Polish court says dentist office address is not personal data

Poland's Supreme Administrative Court ruled on October 15, 2025 that basic business information does not automatically count as personal data under GDPR. The case involved a dentist who wanted a commercial website to remove his practice's name, address, and phone number.

The court found that listing a practice name like "Private Dental Office" along with its address and phone number is not enough to identify a specific person. Without the dentist's actual name or other identifying details, the information only describes a business activity, not an individual.

The ruling came in case III OSK 2357/22. The Polish Data Protection Office (UODO) had originally ordered the website to delete the dentist's business details, treating them as personal data. The company running the website challenged this decision, arguing that generic business information without personal identifiers should not fall under GDPR protection.

Why the court disagreed with the data protection office

The Warsaw Provincial Administrative Court first examined this case in July 2022 and sided with the website company. The judges found that a generic name like "Private Dental Office" combined with a business address doesn't reveal who the actual dentist is.

The court determined that this type of information describes a professional activity rather than a person's private life. The phone number was a public contact line required by healthcare law. Multiple staff members could answer it, not necessarily the dentist.

The business address was also shared by other entities. According to the case files, the same location housed two shops and another service provider. This meant the address itself couldn't identify a specific individual.

UODO appealed, arguing that professionals running their own businesses still deserve privacy protection for their business information. The data protection office maintained that when private companies take information from public registers and use it commercially, they need proper legal basis under GDPR.

The Supreme Administrative Court dismissed the appeal but clarified important principles. The October 15, 2025 ruling emphasized that GDPR only protects data about people who can be identified or are identifiable. A business name, address, or phone number without additional identifiers doesn't allow identification of a specific natural person.

The test for identifying individuals through business data

The court explained that the key question is whether someone could reasonably connect business information to a specific person. Just because it might be theoretically possible doesn't mean it automatically counts as personal data. The connection must be practical and realistic.

This interpretation follows GDPR Recital 26, which refers to "means reasonably likely to be used" for identification. If identifying someone would require excessive effort, multiple steps, or access to additional databases, the original information doesn't qualify as personal data.

The Supreme Administrative Court clarified that healthcare professionals listed in public registers maintain data protection rights even though their information is publicly available. Article 86 of GDPR acknowledges that making information public doesn't eliminate all privacy protections.

However, these provisions don't give commercial companies unlimited permission to republish data from official registers however they want. Companies still need proper legal justification for processing such information.

The court found that UODO failed to demonstrate how a generic practice name, shared business address, and public phone number could actually identify the dentist. The data protection office never explained why there was a "reasonable likelihood" of identification through this basic business information alone.

The fact that the dentist later revealed his name when filing the complaint didn't change this analysis. The court focused on whether the information could identify him at the time it appeared on the website, not on events that happened afterward.

Professional registers and privacy protection

The ruling examined how public disclosure requirements interact with data protection rights. Polish healthcare laws require doctors to publish certain professional information in official registers. These registers are public and accessible to anyone.

The court clarified that GDPR doesn't stop applying just because information appears in public registers. Article 86 of the regulation allows sharing data from official documents, but only when legal frameworks properly balance transparency with privacy protection.

Poland's law about reusing public sector information gives people and companies access to government data. However, Article 7 of that law makes clear that access rights don't override data protection requirements. Companies can't simply republish everything from public registers without evaluating their legal basis.

The Supreme Administrative Court referenced an important precedent from May 19, 2011 (case I OSK 1079/10). That earlier ruling established that not all information linked to professional activities automatically qualifies as personal data requiring GDPR protection.

The key factor is whether the information enables identification of a specific individual. Professional listings in public registers often contain names, which clearly identify people. But when information from those registers is republished without names—showing only practice names, addresses, and phone numbers—the identification element disappears.

The case files showed that UODO assumed the business information constituted personal data without properly investigating whether identification was actually possible through the data as presented on the commercial website.

How the website defended its business listings

The website company argued that its business directory couldn't identify individual dentists from the information it displayed. The listings showed practice names, addresses, and phone numbers—standard business directory information—but no personal names or other identifying details.

In August 2021 correspondence, the company explained that someone viewing "Private Dental Office" at a particular address couldn't determine who owned or operated that practice. Multiple dentists could work at the same location. The practice name itself was generic and descriptive rather than identifying.

The company provided documentation showing it compiled business information from publicly available sources, including official healthcare registries. It maintained that displaying this type of professional information without personal identifiers didn't constitute processing personal data.

UODO didn't investigate whether the disputed information could actually identify a real person as defined in GDPR Article 4(1). The authority cited legal standards from previous cases but never demonstrated how those standards applied to this specific situation.

