (‘traces’) that may enable the identification of a natural person.

Consequently, in proceedings conducted by the supervisory authority, it is the responsibility of the authority (the Polish Data Protection Authority – PUODO) to demonstrate—on the basis of the circumstances of the specific case—that the identification of a person is reasonably likely, in accordance with the guidance set out in Recital 26 of the GDPR.

2. Pseudonymisation of personal data – legal consequences for the controller

In a judgment of 4 September, 2025 (case C-413/23), in European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB), the Court of Justice of the European Union (CJEU) held that a controller who has pseudonymised data usually possesses—as was the case in the proceedings at hand—additional information enabling the identification of data subjects. Therefore, despite pseudonymisation, such data is personal data for that controller.

As a result, the controller remains bound by the obligations laid down in the GDPR, including the obligation to inform data subjects of the recipients of the data (Article 13(1)(e) GDPR). It is irrelevant that the recipient of the pseudonymised data is unable to re-identify the data subjects and that the data therefore does not constitute personal data from the recipient’s perspective.

This judgment concerns a situation frequently encountered on the Internet - namely the pseudonymisation of personal data. It confirms that for the controller performing this operation, such information will often still constitute personal data. The CJEU also emphasised that when determining whether information constitutes personal data, the means reasonably available to the specific entity must be taken into account. Accordingly, for recipients of pseudonymised data, such data will often not qualify as personal data.

3. The household exemption on the Internet

In a judgment of 20 May, 2025 (case no. III OSK 1101/24), the Supreme Administrative Court held that the publication of another person’s personal data on the Internet within a closed group comprising several thousand members does not fall within the purely personal or household exemption (Article 2(2)(c) GDPR).

According to the NSA, publishing another person’s personal data on closed social networking platforms does not constitute processing of a purely personal or household nature where the person posting the data is not the administrator of the community and does not personally select its members, but merely joins an existing closed group online.

The significance of this judgment lies in narrowing the extent to which users of various closed groups (forums) on the Internet can invoke the household exemption. At the same time, the Court emphasised the GDPR-based liability of users who publish other persons’ data in such groups without their consent.

4. Inferred data about Internet users as sensitive data

In a judgment of 4 July, 2023 (case C-252/21), in Meta Platforms Inc. and Others v Bundeskartellamt, the CJEU held that Meta processes special categories of personal data within the meaning of Article 9(1) GDPR when users visit websites or applications and use integrated buttons (such as Like or Share), thereby providing various information which Meta then links to users’ social network accounts and uses in a manner that may reveal information falling within one or more special categories of data under Article 9 GDPR.

The crucial issue is that such data allows sensitive information (e.g. sexual orientation) to be inferred, regardless of the controller’s intentions.

The practical significance of this judgment lies in broadening the interpretation of sensitive data under Article 9 GDPR. The ruling aligns with the CJEU’s established line of case law, according to which, if apparently neutral data allows the inference of information belonging to special categories of data, the stricter rules governing the processing of such data under Article 9 GDPR apply.

5. Operator of an intermediary online platform as a controller

In a judgment of 2 December, 2025 (case C-492/23), in Russmedia Digital SRL and Inform Media Press SRL, the CJEU held that the operator of an online marketplace platform is a controller of the personal data contained in advertisements published on that platform. The operator must implement measures enabling it, prior to publication, to identify advertisements containing sensitive data, verify the identity of the advertiser, and refuse publication unless the advertiser demonstrates that the data subject has given explicit consent to the publication of the data on that online platform.

The Court further held that in the event of a breach of these obligations, the operator may not rely on the liability exemptions for intermediary service providers laid down in Directive 2000/31/EC on electronic commerce.

The importance of this judgment lies in recognising that operators of online platforms hosting user advertisements act as controllers of the personal data contained therein and are therefore liable for failure to comply with GDPR obligations applicable to controllers - even if they qualify as intermediary service providers (hosting providers) under the e-Commerce Directive. This directive established liability exemptions for unlawful third-party content (now replaced, in this respect, by the EU Digital Services Act - DSA).

6. Joint controllership on the Internet

In judgments in Fashion ID (case C-40/17) and Wirtschaftsakademie (case C-210/16), the CJEU ruled that an entity using a social media platform (e.g. an administrator of a Facebook fan page) may be a joint controller together with the platform operator, even if it does not have access to the personal data collected by the operator via social plugins.

The Court held that the fan page administrator is a joint controller at the stage of collecting and transmitting personal data to Facebook, and must therefore fulfil GDPR obligations at that stage (e.g. the information obligation). However, the administrator is not responsible for subsequent processing of the data; sole responsibility for that processing lies with the social media platform operator, which is required, for instance, to demonstrate a legal basis for further processing (e.g. for marketing purposes).

