Annual report
2018

Product safety and customer security

In terms of the products offered, PKO Bank Polski SA and the PKO Bank Polski SA Group pursue a policy which has the objective of ensuring:

  • compliance of the products with the applicable standards;
  • their correct labelling;
  • Customer security while using them.

The scope of this policy at the Bank and in the Bank’s Group encompasses every stage: formulating the product offering, presenting it to the Customer, the purchase (i.e. signature of the agreement) and the Customer’s use of the product. The principles and mechanisms of pursuing the compliance policy and the appropriate labelling of products apply to the Bank and the whole of the Bank’s Group.

The Bank and the Bank’s Group make every effort to ensure that all products offered meet the requirements set out in the provisions of the law and the accepted market standards. These efforts focus on ensuring that:

  • the products offered are appropriate to the needs of the Customers to whom they are addressed;
  • the manner and form of proposing the purchase of products is appropriate to their nature;
  • before concluding the agreement, Customers are provided with reliable, transparent and comprehensive information about the product, in particular its nature, design, conditions, benefits and risks, as well as fees, commissions and other costs related to the conclusion, performance and, possibly, early termination of the agreement.

These rules apply not only to the Bank and entities from the Bank’s Group, but also to companies to which the Bank has entrusted the performance of specific operations related to product sales or handling.

Managing the risk of improper sales of products to Customers (misselling)

As part of ensuring compliance of the products with the applicable regulations, the Bank manages the misselling risk at the stage of creating and introducing the product, and then at the stage of offering the product to Customers. Each product undergoes pre-implementation analysis for the risks it generates and the identification of target Customer groups. The Bank also identifies the groups of Customers to which the Bank should not propose the purchase of a given product because of its inadequacy to the Customer’s needs or for other reasons (the so-called anti-group). If there are such anti-groups, control mechanisms are implemented to mitigate the risk of misselling. The risk of misselling is also mitigated at the stage of undertaking sales activity – before proposing to a Customer the purchase of a product, it is assessed whether the product is adequate to the needs of this type of Customer (in order to eliminate cases, for example, of selling unemployment insurance to pensioners or long-term investment products to elderly persons). Additionally, the Bank always provides reliable and comprehensive information to Customers so that they can make an informed choice of a specific product. The Bank acquaints Customers with the benefits as well as the risks arising from the purchase of individual products.

The Bank considers any irregularities reported by the Bank’s Customers, in particular in the form of a complaint, within the deadlines arising from the provisions of the law. Depending on the findings, the Bank takes steps to fix them, prevent them from taking place in the future and improve the quality of service (more in sub-chapter 11.2.3).

Similar solutions concerning managing the risk of misselling, in keeping with the principle of proportionality, are also in place in the remaining entities from the Bank’s Group which produce financial products or are involved in the process of their sale, i.e. in: PKO Życie Towarzystwo Ubezpieczeń SA, PKO Towarzystwo Ubezpieczeń SA, PKO Bank Hipoteczny SA, PKO Towarzystwo Funduszy Inwestycyjnych SA and in PKO BP Finat sp. z o.o.

Administrative proceedings

In 2018, the Bank was a party to three administrative proceedings conducted before the Office of Competition and Consumer Protection (UOKiK) regarding compliance of the Bank’s products with the applicable regulations. One of these proceedings was closed. At present, two proceedings with the Bank’s participation, initiated in 2017, are in progress. In 2018, no new administrative proceeding was initiated.

Administrative proceedings related to the principle of compliance of the PKO Bank Polski SA Group’s products, including PKO Bank Polski SA’s products, with the applicable provisions of the law.*

Description of administrative proceedings pending or completed in 2018 | Status

Bank
1. Proceedings initiated by the President of the UOKiK ex officio regarding the Bank’s application of practices breaching collective consumer interests by providing notice of proposed changes to the terms and conditions of the payment service agreement exclusively with the use of electronic messages and failing to attach the contractual legal basis and factual circumstances justifying the change (regulations and rates of the bank’s fees and charges to individuals) in the messages sent to consumers, therefore making it impossible for consumers to verify the acceptability of changing the terms of the agreement. The proceedings are closed (no administrative penalties).

By a letter dated 11 July 2018, the Bank submitted a motion to issue an obligating decision, together with proposals of actions intended to end the breach and remedy its consequences. The President of the UOKiK acceded to the motion and on 27 August 2018 issued an obligating decision to the Bank. The decision became valid on 4 October 2018.