The Supreme Administrative Court found that UODO's explanation was technically well-formatted but lacked substance. The data protection office never adequately explained why generic business information without personal names should receive the same privacy protection as actual personal data. The authority failed to show a "reasonable likelihood" that website visitors could identify the dentist from a practice name, shared address, and public phone number.

European enforcement on business data and identification

German courts have established frameworks for evaluating when business and professional information requires privacy protection under GDPR. The Hannover Administrative Court ruled on March 19, 2025 that companies must obtain valid legal basis before processing personal data for commercial purposes. That decision emphasized the distinction between information that identifies individuals and information that merely describes business activities.

French data protection authority CNIL took enforcement action on December 12, 2024 against multiple website publishers for consent mechanism violations. The authority issued formal notices requiring compliance within one month. Article 82 of the French Data Protection Act establishes consent requirements for data processing that can identify individuals.

McDonald's Poland faced €3.89 million in fines from the Polish Data Protection Authority on July 21, 2025 for processor oversight failures. The enforcement action addressed how employee data was exposed through publicly accessible systems. The case demonstrated that companies must properly assess whether information processing involves personal data before implementing commercial systems.

Austrian courts ruled on August 18, 2025 that consent mechanisms must provide genuine choice for data processing purposes. The decision against DerStandard.at's payment model established that economic coercion undermines consent validity when companies process personal information for commercial purposes.

The Polish judgment contributes to evolving European jurisprudence on personal data boundaries. Courts across member states continue refining standards for when professional and business information crosses thresholds into protected personal data categories requiring GDPR compliance frameworks.

What this means for marketers and businesses

The Supreme Administrative Court's decision focuses on practical reality rather than theoretical possibilities. Companies that collect data need to evaluate whether they can actually link that information to specific people using data they have or can reasonably get. They should consider costs, time, available technology, and legal methods for making those connections.

The ruling makes a distinction. Information about someone you've already identified is different from information that lets you identify them in the first place. Once you know who someone is, additional details expand your knowledge about them. But business addresses and practice names that describe activities need extra information to identify individuals.

Professional service providers keep data protection rights even when they're in public registers. However, when commercial companies republish official information, they need to evaluate whether they have proper legal reasons. Just because information is public in government databases doesn't mean companies can reuse it however they want without following privacy rules.

Marketing technology systems must check whether the identifiers they collect can reasonably identify real people. Generic business information that lacks personal characteristics doesn't need GDPR protection when identification would require excessive investigation. Dynamic technical identifiers that change with each session are fundamentally different from permanent unique markers that enable persistent tracking.

The judgment reinforces that data protection authorities must prove information counts as personal data by showing it can identify people. Assumptions about identification need actual investigation and clear reasoning about practical methods available to companies. If someone reveals identifying information later, after data was collected, that doesn't retroactively make the original collection count as personal data processing.

Timeline

• May 19, 2011: Supreme Administrative Court rules IP addresses cannot always qualify as personal data in case I OSK 1079/10
• November 2022: Lower Saxony data protection authority issues orders requiring consent mechanisms and Google Tag Manager removal
• July 11, 2022: Warsaw Provincial Administrative Court rules practice information insufficient for personal data status
• August 13, 2021: Company responds to UODO explaining user IP/ID numbers do not enable identification
• September 26, 2022: UODO files cassation appeal challenging lower court interpretation
• December 12, 2024: CNIL takes enforcement action against multiple publishers for deceptive cookie consent practices
• March 19, 2025: Hannover Administrative Court clarifies cookie consent obligations and automated data collection restrictions
• July 21, 2025: Polish authority imposes €3.89 million fine on McDonald's Poland for processor oversight failures
• October 15, 2025: Supreme Administrative Court dismisses UODO cassation appeal in case III OSK 2357/22

Summary

Who: Poland's Supreme Administrative Court ruled on a data protection dispute between UODO and a website operator regarding dentist practice information classification.

What: The court determined that business names, addresses, and phone numbers lacking direct identifiers do not constitute personal data under GDPR when identification requires unreasonable supplementary efforts.

When: The October 15, 2025 ruling concluded proceedings beginning with the dentist's removal request and UODO's subsequent enforcement order.

Where: The case originated in Poland's administrative court system, with the Supreme Administrative Court providing final interpretation of GDPR Article 4(1) personal data definitions.

Why: The judgment matters for marketing professionals because it establishes stricter standards for personal data classification, affecting how commercial platforms handle professional service provider information and requiring clear identification pathways rather than theoretical possibilities for GDPR protections to apply.