These judgments are of key importance for entities that allow third parties (such as social networking services) to install tools (cookies, social plugins, etc.) on the online spaces they administer (e.g. fan pages), through which users’ personal data is collected. According to the CJEU, the very decision to allow such data collection renders the administrators of those spaces joint controllers at the data collection stage, even if they neither access nor subsequently use the data.

7. Consent for the processing of personal data on the Internet

In its judgment of 1 October, 2019 (case C-673/17), Planet49, the CJEU held that the consent requirement under Article 5(3) of Directive 2002/58/EC (ePrivacy) - currently implemented in Poland under Article 399 of the Electronic Communications Law - applies regardless of whether the information collected via cookies constitutes personal data.

At the same time, the Court found that the consent requirements under the ePrivacy Directive are aligned with the consent standard under Directive 95/46/EC (now replaced by the GDPR), meaning that consent must be freely given, specific, informed, and unambiguous, excluding passive forms of consent (such as pre-ticked boxes, silence, or inactivity). Consent must also be clearly separated from other actions (e.g. participation in a lottery, account registration).

Despite the years that have passed since it was issued, this judgment remains a cornerstone of CJEU case law regarding proper methods and conditions for obtaining user consent on the Internet.

8. Necessity for the performance of a contract as a legal basis for processing

In the Meta Platforms judgment of 4 July, 2023 (case C-252/21) referred to above, the CJEU also interpreted the legal basis of necessity for the performance of a contract under Article 6(1)(b) GDPR.

The Court held that in order to rely on this provision, processing must be objectively necessary for a purpose that is integral to the core subject matter of the contract, and that the controller must demonstrate that the main purpose of the contract cannot be achieved without the specific processing in question. It is irrelevant that the processing is provided for in the contract or terms and conditions or that it is convenient or useful for the service provider (e.g. for personalisation or advertising profiling).

By this judgment, the CJEU significantly narrowed the extent to which contractual necessity can be invoked as a legal basis for processing. Consequently, online processing operations such as marketing profiling or behavioural advertising should be based on other legal grounds under the GDPR, in particular the data subject’s consent (Article 6(1)(a)) or the controller’s legitimate interest (Article 6(1)(f)).

9. Transfers of personal data to third countries based on standard contractual clauses

In a judgment of 16 July, 2020 in Schrems II (case C-311/18), Data Protection Commissioner v Facebook Ireland and Maximilian Schrems, the CJEU invalidated Commission Decision 2016/1250 approving the EU–US Privacy Shield as a mechanism ensuring adequate protection for data transfers to the United States. At the same time, the Court confirmed the validity of standard contractual clauses (SCCs) as a transfer mechanism, provided that, in the specific circumstances, they ensure a level of protection essentially equivalent to that guaranteed within the EU.

While upholding SCCs, the Court imposed on controllers an obligation to carry out an individual assessment of each transfer, in particular as regards whether the law and practices of the third country (e.g. the United States) provide safeguards equivalent to those set out in the SCCs. In practice, prior to transferring data, the exporting controller must conduct a separate analysis known as a Transfer Impact Assessment (TIA). If the outcome of that analysis is unfavourable, the controller must implement additional technical and organisational safeguards (e.g. strong end-to-end encryption, pseudonymisation).

This judgment is of fundamental importance for the internet industry, as statistics show that over 90% of transfers to third countries are carried out on the basis of standard contractual clauses.

10. Compensation for non-material damage in cases of GDPR breach on the Internet

The CJEU judgment of 14 December, 2023 (case C-340/21), VB v Natsionalna agentsia za prihodite, concerned the civil liability of controllers under Article 82 GDPR for data breaches. The Court first held that the mere fact that a successful hacking attack by third parties occurred does not automatically mean that the technical and organisational measures implemented by the controller were inappropriate.

A controller may be exempt from liability under Article 82(3) GDPR if it demonstrates that it was not in any way responsible for the event giving rise to the damage (e.g. it implemented risk-appropriate measures and the attack was exceptional and unforeseeable).

At the same time, the Court held that the burden of proof regarding the absence of fault lies with the controller, which must present evidence that appropriate measures were implemented and that it responded properly to the breach (e.g. mitigation, notification).

The CJEU also ruled that feelings of fear, distress, or a sense of insecurity experienced by a data subject due to the potential future misuse of their data may, in principle, constitute non-material damage within the meaning of Article 82 GDPR, provided that the affected person demonstrates that this constitutes real and individual harm rather than a purely abstract concern.

This judgment is of major importance for the internet sector, as analyses of civil liability cases under the GDPR show that the majority concern various irregularities that have materialised online (e.g. data breaches from network-connected servers).

The presented case law is of significant importance for the practical application of the GDPR on the Internet. If you would like to assess how the latest positions of the Supreme Administrative Court (NSA) and the Court of Justice of the European Union (CJEU) affect data processing in your organization, we invite you to contact our personal data protection team.