IP case law Court of Justice

Referral C-654/25 (Undelam, 6 Oct 2025)

Personal Data Protection > General Data Protection Regulation (GDPR) > Article 4 - Definitions > (1) Personal data
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 82 - Right to compensation and liability

Is Article 4(1) of the GDPR 1 to be interpreted as meaning that, in cases involving the automated transfer of a dynamic internet protocol address (‘IP address’), that IP address already constitutes personal data if a third party has the additional knowledge required in order to identify the data subject?

Or is a finding of personal data conditional upon the controller responsible for its transfer, or the recipient of the transfer, having means that could reasonably be used in order to identify the data subject, where necessary with the aid of a third party?

In the latter case: Does it suffice in that respect that, under certain conditions, there may be legal possibilities to identify the data subject, or must those conditions be fulfilled in both fact and law in the specific case?

Is Article 82(1) of the GDPR to be interpreted as meaning that non-material damage can also occur even if the data subject knowingly causes the controller to commit an infringement of the GDPR for the sole purpose of being able to document the infringement and assert a claim based on that infringement against the controller?

If so: Can the existence of non-material damage also be affirmed if similar infringements are caused intentionally and in large numbers by automated means?

If both questions raised in Question 2 are answered in the affirmative:

Must Article 82(1) of the GDPR be interpreted as meaning that, in a case of the kind described in Question 2, a right to receive compensation for non-material damage resulting from abusive conduct on the part of the data subject can be denied because, despite formal compliance with the conditions laid down in the EU legislation, the objective of that legislation was not achieved and there was an intention to obtain an advantage arising out of the EU legislation by artificially creating the conditions laid down for obtaining that advantage? In that regard, does the answer depend on whether the sole motivation for intentionally causing the infringement of the GDPR was to obtain a financial advantage?


Case details on the CJEU website (external link)

Disclaimer