ODO24 Logo
ODO24 Logo
ODO24 Logo
GDPR questions and answers

GDPR: QUESTIONS AND ANSWERS

Category:
Cookie Files

Are cookies personal data?

ANSWER

Cookies may constitute personal data.

To answer this question, let us begin with some theoretical considerations. According to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Recital 30 of the GDPR further states that natural persons may be associated with online identifiers such as IP addresses, cookie identifiers, or other identifiers generated by their devices, applications, tools, and protocols, as well as identifiers generated by technologies such as RFID tags. How should this be interpreted? If cookies can identify a person through their device, they should be regarded as personal data. This is confirmed by Recital 26 of the GDPR, which states that even pseudonymized personal data that can be attributed to a natural person through the use of additional information should be considered information relating to an identifiable natural person.

When might this occur? For example, when cookies are used to authenticate a user. In such a case, personal data is being processed because the cookies enable the user to log in to their account within an online service.

Another example where cookies constitute personal data is the use of third-party cookies placed on an organization's website (e.g., Google Analytics). On this issue, the French supervisory authority has stated that, within the Google Analytics service, the following categories of personal data are processed:

  • the identifier of the website visitor (the Google Analytics cookie identifier, i.e., the Google Analytics client ID);
  • for users who have logged into the website using a user account – the internal user identifier;
  • potential transaction identifiers;
  • IP addresses.
Show all
PreviousNext

Read also:

07 June 2026

Przygotuj się na atak phishingowy, nim będzie za późno

07 June 2026

TikTok a RODO w sektorze publicznym – czego urzędy mogą dowiedzieć się z niemieckich zaleceń dla instytucji

02 June 2026

Czy do spełnienia wymogów ustawy o krajowym systemie cyberbezpieczeństwa (KSC / NIS2) potrzebne jest Security Operations Center (SOC)?

Ranking aplikacji dla sygnalistów

Ochrona sygnalistów - ranking aplikacji

Receive a free package of 4 tutorials and 4 e-learning trainings
The controller of your data is ODO 24 sp. z o. o.