General Data Protection Regulation

The Personal Data Controllers (PDC), depending on executed agreements or provided services, are the PZU Group Companies. You can contact the controller by sending an e-mail or a letter to the address of the controller’s registered office (a Company from the Group).

Select a company to contact your Personal Data Controller​:

PZU SA	PZU SA, ADO Rondo Ignacego Daszyńskiego 4 00-843 Warszawa
PZU Życie SA	PZU Życie SA, ADO Rondo Ignacego Daszyńskiego 4 00-843 Warszawa
PTE PZU SA	PTE PZU SA, ADO Rondo Ignacego Daszyńskiego 4 00-843 Warszawa
TFI PZU SA	TFI PZU SA, ADO Rondo Ignacego Daszyńskiego 4 00-843 Warszawa
PZU Zdrowie SA	PZU Zdrowie SA, ADO Rondo Ignacego Daszyńskiego 4 00-843 Warszawa
TUW PZUW	TUW PZUW, ADO Rondo Ignacego Daszyńskiego 4 00-843 Warszawa
PZU Pomoc SA	PZU Pomoc SA, ADO Rondo Ignacego Daszyńskiego 4 00-843 Warszawa
PZU CASH SA	PZU Cash SA, ADO Rondo Ignacego Daszyńskiego 4 00-843 Warszawa
Link4 TU SA	Link4 TU SA, ADO ul. Postępu 15 02-676 Warszawa

 

Processing of personal data by a controller (Company) must comply with the law, especially with provisions of the GDPR. Data may be processed if there is at least one condition for lawfulness of processing. Examples of the grounds for processing are an agreement, provisions of law or a voluntary conscious consent given by the data subject.

Data subjects have the right to obtain a wide range of information on the processing of their personal data by the controller. The data subject must be notified of the fact that operations are performed which involve processing of their personal data and of the purposes of such processing. The controller should provide any other information necessary to ensure reliability and transparency of the processing, taking into consideration specific circumstances and the context of personal data processing.

E-mail and traditional mail more

Contact on the telephone more

Video surveillance and access control more

Recruitment more

Data collection in connection with the provision of services or performance of other contracts more

Data collection in other cases more

 

Anyone whose personal data are processed has certain rights. These rights include the right of access to personal data, the right of rectification of personal data, the right of personal data erasure, the right to restrict personal data processing, the right to data portability and the right to object to processing on the terms and conditions defined in the GDPR.

The controller must define and describe appropriate technical and organizational measures to protect personal data. The controller is responsible for proving that they are effective and comply with the GDPR.

The controller’s duty is to maintain a record of the most important activities connected with personal data processing. That record shall contain, among others, the ways to protect personal data and data recipients.

A data controller may entrust personal data processing only to entities that ensure fair application of the GDPR.

The PZU Group Companies (controllers), in view of the nature and scope of personal data processing, are obligated to appoint Data Protection Officers (DPO) to be responsible for ensuring compliance with provisions of the GDPR, giving recommendations for assessment of effects for data protection as well as cooperating with the regulatory authority.

Data subjects may contact the Data Protection Officer designated by a given controller.

The Officer may be contacted by email or in writing to the following address of the Officer appointed in a given PZU Group Company.

Select a company to contact your Data Protection Officer:

PZU SA, IOD Grażyna Maśnica	PZU SA, IOD Rondo Ignacego Daszyńskiego 4 00-843 Warszawa e-mail: IODpzu@pzu.pl
PZU Życie SA, IOD Grażyna Maśnica	PZU Życie SA, IOD Rondo Ignacego Daszyńskiego 4 00-843 Warszawa e-mail: IODpzu@pzu.pl
PTE PZU SA, IOD Małgorzata Grzesiuk	PTE PZU SA, IOD Rondo Ignacego Daszyńskiego 4 00-843 Warszawa e-mail: IODpte@pzu.pl
TFI PZU SA, IOD Krzysztof Andrzejczyk	TFI PZU SA, IOD Rondo Ignacego Daszyńskiego 4 00-843 Warszawa e-mail: IODtfi@pzu.pl
PZU Zdrowie SA, IOD Mariusz Sarnecki	PZU Zdrowie SA, IOD Rondo Ignacego Daszyńskiego 4 00-843 Warszawa e-mail: IODzdrowie@pzu.pl
PZU Pomoc SA, IOD Kamil Marciniak	PZU Pomoc SA, IOD Rondo Ignacego Daszyńskiego 4 00-843 Warszawa e-mail: IODpomoc@pzu.pl
PZU Cash SA, IOD Magdalena Zięcina	PZU Cash SA, IOD Rondo Ignacego Daszyńskiego 4 00-843 Warszawa e-mail: IOD_cash@pzu.pl

 

The level of protection for personal data outside the European Economic Area (including the European Union, Norway, Liechtenstein and Iceland) differs from that provided by the European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate degree of protection, primarily by:

• cooperation with personal data processors in countries for which a relevant decision of the European Commission has been issued;
• application of standard contractual clauses issued by the European Commission;
• application of binding corporate rules approved by the relevant regulatory authority.

The Controller shall always inform about the intention to transfer personal data outside the EEA at the stage of collection.

The Personal Data Controller of your personal data, depending on executed agreements or provided services, is a PZU Group Company. Each of the Companies which is the controller of your personal data is responsible for using them safely, in compliance with the agreement and prevailing laws.

