The privacy policy is a document that every website should have. It contains information about who is the administrator of personal data, what data of website users is collected, what is the purpose of data processing and for what period the data will be processed. In addition, it informs about cookies and the security of collected personal data.

If the website also provides for the sale of goods or services, it should also contain the regulations of the online store. In addition, it is recommended that the website also has the General Terms and Conditions of Use of the website.

Entrepreneur with consumer rights:

As of January 1, 2021, an amendment to the regulations entered into force, which extended the scope of consumer rights also to some entrepreneurs. Therefore, consumer protection regarding:

return goods purchased remotely, within 14 days, without giving a reason;
prohibited clauses;
a wider scope of rights under the warranty;

existing consumers, understood as natural persons who conclude legal transactions with the entrepreneur, e.g. purchase of a washing machine, printer, food products, purchase of services, etc. (hereinafter referred to as: “consumer in the strict sense”);
natural persons concluding a contract directly related to their business activity, if the concluded activity (e.g. sales contract) is not of a professional nature for these entrepreneurs (hereinafter referred to as “entrepreneur with consumer rights”). Interpretation of whether the entrepreneur is covered by consumer protection in a given case or not, is based on the subject of the entrepreneur’s business activity, disclosed in the CEiDG register.
The aim of the amendment is to counteract the disproportion in the rights of entrepreneurs – natural persons who conclude a contract with another entrepreneur, not directly related to the industry or specialization of these entrepreneurs – natural persons. Therefore, under contracts that are not directly related to their industry or specialization, they are no longer treated as “professionals” who are required to have more knowledge, e.g. a construction worker purchasing construction materials as part of a business activity will still be considered considered a professional entity (not a consumer). However, if the same construction worker purchases goods classified as non-professional, e.g. an office coffee machine, he will be treated as a non-professional entity (consumer).

However, as it is unanimously noted in the legal doctrine (including Commentary on the Act on Consumer Rights edited by Osajda 2020, ed. 3/P. Mikłaszewicz), a person conducting business or professional activity who concluded a contract before January 1, 2021 r., pursuant to Art. 22[1] of the Civil Code and in accordance with the provisions of EU law and the case law of the CJEU, was already considered a consumer if she acted outside the framework of her professional activity, for purposes unrelated to her business or professional activity.

How to use the document?

The privacy policy meets the information obligations of the personal data administrator, who is usually the owner of the website. It specifies:

who is the data controller and how to contact him/her;
who is the personal data protection officer (if the company has appointed one);
for what purposes personal data is collected;
which personal data is collected;
the period of storage of personal data for a specific processing purpose;
users’ rights related to the collection of their data (the possibility of withdrawing consent to processing, requests to delete data from the administrator’s database, the possibility of rectifying and changing data, limiting their processing and raising objections);
the website’s use of cookies.
The document must be completed, answering all questions, and posted on the website to which the document relates.

The privacy policy should be available for viewing by website users at all times. In particular, users should be able to read its provisions before providing any personal data on the website.

It has become common practice for every person who visits a website to accept the Privacy Policy, even before they start sharing their personal data. This is done the moment a person appears on a given website. This practice is completely principled. Its justification is the fact that the Privacy Policy very often also contains information about the use of cookies, of which the user should be informed when entering a given website (he can then disable the use of cookies in his browser).

Legal basis:

The obligation to include information on the processing of personal data on the website results from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing