Openness of personal data in CEIDG poses a risk to the rights and freedoms of registered persons
The model of public openness of personal data of entrepreneurs subject to entry in the Central Registration and Information on Business (CEIDG) requires revision from the point of view of the purposes for which personal data are obtained and used, in the perspective of risks to the rights and freedoms of registered persons.
The Central Registration and Information on Business collects data of entrepreneurs regardless of the nature and scale of their business. The following data are publicly available there: name and surname, REGON number (Business Identification Number), NIP number (Tax Identification Number), address for service, address for electronic service, permanent address of a the place of business. The register has been operating in this way since its inception, i.e. since 2011. Meanwhile, rapid technological progress is accompanied by the development of methods of personal data processing, and with it also a number of new threats to the rights and freedoms of data subjects, wrote the President of the Personal Data Protection Office, Mirosław Wróblewski, in his address to the Minister of Finance, Andrzej Domański.
The main problem is that in the case of many entrepreneurs, the address of business [WS1] is also the address of residence. This causes a number of threats to private and family life. These threats remain particularly important in the case of entrepreneurs who, due to the type of business or holding certain social functions, may be particularly exposed to dangerous behaviour. We are talking about directing intrusive marketing, disseminating information on the Internet, but also stalking, harassment, or directing threats, insults, and even violent attacks. These include, for example, doctors, psychologists, publicists, mediators, auditors, accountants, real estate agents, therapists, but also people in other professions.
The adoption of the model of transparency of the public register, which contains personal data, should be preceded by a factual demonstration of the reasons for which such a model was considered necessary. It would also be necessary to analyse the risks to the protection of personal data. The supervisory authority proposes possible solutions:
- This requires consideration whether to limit the universality of access to address data, e.g. by introducing the possibility of restricting access to data by the entrepreneur, or by introducing voluntary disclosure – if the business address is also the place of residence of the entrepreneur.
- Another solution may be to introduce a procedure for requesting access to address data – limiting access only to entities formally requesting access to data, at least in the case of entrepreneurs conducting a specific type of activity.
- Another problem is that the entrepreneur's personal data remain public also after suspension and after the termination of business activity – the data is erased after 10 years from the deletion of the entrepreneur from the register. The need to store data in the Central Registration and Information on Business system after the termination of business activity is understandable due to the need to ensure the stability of business transactions. Information about the former entrepreneur may be necessary in order to, for example, pursue civil claims in connection with the terminated activity. However, it should be considered whether it is necessary to maintain full openness and universal access to all data of the former entrepreneur for this purpose.
DPNT.413.32.2025