2. Proceedings initiated by the President of the UOKiK ex officio regarding the recognition as inadmissible of contractual provisions applied by the Bank in model agreements, annexes to loan and mortgage loan agreements which are revalued/indexed/denominated in foreign currencies, and appendices thereto, concerning the method of establishing the buying and selling rates of foreign currencies, which in the opinion of the President of the UOKiK may be considered inadmissible in the light of Article 385 § 1 of the Polish Civil Code. The proceedings are pending.

By a letter dated 31 July 2018, the Bank submitted a motion to issue an obligating decision, together with proposals of actions intended to end the breach and remedy its consequences.

3. Proceedings initiated by the President of the UOKiK ex officio on the Bank applying practices breaching collective consumer interests. The Bank is charged with collecting higher instalments on loans and foreign currency loans than those arising from the instructions concerning forex risk presented to the consumers before concluding agreements, and with transferring the possible forex risk to the consumers. The proceedings are pending.

By a letter dated 27 September 2017, the Bank responded to the allegations of the President of the UOKiK, requesting the discontinuation of the proceedings due to the fact that the proceedings were initiated after the passage of the strict deadline or (alternatively) because of the irrelevance of the Bank’s alleged practice or (in the event of the failure to discontinue the proceedings) to take evidence from an expert opinion or a legal person (scientific unit) to present the circumstances specified in the Bank’s response.

Other entities from the Group
No proceedings.

* Does not include cases before common courts and explanatory proceedings.

Litigation

In 2018, two court proceedings were conducted at the Bank related to the application of unfair competition practices (one is before the Court of Appeal and the other one before the Supreme Court). No new court proceedings were initiated in 2018 concerning anti-competitive or anti-market practices.

Court proceedings concerning PKO Bank Polski SA

Description of court proceedings pending in 2018 | Status

The Bank is a party to a court proceeding brought by the President of the Office of Competition and Consumer Protection (UOKiK) by the decision dated 23 April 2001 based on a motion by the Polish Organization of Trade and Distribution – the Employers Association against the operators of the Visa payment system, Europay and banks – issuers of Visa cards and Europay/Eurocard/Mastercard cards. The proceeding relates to practices restricting competition on the market of card payments in Poland, consisting of jointly agreeing upon an interchange charge for transactions concluded using Visa and Europay/Eurocard/Mastercard cards, and restricting access to the market for other entities. The court proceedings are pending.

On 29 December 2006, UOKiK concluded that the practice of jointly agreeing upon an interchange charge restricts competition and ordered its discontinuation, at the same time imposing a fine of PLN 16.6 million on the Bank. The Bank appealed against the said decision of the President of UOKiK to the Court of Competition and Consumer Protection (SOKiK). By the ruling of 21 November 2013, SOKiK reduced the fine imposed on the Bank to PLN 10.4 million. The parties to the proceedings filed an appeal. The Court of Appeal in Warsaw in its ruling dated 6 October 2015 reinstated the initial amount of the imposed fines set in the decision of the UOKiK, i.e. the fine of PLN 16.6 million (the fine imposed on PKO Bank Polski SA) and the fine of PLN 4.8 million (the fine imposed on Nordea Bank Polska SA). The Bank paid the fine in October 2015. As a result of a cassation appeal brought by the Banks, the Supreme Court by the ruling of 25 October 2017 annulled the contested ruling of the Court of Appeal in Warsaw and remanded the case. The fines paid by the Bank were returned to the Bank on 21 March 2018. The case is currently pending before the Court of Appeal in Warsaw. The hearing was postponed without setting the date of the next hearing.

The Bank is a party in a court proceeding brought by the decision of the President of the UOKiK in connection with the suspicion of applying illegal contractual provisions in template agreements for granting consumer loans, excluding credit card agreements. The court proceedings are pending.

By the decision of 31 December 2013, the President of UOKiK concluded that the Bank’s practices violated the collective interests of the consumers and imposed a fine on the Bank of PLN 29 million. The Bank appealed against this decision to SOKiK. By the ruling dated 9 July 2015, SOKiK annulled in full the decision of the President of UOKiK. On 21 August 2015, the President of UOKiK brought an appeal against this ruling. On 31 May 2017, the Court of Appeal in Warsaw upheld the decision of SOKiK favourable to the Bank on annulling the decision in which the UOKiK concluded that the Bank breached the collective interests of the consumers by applying the so-called variable interest rate clauses, and in consequence annulling the penalty of PLN 17 million. As regards the second alleged practice of the Bank, i.e. the use of an information form, the Court of Appeal considered that the appeal was partly reasonable, and at the same time reduced the penalty imposed by UOKiK on the Bank from PLN 12 million to PLN 6 million. The penalty was paid on 17 July 2017. On 23 October 2017, the Bank brought a cassation appeal against the ruling of the Court of Appeal. The cassation appeal was also brought by the President of UOKiK. The Bank is waiting for the decisions of the Supreme Court concerning acceptance of the cassation appeals for consideration.

