Fewer obligations on data protection of sole traders | Legal Alert 24.05.2016
On 19th May 2016, the amendment to Poland’s Freedom of Establishment Act entered into force. In accordance with the new regulations, the provisions of Poland’s Data Protection Act (“DPA”) do not apply to such categories of sole traders’ (i.e. individuals conducting economic activities under their own name) data as are revealed in the Central Register and Information on Economic Activity (“CEIDG”). It seems that such a solution will be advantageous for data controllers who process sole traders’ data.
In accordance with the previous statutory provisions, the DPA also applied to those categories of sole traders’ data that were revealed in the CEIDG. Consequently, when processing such data within filing systems, data controllers were bound to comply with all of the obligations arising from the DPA. After 19th May 2016, this situation has changed.
Pursuant to the amendment, the DPA provisions are inapplicable to sole traders’ data and information which is revealed in the CEIDG. However, data controllers remain obliged to observe the DPA’s provisions regarding the inspection competences of the DPA and the applicable statutory provisions governing data security.
In practice, this means that the DPA no longer applies to such categories of data in CEIDG as: the sole tradership’s name (including the sole trader’s name and surname), statistical number (REGON), tax identification number (NIP), e-mail address (if such address was registered and revealed in CEIDG), information regarding the existence of property jointly-owned with a spouse, the address from which business activity is conducted, correspondence address or citizenship details.
The DPA nevertheless still applies to those categories of data that are subject to registration in the CEIDG but are not revealed publicly, i.e.: the sole trader’s national identification number (PESEL), date of birth, residential address or contact data if the sole trader opposes revealing such information.
These changes should significantly facilitate the everyday activities of data controllers who process sole traders’ data (e.g. sole trader clients). Provided that controllers process sole traders’ data within the scope that was already revealed in the CEIDG, they are not bound by obligations arising from the DPA with respect to such data. In practice, the processing of such data will not be dependent on the fulfilment of any statutory conditions, nor will it be subject to so-called informational duty. Furthermore, the transfer of data to a recipient located in a third country will not be subject to the DPA’s statutory provisions. Moreover, data controllers will not be required to register filing systems involving such data, nor to include them in data filing registers maintained by their data protection officers (if such officers have been appointed).
Although the aforementioned changes should be assessed positive from the perspective of data controller, the less burdensome regime should be approached with some care. It may frequently occur that the same data filing system contains some data concerning a sole trader which is exempt from the DPA’s provisions and also other data which is not exempted. When processing such mixed data, the DPA’s provisions will continue to apply.
Joanna Tomaszewska Ph.D., Partner, Attorney at law
Filip Drgas, Junior Associate