In accordance with the generally applicable regulations, including the Personal Data Protection Act, PKO Bank Polski SA has internal personal data protection regulations, including instructions on managing the IT system used to process personal data.
These regulations set out the principles of personal data processing at the Bank, in particular the manner in which such data are processed, as well as the technical and organizational measures ensuring the security of the data being processed. Additionally, the Bank applies regulations regarding, inter alia:
- security of protected information;
- IT System security;
- protection of people and property;
- security incident management;
- conducting clarification proceedings;
- preparation and implementation of security mechanisms.
These regulations are supplemented by:
- the regulations that directly apply to personal data regarding physical and IT security, and
- the regulations on clarification proceedings related to breaches of personal data security;
thereby creating a network of provisions comprehensively regulating the issue of personal data protection at the Bank.
Management of the risk of unauthorized access to customer information
The risk of unauthorized access to customer information is managed in accordance with the Bank’s security policy. This policy regulates the principles of confidentiality of information and the maintenance of bank secrecy, as well as personal data security, including, in detail, the liability of the Bank’s employees regarding personal data protection.
In accordance with these principles:
- Access to protected information at the Bank is only given to employees within the scope of their corporate tasks and duties.
- The employees undergo training on security of protected information before starting to process protected information.
- If materials containing protected information are provided to external entities, a non-disclosure agreement is concluded between the parties; where the processing of personal data is entrusted to an external entity, a personal data processing entrustment agreement is concluded instead.
Each of the Group’s entities that processes personal data and is required to have appropriate regulations in this area has such regulations and applies them in practice. They are in line with the generally applicable regulations and the standards applied at the Bank and, to the extent necessary, contain specific provisions adequate to the particular nature of the entity’s business.
None of the Group’s entities, including the Bank, recorded a case of a “leak” or unauthorized use of personal data processed in these organizations in 2017 and no administrative procedures were conducted in this area (e.g. by the Inspector General for Personal Data Processing), which could result in the imposition of a fine.