 

The PKO Bank Polski SA Group, including PKO Bank Polski SA, fulfils the requirements concerning correct labelling of the bank products and investment products by providing the Customers with all the necessary information about them, especially at the pre-contract stage.

The scope of information provided about the products is specified by the applicable provisions of the law and the recommendations of the Polish Financial Supervision Authority. The general rule is that the highest level of protection is available to retail Customers – consumers. This information is formulated in such a way that it is understandable to the so-called “average consumer”, namely – in accordance with the Act on counteracting unfair market practices – a consumer who is sufficiently well-informed, attentive and cautious. The scope of information provided to financial institutions and other professional recipients of products and financial services is narrower.

The Bank performs its statutory information obligations:

a) in relation to deposit products, including by:

  • informing Customers about the principles of the deposit guarantee system;
  • informing Customers about the possibility of submitting instructions in the event of death;
  • reminding Customers about accounts held at the Bank on which there have been no transactions for many years, no later than 6 months before the end of the 10-year period in which there were no transactions on the account, indicating that the agreement will be terminated if there is no further activity;
  • providing template agreements used for concluding agreements with Customers before the conclusion of the agreement using a given template, and during the agreement, at the Customer’s every request.

b) in relation to investment products, including by:

  • providing the Customers with the required information arising from the MiFID Regulation (including in the form of an Information Brochure on the Requirements of MiFID);
  • the provision of the “Key Information Documents” to Customers before concluding the agreement/transaction for the FIZ funds, in accordance with the requirements of the Regulation (EU) No 1286/2014 of the European Parliament and of the Council on key information documents for packaged retail and insurance-based investment products;
  • the provision of the “Key Information for Investors” to Customers before concluding the agreement/transaction for the FIO and SFIO funds, in accordance with the requirements of the Act on investment funds and managing alternative investment funds and the Directive UCITS IV;
  • providing template agreements used for concluding agreements with Customers before the conclusion of the agreement using a given template, and during the agreement, at the Customer’s every request.

c) in relation to loan products, in accordance with the provisions of the Act on consumer credit and the Act on mortgage loans and supervision over mortgage brokers and agents, including by:

  • providing an information form to Customers at the pre-contractual stage, together with a personalized draft loan agreement and, in the case of applying for a mortgage loan – also a loan decision;
  • providing general information on the mortgage loan agreement to Customers at any time;
  • informing the Customers who are late in repaying the loan liabilities, about the ability to submit a debt restructuring request.

d) in relation to insurance products, in accordance with the provisions of the Act on insurance agencies and the Recommendation U of the Polish Financial Supervision Authority regarding good bancassurance practices, including by:

  • showing Customers a power of attorney document and, in the case of natural persons performing agency activities, a document authorizing them to represent the insurance agent, at the time of performing the first agency activity and at every request of the Customer;
  • notifying Customers as to whether the Bank is representing one or multiple insurance companies;
  • informing Customers about the wording of the entry into the register of insurance agents and the method of checking the entry in the register and about the stocks or shares held by the Bank in the insurance company entitling it to at least 10% of the votes at the general meeting;
  • providing information to Customers regarding their rights and obligations related to obtaining insurance protection, including the provision of an information card about an insurance product.

The proper product labelling also applies to the Bank’s advertising messages which support its sales activities and shape its brands’ image. All marketing materials published by the Bank take into account the specific obligations arising from the commonly binding provisions of the law (e.g. the Consumer Credit Act – within the scope of advertising this type of loans) as well as market standards and the PFSA guidance formulated in the enacted “Rules of advertising banking services”.

The Bank makes every effort to ensure that marketing communications about products clearly indicate which product or service they relate to, are formulated reliably and do not mislead their recipients, and show recipients how to access complete information about the advertised product and about the benefits and risks related to it.

