Indeed, in a judgment of April 9, 2025 (No. 23-13.159), the Social Chamber held that an internal IP address does indeed qualify as personal data within the meaning of the GDPR, but on the essential condition that this qualification applies only “when it is used by the employer to indirectly identify an employee by cross-referencing it with other information at its disposal.”
🔍 Case background: An employee was dismissed for gross misconduct based on a report attesting to connections to unauthorized websites. That report mentioned only internal IP addresses, which the employer used to identify him.
🧩 Unlike public IP addresses (allocated by Internet Service Providers (ISPs)), internal IP addresses are generated by routers within a private local network (e.g., 192.168.1.1).
⚖️ Two corrected errors in assessment:
1️⃣ The Court of Appeal had held that an internal IP address could not, even indirectly, identify a natural person.
2️⃣ The Court of Cassation amends this reasoning but itself makes a debatable interpretation by adding a condition not provided for in the GDPR: the intention to identify.
Indeed, the Court specifies that the IP address becomes personal data “when it is used BY the employer IN ORDER TO identify…” – thus introducing an intentionality criterion absent from the European regulation.
📋 In practice:
Does your internal logging system collect IP addresses? These data must be treated as personal data if they can be linked to identifiable individuals.
You must update your processing records to include these addresses in your personal data mapping.
Retention periods for these logs must be justified and limited in accordance with the principle of data minimization.
For monitoring employee activity, ensure your IT policy explicitly mentions the processing of internal IP addresses.
Review your anonymization procedures if you share these data with third parties.
💡 Note: This ruling follows the CJEU’s “Breyer” decision (2016), which already classified dynamic IP addresses as personal data when an ISPs has legal means to identify the individual.
In any event, this decision reinforces the broad interpretation of personal data advocated by supervisory authorities, while adding an intentionality criterion that will (undoubtedly) spark future debates.
What do you think: a revolution or just a jurisprudential adjustment? Does your company treat internal IP addresses as personal data?
Source : https://www.legifrance.gouv.fr/juri/id/JURITEXT000051464959
