The PZU Group attaches particular importance to respecting the privacy of users visiting our website. The data collected in logs is used only for the purposes of website administration. We do not endeavour to identify Users of the website.

Identification data is not associated with specific persons browsing the PZU Group website, with the exception of data provided by Users in contact forms. For the purpose of ensuring the highest possible quality of the website, we occasionally analyse log files in order to determine which websites are visited most frequently, which web browsers are used, whether the structure of the website contains errors, etc.

Cross-references to other websites

The Privacy Policy applies only to the websites of the companies of the PZU Group.

Where cross-references to other websites are placed on the website of a PZU Group company, the companies of the PZU Group are not responsible for the privacy policy in force on those websites. When you access the websites of other entities, we recommend that you familiarise yourself with the privacy policy established there.

Information on risks arising from the provision of electronic services/electronic access channels

The basic risks associated with using services on the Internet - including those offered by the PZU Group through electronic access channels - are:

  • operation of spyware,
  • impersonation with the purpose of phishing,
  • computer viruses,
  • spam.

Threats affect not only computers, but also mobile equipment such as smartphones and tablets.

Spyware is software that can be covertly installed on a user's device, e.g. by accessing a crafted website or running a file sent in the mail. It can monitor and send to the attacker both the data on the device and the user's actions: mouse movements, text typed on the keyboard, and what the camera and microphone capture.

Phishing is the placement of fake websites on the Internet that imitate the original ones and entice users to log in to them, e.g. by sending a crafted e-mail that pretends to be a message from a genuine institution or person. The aim is to intercept the access data to the service (login, password).

Computer viruses are malware that is transmitted by writing an infected file to a data carrier, e.g. a hard drive or flash drive. The purpose of a virus is to steal or delete data, disrupt the operation of the device or take control of the computer. Most commonly, a virus infection occurs after downloading files from an untrusted Internet source or opening an attachment in an e-mail.

Spam is unsolicited or unnecessary e-mail sent simultaneously to multiple recipients. Such messages often carry computer viruses, spyware or links to malicious websites.

Basic safety rules

  1. Every Internet user should take care of the security of their device. The computer should have an antivirus software program with an up-to-date virus definition database, an up-to-date and secure version of the Internet browser and a firewall activated. Furthermore, the user should periodically check that the operating system and the software installed on it are up to date, as attacks take advantage of bugs found in the installed software. Software manufacturers try to eliminate such vulnerabilities by means of updates.
  2. Access data for services offered on the Internet - e.g. logins, passwords, PINs, electronic certificates, etc. - should be kept secure. They should not be disclosed or stored on a device in a form that can be easily accessed and read.
  3. It is advisable to be cautious when opening attachments or clicking on links in messages you are not expecting, e.g. from unknown senders. In case of any doubt, it is advisable to contact the sender.
  4. It is advisable to enable tools in your browser that check whether a displayed website is a phishing site, e.g. one posing as a person or institution. The use of anti-phishing filters significantly reduces the risk of data theft.
  5. It is important to use anti-virus software to protect computers from harmful software and a firewall to control the transmission of information to and from the Internet, thus preventing the transmission of confidential data.
  6. Files should only be downloaded from trusted websites. It is highly risky to install software from unverified sources. This also applies to mobile devices, e.g. smartphones, tablets.
  7. When using your home wireless network (Wi-Fi), you should establish a secure and difficult to crack password to access the network. It is also recommended to use trusted Wi-Fi encryption standards e.g. WPA2.
  8. It is also important to maintain, as far as possible, physical access control over the equipment. If an unauthorised person attaches any additional devices to it or tampers with it, it may become infected with malware or connected to spyware devices, e.g. keyloggers, which are used to intercept text typed on the keyboard.

Protection of personal data

Users provide their personal data on the website on a voluntary basis.

Personal data is all information about an identified or identifiable natural person through one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected through recording equipment or other similar technology.


The Controller is each of the Companies of the PZU Group which is the Controller. Contact with the controller is possible via email address or in writing to the registered office address of the respective controller (Group Company) given below.

Select a company to contact the Controller of Personal Data:




Rondo Ignacego Daszyńskiego 4

00-843 Warszawa

PZU Życie SA


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa



Rondo Ignacego Daszyńskiego 4

00-843 Warszawa



Rondo Ignacego Daszyńskiego 4

00-843 Warszawa

PZU Zdrowie SA

PZU Zdrowie SA, ADO

Rondo Ignacego Daszyńskiego 4

00-843 Warszawa



Rondo Ignacego Daszyńskiego 4

00-843 Warszawa

PZU Pomoc SA


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa

Link4 TU SA

Link4 TU SA, ADO

ul. Postępu 15

02-676 Warszawa


Data processing by the Controller

As regards its economic activities, the Controller collects and processes personal data in compliance with the relevant legislation, including in particular the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC), and the data processing rules provided for therein.

