We protect personal data - “Personal data of all persons, in particular our clients, employees, counterparties and users of our websites, are subject to rigorous protection. This concerns all data that may be used to identify a person.
Personal data protection regulations apply to all workstations and all IT systems used by our employees. Access to such data is granted only to persons who need them because of the duties they perform.”
We safeguard information - “We should remember that these days information may be accessed very easily, which fact entails a number of risks. Therefore, the principle of maintaining confidentiality is extremely important to us. Each one of us is under the obligation to ensure security of, safeguard and properly supervise any electronic equipment provided to us by PZU.
It is inadmissible to provide to third parties any passwords to such electronic equipment. Passwords are equivalent to electronic signatures, therefore every employee is liable for all operations performed by third parties while using his or her password.
PZU permits the use of hardware or software for personal purposes provided that such use is limited and sporadic. However, it is forbidden to use any hardware or software for illegal activities or for one’s own business activity unrelated to collaboration with PZU.
No communication may contain inappropriate or illegal information.”
PZU and PZU Życie pay particular attention to the protection of personal data processed by each of them. In order to prepare as well as possible for the changes that will be brought about by the entry into force of the GDPR, a special project has been launched at PZU and PZU Życie. Work under the project has been divided into stages which cover specific changes in the distinct business areas in which personal data are processed. The provisions of the GDPR affect the majority of processes and areas of insurance activity, most notably sales and client service, on-line services, cross-selling, underwriting, marketing, CRM, counteracting insurance fraud and IT systems supporting business processes. To ensure an appropriate level of data protection and to prepare and implement new procedures and guidelines in both companies, representatives of the majority of business areas have been involved in the work under the project.
Similar projects, intended to ensure compliance with the new legal requirements, are being executed in other member companies of the PZU Group.
Bank Pekao puts into practice the rules associated with the processing and protection of personal data, as enacted in the form of national and EU regulations, through a number of internally implemented regulations. Key regulations in this area are the personal data protection rules and the rules for obtaining consents to the bank’s direct marketing activities. Moreover, in order to ensure that comprehensive actions are taken in the area of personal data protection, a number of internal regulations have also been implemented related to the various areas of the bank’s business.
Moreover, within the framework of preventive activities, the bank has developed appropriate training programs. In 2017, the following topics were covered during the training classes:
Bank Pekao carries out regular inspections of the processing of personal data and information by various information owners.
As a follow-up to the 2015 recommendation, other members of the Pekao Group have implemented personal data protection regulations similar to the policies adopted by the bank.
Throughout the Alior Bank Group, stringent security procedures are in place to ensure confidentiality, integrity and availability of processed information. The security policy and all procedures in this area are updated on an ongoing basis in response to the changing market circumstances in the cybersecurity area as well as new requirements and guidelines issued by the regulatory authorities. In 2017, numerous inspections and tests of the security of IT systems and sensitive internal processes were carried out. A dedicated unit at Alior Bank is responsible for continuous monitoring of electronic banking systems and applying active response procedures in cases of attempted attacks.