One of the Bank’s priorities is to set the highest security standards. Customer security in the process of using the Bank’s and the Bank Group’s products primarily includes security of the funds of Customers, as well as physical security of Customers in the Bank’s facilities. The matter of security is regulated by the internal regulations, including the Security Policy at PKO Bank Polski SA and – in detail – the provisions regarding specific areas of security, i.e.:

  • protection of people and property;
  • IT System security;
  • managing security incidents.

Security of Customer funds

The activities of the Bank and other entities of the Bank’s Group related to ensuring the security of Customer funds apply to both the assurance of security of the funds entrusted, as well as the funds invested with the use of the products offered. The initiatives implemented regarding the assurance of a stable and secure ICT infrastructure enabled the achievement of very high reliability indicators for the operation of the IT infrastructure applications in 2018.

Security of funds invested: The Bank makes every effort to ensure that the products offered to Customers do not generate the risk of a loss of funds. This is particularly important for investment products. Therefore, within the framework of the obligations imposed by the MiFID Directive, the Bank informs Customers before conducting a transaction on financial instruments as to whether the given product is suitable for them.

Security of entrusted deposits: With respect to deposit products, the main mechanism guaranteeing security of funds entrusted by Customers is the stability of the Bank’s financial result and the result of the other entities belonging to the Bank’s Group. An additional mechanism is the Bank’s involvement in the obligatory deposit guarantee system, operating under the Act on the Bank Guarantee Fund, the term deposit guarantee system and forced restructuring.

The security of Customer funds is also guaranteed at the Bank by procedural solutions which ensure that the Customer is correctly identified every time one of the Customer’s instructions is executed.

The risk of unauthorized access to Customer funds through electronic banking

The most important threat identified by the Bank and PKO Towarzystwo Funduszy Inwestycyjnych SA to the security of Customers benefiting from the Bank Group’s products is potential criminal activity of third parties targeted at Customers using electronic channels of access to banking and investment services.

First, the Bank uses the latest ICT security solutions guaranteeing secure access to funds held by Customers, and is constantly improving the quality of IT systems security, in particular regarding the applications used by the Bank’s Customers. This applies, among others, to actively combating phishing websites pretending to be the Bank’s websites, tracking the development of malware attacking the Bank’s Customers, developing mechanisms for detecting infected Customer computers, and improving the rules and extending the scope of monitoring of electronic transactions.

Second, the Bank attaches a great deal of importance to informing and raising Customer awareness of the safe use of electronic banking services, as well as payment cards, as security in this respect depends to a large extent on the user’s actions. These activities include, in particular:

  • mass educational campaigns, e.g. by initiating texts on the safe use of electronic banking (the Bankomania magazine distributed in a paper version in over 1200 branches (i.e. in almost 2/3) and the educational portal bankomania.pkobp.pl);
  • ongoing provision of responses and explanations to Customer enquiries (e-mail, social media);
  • ongoing communication, through the mass media, of the Bank’s position on fraudulent e-mails, including educational content;
  • ongoing response to other signals regarding threats;
  • publication of information on the Bank’s website, in the transaction website and distributed to Customers by e-mail on securely logging in and the principles of using electronic banking.

In 2018, the Bank began work on building a platform supporting a SIEM-class system (Security Information and Event Management). This will enable better detection of incidents and anomalies, and automation of many activities related to incident handling. The implementation of a solution monitoring threats on the Bank’s workstations was completed. This enabled, among other things, the detection of advanced types of malware. After integrating the solution with the Bank’s SIEM system, it will be possible to respond immediately to the incidents detected.

The specialist CERT unit operating within the Bank’s structures executes a strategy of ensuring IT security of the services provided. CERT PKO Bank Polski is a member of an international forum of responders – FIRST, and belongs to the task force of European responding teams – TERENA TF-CSIRT and the related Trusted Introducer organization. In 2018, the Bank initiated the CERT certification process for compliance with the requirements of the SIM3 (Security Incident Management Maturity Model) methodology. As a result of these actions, the Bank will be the first organization in the financial sector in Poland to hold the CERT certificate.

Joining the international organizations enables the Bank’s CERT team to respond faster and more effectively to cybersecurity threats by operational collaboration and exchange of experience and knowledge with similar entities throughout the world. The membership is also a confirmation of a high level of the services rendered and acknowledgement of the professionalism and skills in the area of ensuring IT security at the Bank.

In 2018, the Bank’s Cybersecurity Centre appointed the CERT team operating as part of ZBP – FinCERT.pl. As a result of the support granted by PKO Bank Polski SA, the team joined the Trusted Introducer.

