Consumer Privacy and Data Protection

At our Bank, we strictly adhere to applicable legal regulations, including the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC – the General Data Protection Regulation (hereinafter the “GDPR”).

In the era of digitalisation and the increasing threats to cybersecurity, responsible management of customer data is a top priority. Privacy is not merely a matter of regulatory compliance but also a fundamental aspect of the Bank’s reputation. Every employee is obligated to maintain the confidentiality of legally protected information concerning the Bank, other entities within Pekao Group, customers, transactions, contractors, and fellow employees that they gain access to in the course of their work at Pekao Group.
We process personal data in full compliance with the law and with particular diligence to safeguard the interests of data subjects. The Bank acts both as a data controller and a data processor within the meaning of GDPR and bears full responsibility for compliance with data protection regulations, particularly by adhering to the following principles of personal data processing set out in GDPR:
- Lawfulness, fairness, transparency, and accuracy – ensuring that personal data is processed lawfully, fairly, and in a transparent manner for the data subject (Article 5(1)(a) and (d) of the GDPR);
- Purpose limitation – personal data is collected for specified, explicit, and legitimate purposes (Article 5(1)(b) of the GDPR);
- Data minimisation – ensuring that the scope of processed data is adequate and limited to what is necessary to achieve the specified purpose (Article 5(1)(c) of the GDPR);
- Integrity and confidentiality – implementing appropriate technical and organisational measures to ensure data security (Article 5(1)(f) of the GDPR).
We take all necessary precautions to prevent unauthorised access to legally protected information. In particular, we maintain the confidentiality of information classified with appropriate confidentiality clauses and use it strictly for the performance of official duties.
The Bank has implemented a range of internal regulations covering various operational areas to ensure the security of customers and their data. These include:
- Information Security Policy, along with supporting security documentation,
- Risk Management Methodology for Violations of Rights or Freedoms of Natural Persons at Bank Pekao S.A. (PIA Methodology),
- Personal Data Protection Principles and Rules for Obtaining Consent for Direct Marketing Activities at Bank Polska Kasa Opieki Spółka Akcyjna,
- Register of Processing Activities and Register of Categories of Processing Activities maintained by Bank Polska Kasa Opieki Spółka Akcyjna,
- Rules for Granting Authorisations to Process Personal Data and Access Bank Information,
- Procedure for Handling Data Subject Requests under GDPR at Bank Polska Kasa Opieki Spółka Akcyjna,
- Personal Data Retention Policy at Bank Polska Kasa Opieki Spółka Akcyjna,
- Procedure for Managing Personal Data Breaches at Bank Pekao S.A.,
- Rules and Procedures for Commissioning Services Involving the Processing of Personal Data at Bank Polska Kasa Opieki Spółka Akcyjna,
- Rules for Protecting and Handling Information at Bank Polska Kasa Opieki Spółka Akcyjna,
- Electronic Information Security at Bank Polska Kasa Opieki S.A.

Personal data protection is also embedded in the day-to-day operations of the Data Protection Officer’s (DPO) Department, which reviews new processes, projects, and initiatives, as well as internal regulations and contracts entered into by the Bank, from a data protection perspective. The DPO, the DPO Department, and the Bank’s Security Centre assess new technological solutions to ensure compliance with GDPR requirements and to maintain the highest level of personal data security.