Collection of personal data and the obligation to register it by the e-shop


Many people who open an online store struggle with the question of whether it is necessary to register a personal data set with the Inspector General for Personal Data Protection (GIODO). Pursuant to Art. 43 sec. 1 point 8 of the Personal Data Protection Act, data files containing personal data processed solely for the purpose of issuing an invoice, bill or financial reporting are not subject to registration. According to the position represented by GIODO, this provision should be interpreted strictly: only a set of personal data that was created solely for the purpose of issuing an invoice, bill or financial reporting is exempted from the registration obligation. If the personal data is also processed for marketing purposes, the personal data set must be submitted for registration on general terms.

To issue an invoice or bill, you need data such as: name and surname, company name, address and tax identification number. Online stores often require registration, which calls for a wider catalog of customer information. Even if a given store does not require registration, we additionally need an e-mail address, telephone number, etc. to ship the goods. The scope of data therefore far exceeds the list of personal data needed to issue an invoice, so an online store will not avoid the obligation to register a set of its customers' personal data. In addition, a set of customers' personal data collected in connection with the complaint procedure is subject to registration (Supreme Administrative Court judgment of April 21, 2006, OSK 726/05).

Collection of personal data - mandatory registration with the Inspector General for Personal Data Protection

On January 1, 2015, the Act of November 7, 2014 on Facilitating Business Activities, which amended the Personal Data Protection Act, entered into force. The most important changes included the regulation of the information security administrator (ABI). If the personal data administrator has appointed an ABI and reported it to the register kept by GIODO, that administrator is then released from the obligation to register personal data files. In the organizational structure of the data controller, the ABI reports directly to the head of the organizational unit or to the natural person who is the data controller. What does this mean for online stores? The data administrator is usually the owner of the online store, and in the case of companies, the board members or CEO. These entities are entitled to supervise the ABI and issue binding instructions to it. Appointing an ABI is a right, not an obligation, of the data controller. If no ABI is appointed, its tasks are performed by the data administrator himself.

Tasks of the Information Security Administrator (ABI)

An information security administrator should be appointed prior to processing personal data. What are his duties?

  • checking the compliance of personal data processing with the provisions on the protection of personal data,
  • preparation of documentation regarding the protection of personal data,
  • ensuring that persons authorized to process personal data are familiarized with the provisions on the protection of personal data,
  • making checks at the request of GIODO.

The ABI is also obliged to continuously monitor the processing of personal data for compliance with the provisions on the protection of personal data. If any irregularities are found, the ABI should report them to the data administrator. This is connected with the ABI's duty to prepare a report for the data controller.

When is appointing an ABI not enough?

The exemption does not apply to those personal data files in which sensitive personal data are processed. This means that even when we have appointed an ABI, we will be obliged to register the personal data set containing sensitive data ourselves.

Pursuant to Art. 27 of the Personal Data Protection Act, sensitive data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union affiliation, as well as data on health, genetic code, addictions or sex life, and data on convictions, punishments and penalties as well as other judgments issued in court or administrative proceedings.

It should be assumed, however, that in the case of online stores, the processing of this type of personal data will be rare.