The high organizational maturity in the area of handling cybersecurity incidents is particularly important in the light of the decision of the PFSA of 2018 concerning acknowledging PKO Bank Polski SA as an operator of a key service as defined by the Act on the national cybersecurity system.

Physical security of Customers

The Bank and the remaining entities from the Bank’s Group fulfil the condition of ensuring the highest quality of direct services to the Customers, among other things, by ensuring proper standards of comfort and safety.
The sites of the Group’s entities conducting retail operations, including the Bank, use state-of-the-art technical solutions in the area of physical security of customers and their funds, including physical protection and monitoring.

The Bank holds training for the employees of its branches and agencies named “Counteracting robberies and dealing with security threats.”

Being concerned about the safety of Customers and employees, an obligatory first aid course was introduced at the Bank in 2010, as part of the health and safety training. In 2018 alone, 5477 of the Bank’s employees were trained (as part of obligatory periodic trainings) and additionally 39 persons were trained in first aid as part of individual presentations organized on approval by the Director of the Health and Safety at Work Office. Since starting the programme, more than 25 thousand persons were trained.

As part of the dialogue with Customers regarding, among other things, the products offered, Customer satisfaction surveys are conducted at the Bank, divided into two main segments: the retail Customer and the corporate Customer. Most of the surveys at the Bank’s Group are conducted by the Bank. The companies do not conduct their own survey processes; KREDOBANK SA is an exception.

Retail Customer satisfaction surveys

In 2018, the Bank continued its strategic approach to Customer satisfaction. This resulted not only in carrying out the existing surveys aimed at identifying the level of Customer satisfaction, but also in implementing a mechanism that takes Customer satisfaction into account when designing and implementing the most important products and solutions offered to Customers by the Bank.

With regard to retail customers, the Bank conducted two types of satisfaction survey:

  • Relational research – conducted in all Customer segments, including firms and enterprises, measuring the strength of the relationship with the Bank and satisfaction with the cooperation with the Bank in general terms, encompassing the whole of the Customer’s experience.
  • Transactional research – performed at the key points of contact between the Customer and the Bank, immediately after the event, measuring satisfaction with a given interaction, which is defined in space and time, also including surveys for the needs of process design and implementation.

The Net Promoter Score (NPS) and Customer Satisfaction Index (CSI) indicators are used in both types of survey.

Customer satisfaction surveys are usually conducted using telephone interviews. Relational research is most frequently outsourced to external research companies, while transactional research is conducted with the Bank’s own resources through the Call Center.

Overall, in 2018, the Bank held almost 130k interviews with retail Customers using various methods. The plans encompass continually increasing the number of processes monitored for Customer satisfaction (products and sales channels) – in 2019 approx. 170k interviews will be conducted.

KREDOBANK SA also takes measures in its daily operations aimed at monitoring the satisfaction level of its retail Customers. The basic measure of satisfaction in KREDOBANK SA’s surveys is the Net Promoter Score (NPS). In 2018, KREDOBANK SA conducted more than 3.5k interviews, and it plans further extension of the surveys in 2019, i.e. conducting more than 4k interviews.

Corporate Customer satisfaction surveys

The year 2018 was the second full year of the operation of the NPS Programme (implemented also in PKO Leasing SA and PKO Faktoring SA) for the corporate Customer segment. The Bank continued to conduct telephone interviews with the Customers of corporate, strategic and international banking in order to better understand how they perceive their relationship with the Bank’s Group, the individual products and service channels. The Customers respond well to this form of dialogue, as confirmed by the continued high Response Rate of 64%.

The purpose of the Programme is to respond to the Customers’ needs, both through contact with the individual entities and by developing long-term solutions. Since the programme was started, 71 initiatives have been completed, including 31 in 2018. The changes were implemented, among others, in the area of further digitization of service processes, the settlements system of PKO Leasing SA, the service model and the system in PKO Faktoring SA. The measures undertaken render measurable effects – compared with 2017, the NPS for corporate Customers increased by 5 percentage points.

PKO Bank Polski SA operates within the limits of the Bank’s internal regulations concerning the principles of conducting marketing activities. In marketing communications, the Bank complies with the norms, which are described in the Appendix to these principles named “General requirements for creating advertising messages regarding trading in financial instruments”.

The Bank’s internal regulations concerning the principles of conducting marketing activity define the features of the appropriate advertising message, as well as the list of undesirable actions. According to detailed provisions, the advertising message (inter alia):

  • should be designed in a reliable manner, not be misleading, and should feature respect of the generally applicable laws, principles of fair trading and good practices;
  • must not present benefits in such a way that would diminish the significance of costs and risks associated with the purchase of a product or service.

