New rules for processing personal data of individuals operating their own businesses

From 1 January 2012, personal data of individuals operating their own businesses are now covered by the Personal Data Protection Act of 29 August 1997. Previously, such data were published in the local business registers maintained by municipalities in Poland, and excluded from the data protection scheme. The local business registers have now been replaced by the Central Registration and Information on Business.

We discuss below some of the consequences of this change in the regulations.

Given the lack of a grace period, entities that from 1 January 2012 are controllers of personal data of businesses operated by individuals (i.e. sole proprietorships and partnerships) must promptly comply with all of the relevant obligations under the Personal Data Protection Act:

Legality obligation

Any data controller in possession of personal data of individual businesses must demonstrate a legal basis for processing the data. (Personal Data Protection Act Art. 23 lists the instances in which processing of personal data is permissible.) It is not permissible to freely obtain and process such data for any arbitrary purpose. Impermissible process of personal data may even be punishable with criminal sanctions.

Information obligation

When collecting personal data of individual in the case of individuals who do not operate businesses – a data controller must provide the person with certain information, i.e. the data controller’s name and registered office, the purpose (and scope) of collecting the data, the potential recipients of the data, the right to review and correct the data, and whether providing the data is voluntary or mandatory (together with the legal basis). If data are obtained indirectly (e.g. through acquisition of a database) the information obligation is even broader.

Registration obligation

Data controllers are required to register their filing systems of personal data concerning individual businesses with the Polish Inspector General for Personal Data Protection, unless an exception provided in the Personal Data Protection Act applies—for example, if the data will be processed only in order to issue a bill or invoice. Criminal sanctions may also be imposed for failure to comply with the registration requirement.

Security obligation

A controller processing personal data of individual businesses must comply with all security requirements provided by the Personal Data Protection Act and the executive regulations issued under the act, including use of technical and organisational measures to protect the data adequately. Among other requirements, the data controller must:

• Maintain required documentation in the form of a data protection security policy and instructions for operation of the IT system used for processing personal data
• Provide authorization to persons employed in processing such data and maintain a record of the persons authorized to process the data
• Appoint an information security administrator and follow a number of other security measures.

Summary

The lack of a grace period during which to implement the changes discussed above will no doubt present an inconvenience for data controllers who process personal data of individual businesses. The only solution available in the current situation is to accept the change adopted by the Parliament and promptly implement the technical, legal and organizational solutions discussed above.