
Online stores – storing and processing d

A personal data controller running an online store should pay particular attention to the necessity of processing such data in accordance with the law, i.e. on a specific legal basis.
The General Data Protection Regulation, hereinafter referred to as RODO, has significantly changed the way personal data concerning individuals is obtained and stored. The personal data held by online store owners is subject to specific regulations and rules. According to the regulations, it cannot be stored indefinitely, and according to recommendations found on the European Commission's website, it should be kept for the shortest possible period. Under these rules, personal data as defined by RODO, that is, all data relating to individuals, can only be kept for the period necessary to fulfill the purposes for which it was collected. It should be noted that, just as with the scope of data and data protection measures, RODO does not impose a specific storage period for personal data and does not indicate a limit in months or years: each data controller, including one running an online store, must decide on its own how long the data it collects will be stored. However, it is advisable to specify a minimum time limit for processing, so that the entity processing the data does not store it for several dozen years or indefinitely.
The data controller running an online store may not include in the consent or information clauses information that the data will be stored indefinitely – such a clause will not have the intended legal effect.
A breach of the storage limitation principle, especially where the entrepreneur is unable to give a reason for an excessively long storage period, may result in a financial penalty being imposed on the controller. Other factors also affect the determination of the correct storage period for personal data: first of all, any special provisions arising from other acts, an example being the Accounting Act, concerning the minimum period of storage of accounting books.
In any case, the entrepreneur running an online store should pay attention to the provisions of the Civil Code concerning the statute of limitations on claims. In view of a possible court trial, the data should be stored until the statute of limitations on claims by and against the data controller has expired. In the case of a personal data controller running an online store, this period will mostly be three years. However, in the case of data acquired by a data controller before 25 May 2018, i.e. before the date of entry into force of the RODO Regulation, each data controller operating an online store should consider whether it was collected in accordance with the principles set out in the current legislation. If a data controller operating an online store has acquired more data than necessary, the most appropriate solution would be to delete it. If the data owner has not consented to the collection and storage of the data, the data controller operating the online store should ensure that proper consent is obtained or, if necessary, updated. The data collected before the aforementioned date should not be stored indefinitely: the data controller running the online store has to adjust the storage period to the new rules.
