An amendment to the law that entitles sole traders to a greater protection of their privacy, which has been postponed several times, has finally come into force. From 1 January 2012, the Personal Data Protection Act (PDPA) has applied to all personal data of sole traders.
The practical significance of the amendment is yet to be determined. Up until now the case law has not been consistent in determining the scope of protection of sole traders’ data.
Whilst in law sole traders’ personal data are now protected at the same level as the data of private individuals, in practice, jurisprudence will need to decide if the same rules should apply in all circumstances. This is because the basic personal data of sole traders’ is also the information which identifies their businesses. If personal data of sole traders’ are protected equally to personal data of private individuals, the freedom to do business and fair competition may be hindered in some circumstances (e.g. if a sole trader may demand that negative reviews of their services cannot be made public under the cover of personal data protection).
The amendment had been deemed necessary as many companies had been using the personal data of sole traders to inundate them with all kinds of advertisements and offers unconnected with their business, based on the assumption that their personal data could be freely and legally used for all purposes, including marketing.
(i) Personal data of entrepreneurs before 1 January 2012
Between 2003 and 2011, the law expressly provided that the PDPA did not apply to the data of sole traders entered into the municipality registers of sole traders. As a result, basic information about sole traders was not protected by the PDPA. However, in 2010 the Supreme Administrative Court ruled that sole traders’ data that was not entered into municipality registers of sole traders (e.g. data received through business dealings with sole traders) should be protected by the PDPA (case No. I OSK 756/09).
In consequence, basic sole traders’ data were used freely by various businesses because data controllers believed that the PDPA did not apply to them, and that they did not have to apply the proportionality principle (i.e. to process only adequate, relevant and inexcessive data in relation to the purposes for which they were collected and/or further processed) or justify processing of sole traders’ data. Also sole traders were not informed on who and for what purpose processed their data.
(ii) Current rules on processing of sole entrepreneurs personal data
As of 1 January 2012 the PDPA applies to all sole traders’ personal data, however sourced. Currently it should be clear that all information regarding sole traders, including those contained in the Central Register and Information on Business Activities of Sole Traders (the “Central Register”), which has replaced the municipality registers of sole traders, should be treated as personal data and protected by the PDPA.
As a result, data controllers that collect and process sole traders’ data will have to comply with the obligations stipulated in the PDPA. In particular, data controllers should:
- process sole traders’ data only if there is a legitimate ground for doing so;
- inform sole traders about the scope and the purpose of processing their data and their right to access and modify their data;
- grant sole traders the right to access and modify their data;
- process sole traders’ data in compliance with the proportionality principle; and
- provide adequate security measures in compliance with the PDPA.
The Central Register: As the sole traders’ basic personal data is collected in the national and publically available online database – the Central Register - data controllers have easy access to the personal data of sole traders. The Central Register contains information on all sole traders in Poland, including their: (i) name and surname; (ii) registered office; (iii) email address; (iv) telephone number; and (v) tax identification number. All data from the Central Register are publicly available online, except for sole trader’s personal identification number (PESEL) and a place of residence if it is not the same as the registered office.
In practice it means that controllers may collect sole traders’ data that are publically accessible in the Central Register, provided that there is a legitimate ground for processing such data (e.g. the legitimate interest of data controllers) and provided that data controllers inform every sole trader about the commencement of processing of their data.
The most burdensome obligation under the amended law relates to informing sole entrepreneurs about the processing of their data. In Poland there are no exemptions that allow data controllers to avoid informing data subjects if it involves disproportionate effort, except when personal data are necessary for scientific, educational, historical or statistical research or for public opinion research.
Exemption from notification of data filing system: Data controllers in Poland are obliged to notify/register any data filing systems, unless one of various exceptions apply. For example data that are publicly available are exempt from notification/registration. As the sole traders’ data in the Central Register are publicly available online, data controllers who process such data for their purposes will not need to notify those data filing systems. If, however, data controllers process more data than is available in Central Register, the data filing system may be subject to notification/ registration.
Data collected before 1 January 2012: It remains unclear how controllers should approach sole traders’ data that was collected before 1 January 2012. We believe that processing sole traders’ data collected and processed before 1 January 2012 was legitimate even if a data controller did not consider the relevant grounds for such processing or did not apply the proportionality principle.
However, data controllers should now re-examine sole traders’ data that they process and continue to process to assess whether (i) they have legitimate grounds for further processing and (ii) such processing would be in line with the proportionality principle. If a data controller cannot identify a legal basis for further processing of the sole traders’ personal data, it should erase them.
It does not appear necessary to inform sole traders about the scope and purpose of processing of their data by data controllers who collected their data before 1 January 2012, as data controllers did not have such obligation when they collected the data.
Failure to comply with the PDPA obligations in relation to sole trader data may result in the data controller being subject to administrative or even criminal liability (punishable by a fine or imprisonment of up to 2 years).
Although currently the PDPA applies to all sole traders’ data, this protection is not without limitation.
Sole traders’ basic personal data is also the information which identifies their business to the market. According to a ruling of the Supreme Administrative Court of 2002 (based on law that did not explicitly exclude application of data protection law to sole traders), information that identify businesses on the market (even if they are the personal data of sole traders) are not afforded protection under the PDPA. Such information (called identification data) may only be protected as moral rights. This conclusion has been followed by the administrative courts ever since (with the exception of a ruling by the Supreme Administrative Court’s in 2010 - case No. I OSK 756/09).
In October 2011, the Administrative Court (case No. II SA/Wa 1009/11) ruled on the limitations of the privacy of people running their own businesses on the basis of the previous law.
The case surrounded the rights of a farmer, who ran an agritourism business. He was not registered as a sole trader, and his data did not appear on such a register. He provided information about himself on his agritourism website. His data was copied and published on a website with contact details of people running agritourism businesses, advertising agritourism and allowing users to rate and comment on the agritourism services. The farmer received some negative comments and tried to block them by invoking his personal data protection. The Court refused to grant the farmer protection. The Court held that farmer had revealed his data in relation to running his business and not as a private individual (even though he was not registered as a sole trader) in order to promote his services. In that regard the farmer should take into account that his data would receive be much weaker protection. The farmer should be prepared that his services could be rated, positively or negatively. If the farmer considered the comments as infringing his moral rights, it was up to the farmer to sue for such infringement in civil proceedings.