The Controller ensures transparency of data processing, in particular, it always informs about data processing when it collects them, including the purpose and legal basis of processing – e.g. when entering into a contract for the sale of goods or services. The Controller makes efforts to ensure that the data are collected only in the scope necessary for the indicated purpose and processed only for a time when it is necessary. The scope of the data will differ depending on whether they are processed to enter into and perform an insurance agreement, use medical services or in connection with employment.

The Controller makes efforts to ensure that the data are collected only in the scope necessary for the indicated purpose which may be:

• to enter into and perform an agreement,
• to follow an instruction for participation in mutual funds,
• to perform duties following from the law, 
• to handle a request for payment of damages, benefit or cash from a pension fund,
• to engage in direct marketing of own products and services,
• to detect and prevent abuses,
• to pursue and defend ourselves against claims,
• to prepare analyses and statistics,
• to handle a recorded notification,
• to ensure the security of people and property.

The PZU Group Companies process personal data of the following persons:

• clients entering into insurance agreements and other ones offered by the PZU Group Companies,
• persons reporting claims on account of executed agreements,
• persons using healthcare services,
• clients who participate in mutual funds,
• clients who are members of pension funds,
• persons authorized to disbursement of cash from pension funds,
• clients entering into an agreement for a banking product or for a consumer loan,
• employees and associates and the entire supporting group,
• candidates for employees and collaborators.

The PZU Group Companies also process personal data of other data controllers if such data have been entrusted to them in order to provide services.

The data are processed in compliance with requirements of binding laws and terms and conditions of agreements.

In compliance with law, you may make an objection at any time:

• to the processing of your data for direct marketing purposes (including profiling),
• to the processing of your personal data (including profiling) on the grounds of a legitimate interest.

Anyone whose data are processed by the PZU Group Companies may file a request for:

• data rectification (correction),
• data erasure,
• restriction of processing,
• access to the data (information about data processing and a copy of the data),
• data transfer to another data controller.

More on the above rights can be found in the Rights tab.

If the legal basis for personal data processing is your consent, you may withdraw it at any time. Such an action, however, will not affect the lawfulness of the processing of your data before your consent was withdrawn.

Profiling means any form of automated personal data processing that involves the use of personal data to evaluate certain personal features of an individual, in particular to analyze or forecast aspects of that individual's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement.

Profiling consists of three components:

• the form of processing is automated (at least in part),
• processing concerns personal data,
• the purpose of the processing is to evaluate personal factors, to assign certain characteristics or to predict behavior.
• Automated data processing takes place when data is processed solely by an algorithm (computer), i.e. without human involvement.

The Personal Data Controller is required to inform about automated processing, including profiling – if such processing produces legal effects or affects the individual in significant way. The data subject, on the other hand, has the right to object to automated processing, including profiling. The GDPR also guarantees the right not to be subject to a decision that is based solely on automated processing.

Examples of profiling and automated decision making:

Profiling, without decision making:

• online advertising (web tracking) to adjust displayed advertisements to the user’s expectations,
• direct marketing of own products and services,
• analysis of clients’ loss ratios for internal statistical purposes.

Decisions based on automated processing:

• insurance risk assessment to calculate the premium,
• analysis of driving style (telematics) to adjust the premium individually,
• calling for assistance automatically in the event of an accident.

In order to exercise data subjects’ rights, you should contact the Personal Data Controller or the Data Protection Officer.

A request concerning a data subject’s rights may be submitted:

• in writing to the address: Rondo Ignacego Daszyńskiego 4, 00-843 Warsaw;
• by e-mail to the address: kontakt@pzu.pl,
• specifying the PZU Group Company (Companies) to which the request refers.

If the Controller is unable to identify the requesting person on the basis of the request made, they will ask the requesting person for additional information. A request may be submitted in person or through a proxy (such as a family member). For the sake of data security, the Controller encourages the use of a power of attorney in a form certified by a notary public or authorized legal counsel or attorney-at-law, which will significantly speed up the verification of the authenticity of the request. The request should be answered within a month of its receipt. If it is necessary to extend this deadline, the Controller shall inform the requesting person of the reasons for the delay.

A response is provided by traditional mail, unless the request is made by e-mail or a response is requested to be in electronic form.

On this basis, the requesting person is provided by the Controller with information about the data processing, including, in particular, the purposes and legal grounds for the processing, the scope of data stored, the entities to which they are disclosed, and the planned date of data erasure.

On this basis, the Controller provides a copy of the processed data concerning the person making the request.

The Controller is required to remove any inconsistencies or errors in the processed personal data and supplement them if they are incomplete.

On this basis, it is possible to request the erasure of data which is no longer necessary to be processed to achieve any of the purposes for which they have been collected.

If such a request is made, the Controller shall cease performing operations on personal data – with the exception of operations consented to by the data subject – and storing them, in accordance with established retention rules or until the reasons for restricting processing cease to exist (e.g. a decision is issued by a regulatory authority permitting further processing).

On this basis, to the extent that the data are processed in connection with a contract or consent given, the Controller shall release the data provided by the data subject in a computer-readable format. It is also possible to request that the data should be sent to another entity – provided, however, that the technical capabilities exist in this regard, both on the part of the Controller and the other entity.

The data subject may object at any time to the processing of personal data for marketing purposes, without having to justify such objection.

The data subject may object at any time to the personal data processing that is carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property). An objection in this regard should include a justification.

If the data are processed on the basis of consent given, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing performed before the consent has been withdrawn.

If the personal data processing is deemed to violate the provisions of the GDPR or other data protection laws, the data subject may file a complaint with the President of the Personal Data Protection Office.