The Controller shall ensure transparency in the processing of data, in particular always informing about the data processing at the time of collection, including the purpose and legal basis of the processing - e.g. when concluding a contract for the sale of goods or services. The controller shall ensure that data are collected only to the extent necessary for the stated purpose and processed only for the period of time necessary.

When processing data, the Controller shall ensure its security and confidentiality and access to information about the processing to data subjects. If, despite the security measures in place, an infringement of personal data protection (e.g. data 'leakage' or data loss) were to occur, the Controller shall inform the data subjects of such an event according to the provisions.

Contact with the Controller

Contact with the Controller is possible by e-mail or in writing to the correspondence and e-mail addresses given above for the controller concerned (Companies of the Group). Each Controller has appointed a Data Protection Officer who can be contacted via the e-mail addresses given above on any matter concerning the processing of personal data.

Recipients of the data

With regard to the carrying out of activities requiring the processing of personal data, personal data is disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment (e.g. CCTV equipment), entities providing legal or accounting services, couriers, marketing or recruitment agencies. Data is also disclosed to entities related to the Controller, including companies within its capital group. More information about the capital group of the Controller can be found here.

The Controller reserves the right to disclose selected information concerning the data subject to the competent authorities or to third parties who request such information on an appropriate legal basis and in compliance with applicable law.

Period of personal data processing

The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. The period of data processing may also result from regulations, when they constitute the ground for processing. If the data is processed on the basis of the legitimate interest of the Controller - e.g. for security reasons - the data shall be processed for the period allowing the fulfilment of this interest or until an effective objection to the data processing is raised. Where the processing is based on consent, the data are processed until the consent is withdrawn. When the basis for the processing is the necessity to conclude and perform a contract, the data are processed until the contract is terminated.

The period of processing may be extended if the processing is necessary for the establishment or assertion of claims or the defence against claims, and thereafter only if and to the extent required by law. Once the processing period has expired, the data shall be irreversibly deleted or anonymised.

Rights of data subjects

A data subject is any natural person whose personal data is processed by the Controller, e.g. a person visiting the premises of the Controller or directing an e-mail enquiry to the Controller.

The companies of the PZU Group ensure that data subjects can exercise their rights under the GDPR.

Data subjects enjoy the following rights:

  • the right of access by the data subject – on this basis, the requesting person is provided by the Controller with information about the processing of data, including, in particular, the purposes and legal basis of the processing, the scope of the data held, the entities to which the data are disclosed, and the planned date of data erasure;
  • the right to obtain a copy of the data – on this basis the Controller shall provide a copy of the data processed concerning the person making the request;
  • the right to rectification – the Controller shall rectify any inconsistencies or errors in the personal data processed and complete it if it is incomplete;
  • the right to erasure – on this basis, erasure may be requested for data whose processing is no longer necessary for any of the purposes for which it was collected;
  • the right to restriction of processing – where such a request is made, the Controller shall cease to carry out operations on the personal data - with the exception of those to which the data subject has given his or her consent - and to store them, in accordance with the retention rules adopted, or until the reasons for the restriction of the processing cease to exist (e.g. a decision by a supervisory authority authorising the further processing of the data is issued);
  • the right to data portability – on this basis - to the extent that the data is processed in connection with a contract concluded or consent given - the Controller shall issue the data provided by the data subject in a computer-readable format. It is also possible to request that the data be sent to another entity - provided, however, that the technical capabilities to do so exist both on the part of the Controller and the other entity;
  • the right to object against processing for marketing purposes – the data subject may object at any time to the processing of personal data for marketing purposes, without having to justify such objection;
  • the right to object against other purposes of the processing – the data subject may object at any time to the processing of personal data which is carried out on the basis of a legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property); an objection in this respect should contain a justification;
  • the right to withdraw consent – where data is processed on the basis of consent given, the data subject has the right to withdraw it at any time, but this does not affect the lawfulness of processing carried out prior to the withdrawal of consent;
  • the right to lodge a complaint – if the processing of personal data is considered to be in infringement of the provisions of the GDPR or other data protection legislation, the data subject may lodge a complaint with the President of the Personal Data Protection Office.

For the purpose of exercising the aforesaid rights, please contact the controller or the Data Protection Officer using the contact details specified above.

Submission of requests for the exercise of the rights

A request for the exercise of the rights of data subjects can be submitted:

  • in writing to the following address: Rondo Ignacego Daszyńskiego 4, 00-843 Warsaw, Poland;
  • by e-mail to:

If the Controller is unable to identify the person making the request on the basis of the request made, the Controller shall ask the person making the request for additional information. The request may be submitted in person or through an authorised representative (e.g. a family member). For reasons of data security, the Controller encourages the use of a power of attorney in a form certified by a notary public or an authorised attorney-in-law or advocate, which shall significantly speed up the verification of the authenticity of the request. The request should be responded to within one month of receipt. If it is necessary to extend this time limit, the controller shall inform the person making the request of the reasons for the delay.

The reply shall be provided by post, unless the request is made by e-mail or electronic transmission is requested.

Rules on charges

The procedure for requests submitted is free of charge.

Objectives and legal basis for the processing

E-mail and traditional correspondence

Where correspondence is addressed to the Controller via e-mail or traditional mail that is not related to the services provided to the sender or any other contract entered into with the sender, the personal data contained in such correspondence is processed solely for the purpose of communication and resolution of the matter to which the correspondence relates.

The legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting of the handling of correspondence addressed to it in connection with its economic activities.

The Controller shall only process personal data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner that ensures the security of the personal data (and other information) contained therein and is only disclosed to authorised persons.

Telephone contact

Where the Controller is contacted by telephone on matters not related to the contract concluded or the services provided, the Controller may request personal data only if it is necessary to handle the matter to which the contact relates. The legal basis in such a case is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting of the need to resolve the reported matter related to its economic activity.

Telephone calls may also be recorded, in which case information is provided at the beginning of the call. The calls are recorded in order to monitor the quality of the service provided and to verify the consultants' work, as well as for statistical purposes. The recordings are available only to the employees of the Controller and to the operators of the helpline of the Controller.

Personal data in the form of a recording of the call is processed:

  • for the purposes of serving clients and inquirers via the helpline, where the Controller provides such a service – the legal basis for processing is the necessity of the processing to provide the service (Art. 6(1)(b) of the GDPR);
  • for the purposes of monitoring the quality of service and verifying the work of the consultants operating the helpline, as well as for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in ensuring the highest possible quality of service for the benefit of clients and inquirers, as well as the work of the consultants and conducting statistical analyses of telephone communication.

Video surveillance and access control

For the purpose of ensuring the safety of persons and property, the Controller uses video surveillance and controls access to the premises and to the area managed by the Controller. The data collected in this manner is not used for any other purposes.

Personal data in the form of video surveillance recordings and data collected in the entry and exit register are processed for the purpose of ensuring security and order on the premises and possibly for the purpose of defending against or asserting claims. The basis for the processing of personal data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) to ensure the security of the property of the Controller and to protect the rights of the Controller.


Within the scope of the recruitment processes, the Controller expects the transfer of personal data (e.g. in a curriculum vitae or a resume) only to the extent stipulated by the labour legislation. Consequently, information should not be provided to a broader extent. Should the applications sent contain additional data, these shall not be used or taken into account in the recruitment process.

Personal data is processed:

  • in order to comply with legal obligations related to the employment process, including primarily the Labour Code - the legal basis for the processing is a legal obligation incumbent on the Controller (Article 6(1)(c) of the GDPR in relation to the provisions of the Labour Code);
  • in order to carry out the recruitment process for data not required by the provisions of law, as well as for future recruitment processes - the legal basis for the processing is a consent (Article 6(1)(a) of the GDPR);
  • in order to establish or assert or defend against possible claims - the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR).

Collection of data in connection with the provision of services or performance of other contracts

Where data is collected for the performance of a specific contract, the Controller shall provide the data subject with details of the processing of his/her personal data at the time of entering into the contract.

Collection of data in other cases

With regard to its economic activities, the Controller also collects personal data in other cases - e.g. during business meetings, at industry events or by exchanging business cards - for the purposes of initiating and maintaining business contacts. The legal basis for the processing in this case is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting of networking in connection with the activities conducted.

Personal data collected in such cases are processed only for the purpose for which it has been collected, and the Controller shall ensure that it is adequately protected.

Data security

For the purpose of ensuring data integrity and confidentiality, the Controller has implemented procedures that enable personal data to be accessed only by authorised persons and only to the extent that this is necessary for the tasks they perform. The Controller applies organisational and technical measures to ensure that all operations on personal data are recorded and carried out only by authorised persons.

Furthermore, the Controller shall take all necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process personal data on behalf of the Controller.

