The protection of customer personal data as an element of entrepreneurs’ ethical conduct

• Main Author: Ewa Kulesza
• Format: Article
• Language: English
• Published: Lodz University Press 2018-11-01
• Series: Annales Etyka w Życiu Gospodarczym
• Subjects: personal data protection; rights of data subjects; right to information; duties of personal data controller; GDPR; administrative fines; criminal liability; compensation for a violation of the right to personal data protection
• Online Access: https://czasopisma.uni.lodz.pl/annales/article/view/4554

The right to the protection of personal data, which is part of the right to privacy, is a fundamental human right. Thus, its guarantees were included in the high-level regulations of the European Union as well as the legal norms of the EU Member States. The first Polish law regulating the protection of personal data was adopted in 1997 as the implementation of EU Directive 95/46. The law imposed a number of obligations on public and private entities which process personal data in order to protect the rights of data subjects and, in particular, to guarantee them the ability to control the correctness of processing of their personal data. Therefore, the law obliged data controllers to process data only on the basis of the premises indicated in the legislation, to adequately secure data, and to comply with the disclosure obligation concerning data subjects, including their right to correct false or outdated data or to request removal of data processed in violation of the law. However, as complaints directed by citizens to the supervisory body—the Inspector General for Personal Data Protection—showed, personal data controllers, especially those operating in the private sector, did not comply with the law, acting in a manner that violated their customers’ rights. In the hitherto existing unfair business practices of entrepreneurs, the violations of the data protection provisions that were the most burdensome for customers were related to preventing them from exercising their rights, including the right to control the processing of data, as well as the failure to provide the controller’s business address, which made it impossible for subjects whose data were used in violation of the law or for the inspecting authorities to contact the company, a lack of data security and a failure to follow the procedures required by law, the failure to secure documents containing personal data or their abandonment, a lack of updating customer data, the use of unverified data sets and sending marketing offers to deceased people or incorrect target recipients, and excessive amounts of data requested by controllers. The violations of the rights of data subjects recorded in Poland and other EU Member States—among other arguments—provided inspiration for the preparation of a new legal act in the form of the EU General Data Protection Regulation (GDPR) (which entered into force on 25 May 2018). The extension of the rights of people whose data are processed was combined in the GDPR with the introduction of new legal instruments disciplining data controllers. Instruments in the form of administrative fines and the strongly emphasised possibility to demand compensation for a violation of the right to data protection were directed in particular against economic entities violating the law.