In addition to the accepted internal regulations, in its marketing communications the Bank follows:

  1. “The Code of Banking Ethics (Principles of Good Banking Practice)” by the Polish Bank Association;
  2. “Good Practices in consumer credit advertising standards” developed within the framework of the cooperation of the Polish Bank Association, the Conference of Financial Enterprises and the Association of Lending Companies;
  3. “The principles of advertising banking services” by the Polish Financial Supervision Authority;
  4. “The canon of good financial market practices” prepared by entities from the financial and insurance sector.

In its marketing activities, the Bank has mechanisms that prevent the creation of unethical and unreliable messages. The units whose duties include verifying the compliance of messages with the generally applicable laws are consulted on the correctness of each communication.

The principles of ethics in marketing communication and the mechanisms for preventing the risk of unethical and unreliable communications also apply to materials prepared at the request of the Bank by external entities (advertising agencies, event agencies).

The same standards apply to all Customer groups. Each message must be formulated in a comprehensible, reliable, credible way, regardless of the Customer to whom it is addressed.

Within the Bank’s Group, entities have internal regulations and provisions which require them to design messages with the observance of ethical standards (this does not apply to entities that do not conduct active marketing activities). These standards coincide with those adopted by the Bank. In addition, the other entities in the Bank’s Group, which have signed agency agreements with the Bank concerning commissioning of marketing services, are required to apply the internal regulations on marketing communications in force at the Bank.

With regard to their marketing activities, all of the remaining entities in the Bank’s Group have control mechanisms to prevent the risk of an irresponsible or unethical communication from the company. The marketing communication is approved by the company’s respective supervisory units or, additionally – in the case of companies that have agreements with the Bank concerning commissioning of marketing services for the Bank’s Group – by the Bank’s relevant departments.

With regard to the marketing activities conducted by the Bank’s Group and the Bank, no administrative proceedings were conducted in 2018 related to a breach of the regulations regarding ethics in the marketing communication.

In March 2018, a situation occurred at the Bank that was incidental in nature. One of the branches undertook distribution of a leaflet about a cash loan that did not comply with the principles of the Consumer Credit Act. Due to the above, the President of UOKiK summoned PKO Bank Polski SA to voluntarily stop a practice that violates collective consumer interests. The idea of distributing the leaflet and its contents were not consulted with the Bank’s Head Office and were not approved by it. The branch withdrew from distributing this advertising leaflet and, in order to prevent similar practices in the future, the Bank sent a communication to the branch network reminding them that branches are not allowed to produce marketing materials on their own.

In accordance with the generally applicable regulations, including the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Personal Data Protection Act, PKO Bank Polski SA has internal personal data protection regulations.

These regulations apply to the principles of personal data processing at the Bank, in particular the method in which they are processed, as well as the technical and organizational measures ensuring security of the data being processed. Additionally, the Bank applies regulations regarding, in particular:

  • security of protected information;
  • IT System security;
  • protection of people and property;
  • security incident management;
  • conducting clarification proceedings;
  • preparation and implementation of security mechanisms.

Management of the risk of unauthorized access to Customer information

The risk of unauthorized access to Customer information is managed in accordance with the Security Policy of PKO Bank Polski SA. The Principles of protected information security at PKO Bank Polski SA regulate the confidentiality of information and the maintenance of bank secrecy, as well as personal data security, including the liability of the Bank’s employees regarding personal data protection. In accordance with these principles:

  • access to protected information at the Bank is only given to employees within the scope of their corporate tasks and duties;
  • the employees undergo training on security of protected information before starting to process protected information;
  • if materials containing protected information are provided to external entities, a non-disclosure agreement is concluded between the parties, whereas, in the case of entrusting the processing of personal data, an agreement is concluded on entrusting the processing of personal data.

Each of the Bank Group’s companies processing personal data, which is required to have appropriate regulations on this, has such regulations and applies them in practice. They are in line with the generally applicable regulations and standards applied at the Bank and, to the extent necessary, contain specific regulations which are adequate to the specific nature of the particular entity’s business.

Since the General Data Protection Regulation became binding, i.e. since 25 May 2018, cases of breach of personal data protection resulting in a risk of breaching personal rights and freedoms are reported to the President of the Personal Data Protection Office (UODO).