The Controller conducts a risk analysis on an ongoing basis and monitors the adequacy of the applied data security measures to the identified risks. Where necessary, the Controller shall implement additional measures to enhance data security.

Profiling and multi-company marketing of the PZU Group

What is profiling?

Profiling means any form of automated processing of personal data which consists of evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.

Profiling consists of three elements:

  • form of processing is automated (at least in part);
  • processing involves personal data;
  • purpose of the processing is to evaluate personal aspects, attribute characteristics or predict behaviour.

What is automated data processing?

Automated data processing is referred to when data is processed solely by an algorithm (computer), i.e. without human involvement.

The Controller is obliged to inform about the automated processing, including profiling - if such processing produces legal effects or materially affects the natural person concerned. The data subject, on the other hand, has the right to object to automated processing, including profiling. The GDPR also guarantees the right not to be subject to a decision that is based solely on the automated processing.

Examples of profiling and automated decision-making

Profiling, without decision-making:

  • Internet advertising (web tracking) in order to adapt the advertisements displayed to the user's expectations;
  • direct marketing of our own products and services;
  • analysis of client claims for internal statistical purposes.

Decisions based on the automated processing:

  • insurance risk assessment in order to calculate a premium;
  • analysis of driving style (telematics) to individualise a premium;
  • automatic calling for assistance in the event of an accident.

Multi-company marketing

The PZU Group implements marketing activities based on the mutual exchange and sharing of personal data of the users of the PZU websites and applications (including mojePZU) in order to offer better customised offers to current and potential clients. Personal data is collected via cookies and other content that monitors the user's activities, if the user has given the appropriate consent. You can find more information about the cookies and content that we use to monitor your activities in the paragraph 'Other disclosures (cookie files)'.

Selected entities within the PZU Group may have access to data collected using cookie files for the implementation of multi-company marketing. The aforementioned data shall be processed on the basis of previously expressed consent. The data shall be processed for the purposes of displaying suggestions of products that may be of interest to the user, activity suggestions for the user, and advertisements - including advertising banners - customised to the user's interests and preferences on the PZU Group websites and its applications (including mojePZU). The data collected may take into account real-time activities within the websites and applications of the PZU Group - e.g. what links the user clicks on, what information they view and what offers they are interested in. We may combine and analyse data collected from all PZU Group websites and applications for this purpose, including using automated systems. However, based on their outcome, no binding decisions shall be made towards users, only their segmentation and the matching of relevant offers.

For example, if you are a client of PZU S.A. and you consent to all cookie files on the website, we may display a customised service offer to you from another PZU Group entity, including on other PZU Group websites and in the mojePZU application or other applications we may make available to users in the future. If you have additionally consented to electronic marketing, we may send you marketing content based on the aforesaid analyses on selected communication channels (e.g. SMS, e-mail).

For the purposes of multi-company marketing, some of the entities in the PZU Group act as joint controllers of personal data. These entities decide jointly on the nature, scope and purposes of data processing for multi-company marketing on the basis of mutual arrangements. The essence of the arrangements is to achieve the common purpose of analysing, combining and sharing data collected by cookies and content monitoring user activities used by entities of the PZU Group and using them for marketing purposes of the PZU Group. This does not affect the manner and rules for the exercise of the data subject's rights as described in this Privacy Policy, including the relevant addresses and channels of communication.

You can always object to such processing of your personal data and revoke your consent to cookie files and data processing - see the paragraphs 'Data subject rights' and 'Other disclosures (cookie files)' for more information.

If the scope of data processing requires the collection of additional declarations of intent, e.g. a consent to process certain categories of data, we shall collect such a declaration from users in the relevant form. Any additional information relevant to such a form shall also be provided, including with regard to the legal grounds for the data processing.

Data Protection Officer (DPO)

Users may contact the Data Protection Officer appointed by the Controller concerned in matters of personal data protection.

Such contact may be made by e-mail or in writing to the address of the DPO appointed at the relevant company of the PZU Group given below.

Select a company to contact the Data Protection Officer:

Personal Data Officers

PZU SA, IOD Grażyna Maśnica


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PZU Życie SA, IOD Grażyna Maśnica


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PTE PZU SA, IOD Małgorzata Grzesiuk


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


TFI PZU SA, IOD Krzysztof Andrzejczyk


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PZU Zdrowie SA, IOD Mariusz Sarnecki

PZU Zdrowie SA, IOD

Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PZU Pomoc SA, IOD Kamil Marciniak


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PZU Cash SA, IOD Magdalena Zięcina


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


Other disclosures (cookie files)

Almost every website uses the technology of cookie files. When you visit our website, fragments of code are saved on your computer in which your settings are stored.

