Annual Report 2023

Responsibility

Customers safe online

GRI 3-3, 418-1

Mobile banking

The safety of our customers is one of the key elements we take care of in our business. We want our customers to feel safe when they call the bank. Bank Pekao S.A. is committed to even greater security and convenience for its customers, protecting them from spoofing, i.e. attempts to impersonate bank employees or hotline phone numbers. Therefore, we implemented a new solution. The customer can verify the identity of the calling employee in the PeoPay app or in the Pekao24 web service. During the call, the bank employee sends the customer a push notification in the PeoPay app or a message in the Pekao24 web service. After logging in, the customer sees an electronic business card with the employee's details and can thus make sure that he or she is actually talking to a bank employee. At the same time, the bank employee can ask the customer to authorize the business card, so that the conversation can continue without verifying additional customer data.
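The two-sided verification described above can be modelled as a small protocol. The following Python model is an added example and is not Bank Pekao's code; the class and field names, the five-minute validity window and the sample identifiers are assumptions chosen for illustration. It shows why the flow defeats a spoofed call: the employee card is only shown for a request the bank's backend actually issued to that customer, so a caller on a faked number has nothing the app will display, and the customer's authorization of the card is what the employee sees.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EmployeeCard:
    """The 'electronic business card' the customer sees after logging in."""
    employee_id: str
    name: str
    department: str


@dataclass
class VerificationRequest:
    request_id: str
    customer_id: str
    employee_id: str
    issued_at: float          # seconds; passed in explicitly so the flow is deterministic
    ttl_seconds: int = 300    # assumed: a card is only valid for roughly one call
    customer_authorized: bool = False

    def is_valid(self, now: float) -> bool:
        return now - self.issued_at <= self.ttl_seconds


class BankBackend:
    """Bank side (constructed): issues call-bound requests and answers app queries."""

    def __init__(self) -> None:
        self._employees: Dict[str, EmployeeCard] = {}
        self._requests: Dict[str, VerificationRequest] = {}
        self._push_inbox: Dict[str, List[str]] = {}   # customer_id -> pending request ids

    def register_employee(self, card: EmployeeCard) -> None:
        self._employees[card.employee_id] = card

    def start_verification(self, employee_id: str, customer_id: str, now: float) -> str:
        """Called by the employee during the call; the id is pushed to the app, never read out."""
        if employee_id not in self._employees:
            raise KeyError("unknown employee")
        request_id = secrets.token_urlsafe(16)
        self._requests[request_id] = VerificationRequest(request_id, customer_id, employee_id, now)
        self._push_inbox.setdefault(customer_id, []).append(request_id)
        return request_id

    def card_for_request(self, customer_id: str, request_id: str, now: float) -> Optional[EmployeeCard]:
        """Answered only for the customer the request was issued to, and only while unexpired."""
        req = self._requests.get(request_id)
        if req is None or req.customer_id != customer_id or not req.is_valid(now):
            return None
        return self._employees[req.employee_id]

    def pending_request_ids(self, customer_id: str, now: float) -> List[str]:
        return [rid for rid in self._push_inbox.get(customer_id, [])
                if self._requests[rid].is_valid(now)]

    def authorize(self, customer_id: str, request_id: str, now: float) -> bool:
        """Customer confirms the card; the employee may then skip extra identity questions."""
        req = self._requests.get(request_id)
        if req is None or req.customer_id != customer_id or not req.is_valid(now):
            return False
        req.customer_authorized = True
        return True

    def is_customer_verified(self, employee_id: str, request_id: str) -> bool:
        req = self._requests.get(request_id)
        return req is not None and req.employee_id == employee_id and req.customer_authorized


class CustomerApp:
    """Customer side (constructed): after login, lists the cards the bank actually pushed."""

    def __init__(self, backend: BankBackend, customer_id: str) -> None:
        self.backend = backend
        self.customer_id = customer_id

    def pending_cards(self, now: float) -> List[EmployeeCard]:
        cards = []
        for rid in self.backend.pending_request_ids(self.customer_id, now):
            card = self.backend.card_for_request(self.customer_id, rid, now)
            if card is not None:
                cards.append(card)
        return cards

    def authorize(self, request_id: str, now: float) -> bool:
        return self.backend.authorize(self.customer_id, request_id, now)


def run_demo() -> dict:
    """Walk through a genuine call and a spoofed one; returns what each party observed."""
    bank = BankBackend()
    bank.register_employee(EmployeeCard("emp-017", "A. Kowalska", "Helpline"))  # sample data
    app = CustomerApp(bank, "cust-42")

    # Genuine call: employee pushes a request, customer sees the card and authorizes it.
    rid = bank.start_verification("emp-017", "cust-42", now=1000.0)
    seen = app.pending_cards(now=1010.0)
    authorized = app.authorize(rid, now=1020.0)

    # Spoofed call: whatever id a caller quotes, the app shows nothing the backend never issued.
    impostor_card = bank.card_for_request("cust-42", "made-up-by-caller", now=1010.0)

    # Stale card: a request older than its validity window is no longer shown.
    stale_card = bank.card_for_request("cust-42", rid, now=1000.0 + 301)

    return {
        "customer_saw": [c.name for c in seen],
        "customer_authorized": authorized,
        "employee_sees_verified": bank.is_customer_verified("emp-017", rid),
        "impostor_card": impostor_card,
        "stale_card": stale_card,
    }


if __name__ == "__main__":
    print(run_demo())
```

The essential design points are that the request is bound to a specific customer and employee, is created only by the bank's backend, and expires; the customer never has to compare anything read out over the phone, which is exactly the channel a spoofer controls.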

To increase financial security, we have also made changes to online banking that allow customers to update their ID card details. Customers whose ID card is about to expire are prompted when logging in to enter the details of a new document; otherwise their access to electronic channels is blocked. A customer who fails to update his or her data within the specified period may not use electronic banking until the data are updated.

  • Communication via Pekao24 e-banking – throughout the year, we systematically provide our customers with content containing reminders of security rules and educational content to sensitize customers to situations that may put their data and funds at risk. The content deals, for example, with phishing, vishing and safe online shopping.
  • Content on the website pekao.com.pl – we attach great importance to ensuring that on our website everyone can always find up-to-date information on security rules and recommendations (also in English and Ukrainian), as well as current announcements about possible risks. The security subpages are the ones whose page views have steadily increased year after year and are among the most visited on our website.
  • Educational game in the PeoPay KIDS app – in a new module, which is an educational game in the app for children aged 6 to 12, one of the seasons is devoted entirely to security issues, so that our youngest group of customers can learn the basics of taking care of their money and data.
  • The #CYBERczujni campaign on social media – social media users can learn about the most common scam methods and how to protect themselves from them in posts published as part of the “#CYBERczujni – don’t be fooled” campaign. An additional website dedicated to the campaign introduces Internet users to security issues in a creative and accessible way.

All activities implemented in the area of security communication and education boil down to one key denominator: how our customers and Internet users should keep their data and funds safe.

Personal data

The Bank and entities of the Pekao Group comply with generally applicable laws and principles specified in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – General Data Protection Regulation (hereinafter: GDPR).

Personal data are processed at Bank Pekao in accordance with the provisions of law and with due diligence in order to protect the interests of data subjects, in particular by applying the following principles:

  • The principle of lawfulness, fairness and transparency, and of accuracy: personal data are processed in accordance with the law and in a reliable, fair and transparent manner in relation to the data subject (Art. 5.1 (a) and (d) of the GDPR),
  • The principle of purpose limitation by ensuring that the data is collected for specified, explicit, and legitimate purposes (Art. 5.1 (b) of the GDPR),
  • The principle of data minimization by ensuring that the data are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Art. 5.1 (c) of the GDPR),
  • The principle of integrity and confidentiality by ensuring that the data controller uses appropriate technical and organizational measures to ensure the appropriate security of the data (Art. 5.1 (f) of the GDPR).

To ensure comprehensive action on personal data protection, the Bank implemented a project to prepare the organization for meeting the GDPR requirements. As a result of the project, the Bank’s operations were analyzed for compliance with the GDPR requirements in respect of IT systems, processes, internal regulations, operations and document templates. The Bank’s internal regulations in this area include:

  • Information Security Policy with detailed information security documents,
  • Methodology for managing the risk of violation of rights and freedoms of natural persons at Bank Pekao S.A. (PIA Methodology),
  • The Principles for personal data protection and obtaining consents to take actions for direct marketing purposes at Bank Polska Kasa Opieki Spółka Akcyjna,
  • The Register of processing activities and the Register of categories of processing activities kept by Bank Polska Kasa Opieki Spółka Akcyjna,
  • The Principles for authorizing persons employed by the Bank to process personal data and access the Bank’s information,
  • The Procedure for handling requests made by data subjects under the GDPR at Bank Polska Kasa Opieki Spółka Akcyjna,
  • The Personal data retention policy of Bank Polska Kasa Opieki Spółka Akcyjna,
  • The Procedure for managing personal data breaches at Bank Pekao S.A.,
  • The Principles and procedures to be adopted by Bank Polska Kasa Opieki Spółka Akcyjna in connection with the outsourcing of services involving the processing of personal data,
  • Principles for information protection and management at Bank Polska Kasa Opieki Spółka Akcyjna,
  • Electronic Information Protection at Bank Polska Kasa Opieki S.A.

The heads of the Bank’s business units and information owners are fully responsible for the organization, security, and processing of personal data in their reporting units. In turn, employees must process personal data in accordance with the authorization arising from their job description. To this end, Bank Pekao develops and implements mandatory training programs for employees on personal data protection, systematically monitoring the progress of completed training.

The personal data protection aspect is also taken into account in the current activities of the Data Protection Officer’s Department (hereinafter: “DPO”) when issuing opinions on new processes, designs and initiatives, as well as analyzing internal regulations or agreements concluded by the Bank in terms of personal data. The Data Protection Officer, the Data Protection Officer’s Department, and the Bank Security Department verify new technological solutions in order to ensure compliance with requirements and principles set out in the GDPR and the highest possible level of security of processed personal data.

In addition, the Bank has adopted data protection principles that require technical and organizational measures to protect processed data. An Operational Security Center (OSC) has been established: a unit that monitors for unauthorized access to data (including personal data) and, through the systems in place at the Bank, prevents leakage of such data.

GRI 418-1

| BANK PEKAO | 2022 | 2023 |
|---|---|---|
| Complaints received from external parties and substantiated by the organization | 0 | 0 |
| Complaints from regulatory bodies | 47 new complaints (without continuation) | 31 new complaints (without continuation) |
| Total number of identified leaks, thefts or losses of customer data | 17 | 25 |
