Data protection management

The PGE Group takes a responsible and comprehensive approach to the security and protection of personal data.

PGE Polska Grupa Energetyczna S.A., as the corporate centre, ensures:

  • the functioning of a coherent organisation of the personal data protection area in the PGE Group,
  • the building of personal data protection standards in the PGE Group,
  • the minimisation of the risk of data protection breaches while maintaining the required quality standards and the interest of the PGE Group,
  • compliance with data protection regulations, including in particular the separateness and independence of individual companies in the PGE Group as controllers of personal data,
  • the accountability of the processing of personal data by carrying out regular compliance checks in the area of personal data protection.

The processing and protection of personal data are carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and other provisions of generally applicable law. In the PGE Group, safeguards and procedures are in place to protect the personal data being processed. Data processing risks are analysed on an ongoing basis and staff receive regular training.

The primary objectives in managing data protection in the PGE Group are the following:

  • ensuring effectiveness in the area of personal data protection by identifying strategic areas for personal data protection management in PGE Group companies and their proper management,
  • taking measures to optimise the protection of personal data,
  • organising the companies’ work related to the fulfilment of their obligations as a data controller or processor,
  • standardising internal regulations of the personal data protection area in the PGE Group, taking into account the specificity of the functioning of individual companies and guaranteeing transparency of the personal data protection process,
  • building awareness in the area of personal data at PGE Group level by means of internal communication tools,
  • cooperation between the Data Protection Officers (DPOs) in individual companies in the form of the PGE Capital Group DPO Forum,
  • the division of roles and responsibilities in the area of data protection management, including the division of duties between the DPO and the personal data controller in order to comply with the requirements under the GDPR,
  • developing and implementing in the PGE Capital Group ICT tools enabling the fulfilment of obligations resulting from the regulations on personal data protection in order to ensure continuity and consistency of activities in the area of personal data protection in a uniform manner, at a specified level and according to a specified methodology.

Total number of substantiated complaints about customer privacy breaches and data loss in 2023

| Company | Complaints received from external bodies and acknowledged by the organisation | Complaints received from the regulator | Total number of identified leaks, thefts or losses of customer data |
|---|---|---|---|
| PGE S.A.¹ | 0 | 0 | 0 |
| PGE Obrót | 0 | 3² | 884³ |
| PGE Energia Ciepła | 0 | 0 | 0 |
| PGE Dystrybucja | 0 | 0 | 8 |

  1. concerns the processing of data in the category “Client” in the capacity of controller of personal data
  2. additionally, one decision of the PDPO containing a warning for PGE Obrót S.A. for a breach of GDPR provisions
  3. 38 – the number of incidents classified as breaches with notification to the Personal Data Protection Office (PDPO), (four internal); 846 – the number of incidents classified as breaches without notification to the PDPO

In accordance with Article 33(1) of the GDPR: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Notification to the PDPO occurs when the analysis of a data breach notification indicates that the data that have been disclosed may be used by an unauthorised third party and may cause material or immaterial damage to the person whose data have been disclosed.

In order to minimise the risk of a data breach, companies take appropriate remedial measures adapted to the severity and scope of the incident or breach.

At PGE Dystrybucja, such countermeasures include the following:

  • talks with employees to remind them of the data protection principles and the information security procedures in place,
  • reminders about the data security principles in communications to employees via corporate mail and publications on the intranet, in which the Data Protection Officer (DPO) provides, among other things, recommendations on the company’s data protection principles and measures,
  • refresher training activities,
  • updates to the existing data protection procedures and regulations,
  • regular contact with the Data Protection Officer, for both employees and the company’s customers and business partners.