They serve to provide an optimal user experience when visiting our website and enable faster and easier access to information. Cookie files are not used to process personal data, and their content does not allow the user to be identified. On the next visit from the same device, the browser can check whether the relevant cookie file (i.e. a file containing the name of the page) is stored on the device and send the data contained therein back to the site which stored the cookie file. This makes it possible to recognise that a User has visited in the past and, in some cases, to customise the content presented to the recipient.

Retention period for cookie files

Due to the lifespan of cookies and other similar technologies, we use two main types of these files:

  • session ones - temporary files, stored on the User's terminal equipment until the User logs out, leaves the website and application or switches off the software (web browser);
  • persistent ones - stored on the User's terminal equipment for the time specified in the parameters of the cookies or until they are deleted by the User.

Cookies are divided into two categories.

Necessary cookie files are those needed for the proper functioning of our websites and applications. They are used to ensure security, to maintain the session of the user logging into our websites, and to remember preferences. We do not provide the option to disable these types of cookies from the level of the 'Privacy Management' window. It is possible to remove or block the placement of these cookies from your web browser, but this may hinder your use of our websites and applications, or in extreme cases, even prevent you from using some or all of the options.

Given the purpose of necessary cookies and other similar technologies, we use the following types of cookie files:

  • cookies necessary for the operation of the service and applications - enabling you to use our services, e.g. authentication cookies used for services that require authentication;
  • security cookies - e.g. used to detect authentication misuse;
  • performance - e.g. used to detect authentication misuse;
  • functional - enabling 'remembering' the User's selected settings and personalising the User's interface, e.g. with regard to the User's chosen language or region of origin, font size, appearance of the website and applications, etc.

Optional cookies are a set of cookie files mainly used by analytics and advertising systems of trusted partners. They are not necessary for the use of our services. Like necessary cookies, this category of cookies stores anonymous information. The user can delete the placed cookies or block the placement of cookies at any time using the options available in his or her web browser or from the level of the 'Privacy Management' window.

Based on the purpose of optional cookies and other similar technologies, we use the following types of cookies:

  • analytical and statistical - enable the collection of information about the use of websites and applications in relation to behaviour on these sites, e.g. transitions between subpages of the website and analysing the sources of traffic - where Users come from;
  • used for personalisation and A/B testing - changing the appearance of websites and applications depending on User preferences and previous behaviour;
  • advertising - enabling us to provide Users with advertising content more customised to their interests; these are our cookies, as well as cookies of third-party providers, used in particular for proper billing with publishers or to reach people who have visited our websites with advertisements.

Managing and deleting necessary and optional cookies from your browser varies depending on the browser you use. You can find out exactly how to do this by using the Help function in your browser. Most browsers offer the option of accepting or rejecting all cookies, accepting only certain types, or notifying the user each time a website attempts to store them. The user can also easily delete cookies that have already been stored on the device by the browser.

You can change the conditions for storing or receiving cookies by configuring the settings in web browsers, inter alia:


Functionalities or technologies of external partners

We use the tool provided by CUX Research Sp. z o.o, 42A Robotnicza St., 53-608 Wroclaw, Poland registered in the National Court Register under the KRS number: 0000792391. We conduct our economic activities in this regard based on our legitimate interest to create statistics and analyse them in order to optimise our websites. registers users of our site and enables us to play a video recording of its traffic on our website, as well as to generate so-called heat maps. does not share any information with us that allows us to identify you, as your data is encrypted at the web browser level and is not sent to the servers of

The information we have access to within is, in particular:

  1. information about the operating system and web browser you use,
  2. time spent on our website and on its subpages, the subpages you view within our website,
  3. transitions between different sub-pages within our service,
  4. source from which you go to our service,
  5. places where you click your mouse on our pages.

In order to use the aforesaid data, we have implemented the monitoring code in the source code of our website. It uses the cookies of the tool. You can disable the tracking code from within our website, using the mechanism used to manage cookies.

If you want to learn more about the data processing policy of, we encourage you to take a look at the privacy policy of

Transfer of data outside the EEA

The level of protection of personal data outside the European Economic Area (EEA) differs from that provided by the European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate level of protection, primarily by:

  • cooperation with processors of personal data in the countries for which a relevant decision of the European Commission has been issued;
  • use of standard contractual clauses issued by the European Commission;
  • application of the binding corporate rules approved by the relevant supervisory authority.

The Controller shall always inform about the intention to transfer personal data outside the EEA at the stage of its collection.
