The heads of the Bank's business units and information owners are fully responsible for the organization, security, and processing of personal data in the units reporting to them. In turn, employees must process personal data in accordance with the authorization arising from their job description. To this end, Bank Pekao develops and implements mandatory training programs for employees on personal data protection and systematically monitors the completion of that training.
3-3
The Bank and entities of the Pekao Group comply with generally applicable laws and principles specified in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – General Data Protection Regulation (hereinafter: GDPR).
Personal data are processed at Bank Pekao in accordance with the provisions of law and with due diligence in order to protect the interests of data subjects.
Bank Pekao is both a data controller and a processor within the meaning of the GDPR and bears full responsibility for compliance with personal data protection regulations, in particular taking into account the principles concerning the processing of personal data specified in GDPR, such as:
- The principle of lawfulness, fairness, transparency and accuracy: personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject, and are kept accurate (Art. 5.1 (a) and (d) of the GDPR),
- The principle of purpose limitation: data are collected for specified, explicit, and legitimate purposes (Art. 5.1 (b) of the GDPR),
- The principle of data minimization: data are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Art. 5.1 (c) of the GDPR),
- The principle of integrity and confidentiality: the data controller uses appropriate technical and organizational measures to ensure the appropriate security of the data (Art. 5.1 (f) of the GDPR).
To ensure comprehensive action on personal data protection, the Bank implemented a project to prepare the organization to meet the GDPR requirements. As part of the project, the Bank's operations were analyzed for compliance with the GDPR requirements covering IT systems, processes, internal regulations, operations and document templates.
As a result of the analysis, the scope of actions that must be carried out by the Bank was defined and a number of internal regulations applicable to particular areas of the Bank’s activities were adopted. These regulations include:
- Information Security Policy with the Information Security Policy Documents,
- Methodology for managing the risk of violation of rights and freedoms of natural persons at Bank Pekao S.A. (PIA Methodology),
- The Principles for personal data protection and obtaining consents to take actions for direct marketing purposes at Bank Polska Kasa Opieki Spółka Akcyjna,
- The Register of processing activities and the Register of categories of processing activities kept by Bank Polska Kasa Opieki Spółka Akcyjna,
- The Principles for authorizing persons employed by the Bank to process personal data and access the Bank’s information,
- The Procedure for handling requests made by data subjects under the GDPR at Bank Polska Kasa Opieki Spółka Akcyjna,
- The Personal data retention policy of Bank Polska Kasa Opieki Spółka Akcyjna,
- The Procedure for managing personal data breaches at Bank Pekao S.A.,
- The Principles and procedures to be adopted by Bank Polska Kasa Opieki Spółka Akcyjna in connection with the outsourcing of services involving the processing of personal data,
- Application security policy of Bank Polska Kasa Opieki Spółka Akcyjna,
- Principles for information protection and management at Bank Polska Kasa Opieki Spółka Akcyjna,
- Electronic Information Protection at Bank Polska Kasa Opieki S.A.
The personal data protection aspect is also taken into account in the current activities of the Data Protection Officer’s Department (hereinafter: “DPO”) when issuing opinions on new processes, designs and initiatives, as well as analyzing internal regulations or agreements concluded by the Bank in terms of personal data. The Data Protection Officer, the Data Protection Officer’s Department, and the Bank Security Department verify new technological solutions in order to ensure compliance with requirements and principles set out in the GDPR and the highest possible level of security of processed personal data.
In addition, the Bank has decided to implement data protection principles governing the application of technical and organizational measures to protect the data it processes. An Operational Security Center (OSC) has been established: a unit that monitors for unauthorized access to data (including personal data) and, through the systems in place at the Bank, prevents the leakage of such data.
418-1
| BANK PEKAO | 2021 | 2022 |
|---|---|---|
| Complaints received from external parties and substantiated by the organization | 0 | 0 |
| Complaints from regulatory bodies in 2022 | 61 new complaints (without continuation) | 47 new complaints (without continuation) |
| Total number of identified leaks, thefts or losses of customer data | 20 | 17 |