
Annual report 2021

Personal data protection


The Bank and the Pekao Group entities comply with the generally applicable laws and with the principles set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the "GDPR").

Personal data is processed at Bank Pekao in accordance with the provisions of law and with due diligence, in order to protect the interests of the data subjects.

Bank Pekao acts both as a data controller and as a processor within the meaning of the GDPR and is fully responsible for compliance with the provisions on the protection of personal data, in particular with the processing principles laid down in the GDPR, such as:

  • The principles of lawfulness, fairness, transparency and accuracy: personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject, and is kept accurate (Article 5(1)(a) and (d) of the GDPR),
  • The principle of purpose limitation: data is collected for specified, explicit and legitimate purposes (Article 5(1)(b) of the GDPR),
  • The principle of data minimisation: the scope of the data processed must be adequate, relevant and limited to what is necessary to achieve the stated purpose (Article 5(1)(c) of the GDPR),
  • The principle of integrity and confidentiality: the controller applies appropriate technical and organizational measures ensuring the security of the data (Article 5(1)(f) of the GDPR).

In order to put comprehensive measures in place in the area of personal data protection, the Bank carried out a project to prepare the organization to meet the requirements of the GDPR. As part of it, the Bank's activities were analysed for compliance with the GDPR in respect of IT systems, processes, internal regulations, operations performed and document templates.

On the basis of this analysis, the scope of necessary actions to be taken by the Bank was defined and a number of internal regulations relating to particular areas of the Bank's operations were implemented, including:

  • Information Security Policy along with the Information Security Policy Documents,
  • Methodology of managing the risk of infringement of rights or freedoms of natural persons in Bank Pekao S.A. (PIA Methodology),
  • Rules of personal data protection and rules of obtaining consents for Bank Polska Kasa Opieki Spółka Akcyjna to undertake activities for direct marketing purposes,
  • Register of processing activities and Register of processing activities categories kept by Bank Polska Kasa Opieki Spółka Akcyjna,
  • The rules of granting personal data processing authorizations and authorizations of access to the Bank’s information to persons employed in the Bank,
  • The procedure for examining the requests of data subjects under the GDPR by Bank Polska Kasa Opieki Spółka Akcyjna,
  • Personal Data Retention Policy at Bank Polska Kasa Opieki Spółka Akcyjna,
  • Procedure for managing personal data protection violations in Bank Pekao S.A,
  • The rules and procedure at Bank Polska Kasa Opieki Spółka Akcyjna in connection with the commissioning of services involving the processing of personal data,
  • Application Security Policy at Bank Polska Kasa Opieki Spółka Akcyjna,
  • Rules of protection and the manner of proceeding with information in Bank Polska Kasa Opieki Spółka Akcyjna,
  • Protection of electronic information in Bank Polska Kasa Opieki S.A.

Directors of the Bank's organizational units and information owners are fully responsible for the organization and security of personal data processing in their subordinate units. Employees, in turn, are obliged to process personal data in accordance with the authorization granted to them, which results from the scope of activities specified for their position. To this end, Bank Pekao develops and implements mandatory training programmes for employees on the protection of personal data and systematically monitors the progress of these courses.

Personal data protection is also taken into account in the day-to-day activities of the Data Protection Officer's Office (hereinafter referred to as the DPO) when giving opinions on new processes, projects and initiatives, and when analysing internal regulations or contracts concluded by the Bank from the personal data perspective. The DPO and the DPO Office, together with the Bank's Security Department, review new technological solutions to ensure compliance with the requirements and principles set out in the GDPR and the highest possible level of security for the personal data processed.

Moreover, the Bank implements the personal data protection principles through the application of technical and organizational measures safeguarding the data processed. An Operational Security Centre (OCC) was established: a unit that monitors for unauthorized access to data (including personal data) and, through the systems operating at the Bank, acts to prevent leakage of such data.

GRI 418-1 Substantiated complaints regarding breaches of customer privacy and losses of customer data

                                                                                    Bank Pekao   Pekao Group
Complaints received from external parties in 2021 and substantiated by the organization      0            0
Complaints from regulators in 2021                                                  61 (new complaints, no continuation)   3
Total number of identified leaks, thefts or losses of customer data                 27           20
