Privacy Policy

The Controller is each of the Companies of the PZU Group which is the Controller. Contact with the controller is possible via email address or in writing to the registered office address of the respective controller (Group Company) given below.

Select a company to contact the Controller of Personal Data:

As regards its economic activities, the Controller collects and processes personal data in compliance with the relevant legislation, including in particular the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC), and the data processing rules provided for therein.

The Controller shall ensure transparency in the processing of data, in particular always informing about the data processing at the time of collection, including the purpose and legal basis of the processing - e.g. when concluding a contract for the sale of goods or services. The controller shall ensure that data are collected only to the extent necessary for the stated purpose and processed only for the period of time necessary.

When processing data, the Controller shall ensure its security and confidentiality and access to information about the processing to data subjects. If, despite the security measures in place, an infringement of personal data protection (e.g. data 'leakage' or data loss) were to occur, the Controller shall inform the data subjects of such an event according to the provisions.

Contact with the Controller is possible by e-mail or in writing to the correspondence and e-mail addresses given above for the controller concerned (Companies of the Group). Each Controller has appointed a Data Protection Officer who can be contacted via the e-mail addresses given above on any matter concerning the processing of personal data.

With regard to the carrying out of activities requiring the processing of personal data, personal data is disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment (e.g. CCTV equipment), entities providing legal or accounting services, couriers, marketing or recruitment agencies. Data is also disclosed to entities related to the Controller, including companies within its capital group. More information about the capital group of the Controller can be found here.

The Controller reserves the right to disclose selected information concerning the data subject to the competent authorities or to third parties who request such information on an appropriate legal basis and in compliance with applicable law.

Period of personal data processing

The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. The period of data processing may also result from regulations, when they constitute the ground for processing. If the data is processed on the basis of the legitimate interest of the Controller - e.g. for security reasons - the data shall be processed for the period allowing the fulfilment of this interest or until an effective objection to the data processing is raised. Where the processing is based on consent, the data are processed until the consent is withdrawn. When the basis for the processing is the necessity to conclude and perform a contract, the data are processed until the contract is terminated.

The period of processing may be extended if the processing is necessary for the establishment or assertion of claims or the defence against claims, and thereafter only if and to the extent required by law. Once the processing period has expired, the data shall be irreversibly deleted or anonymised.

A data subject is any natural person whose personal data is processed by the Controller, e.g. a person visiting the premises of the Controller or directing an e-mail enquiry to the Controller.

The companies of the PZU Group ensure that data subjects exercise their rights under the GDPR

Data subjects enjoy the following rights:

• the right of access by the data subject – on this basis, the requesting person is provided by the Controller with information about the processing of data, including, in particular, the purposes and legal basis of the processing, the scope of the data held, the entities to which the data are disclosed, and the planned date of data erasure;
• the right to obtain a copy of the data – on this basis the Controller shall provide a copy of the data processed concerning the person making the request;
• the right to rectification – the Controller shall rectify any inconsistencies or errors in the personal data processed and complete it if it is incomplete;
• the right to erasure – on this basis, erasure may be requested for data whose processing is no longer necessary for any of the purposes for which it was collected;
• the right to restriction of processing – where such a request is made, the Controller shall cease to carry out operations on the personal data - with the exception of those to which the data subject has given his or her consent - and to store them, in accordance with the retention rules adopted, or until the reasons for the restriction of the processing cease to exist (e.g. a decision by a supervisory authority authorising the further processing of the data is issued);
• the right to data portability – on this basis - to the extent that the data is processed in connection with a contract concluded or consent given - the Controller shall issue the data provided by the data subject in a computer-readable format. It is also possible to request that the data be sent to another entity - provided, however, that the technical capabilities to do so exist both on the part of the Controller and the other entity;
• the right to object against processing for marketing purposes – the data subject may object at any time to the processing of personal data for marketing purposes, without having to justify such objection;
• the right to object against other purposes of the processing – the data subject may object at any time to the processing of personal data which is carried out on the basis of a legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property); An objection in this respect should contain a justification
• the right to withdraw consent – where data is processed on the basis of consent given, the data subject has the right to withdraw it at any time, but this does not affect the lawfulness of processing carried out prior to the withdrawal of consent;
• the right to lodge a complaint–if the processing of personal data is considered to be in infringement of the provisions of the GDPR or other data protection legislation, the data subject may lodge a complaint with the President of the Personal Data Protection Office. For the purpose of exercising the aforesaid rights, please contact the controller or the Data Protection Officer using the contact details specified above.

A request for the exercise of the rights of data subjects can be submitted:

• in writing to the following address: Rondo Ignacego Daszyńskiego 4, 00-843 Warsaw, Poland;
• by e-mail to: kontakt@pzu.pl.

If the Controller is unable to identify the person making the request on the basis of the request made, the Controller shall ask the person making the request for additional information. The request may be submitted in person or through an authorised representative (e.g. a family member). For reasons of data security, the Controller encourages the use of a power of attorney in a form certified by a notary public or an authorised attorney-in-law or advocate, which shall significantly speed up the verification of the authenticity of the request. The request should be responded to within one month of receipt. If it is necessary to extend this time limit, the controller shall inform the person making the request of the reasons for the delay.

The reply shall be provided by post, unless the request is made by e-mail or electronic transmission is requested

The procedure for requests submitted is free of charge.

Where correspondence is addressed to the Controller via e-mail or traditional mail that is not related to the services provided to the sender or any other contract entered into with the sender, the personal data contained in such correspondence is processed solely for the purpose of communication and resolution of the matter to which the correspondence relates.

The legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting of the handling of correspondence addressed to it in connection with its economic activities.

The Controller shall only process personal data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner that ensures the security of the personal data (and other information) contained therein and is only disclosed to authorised persons.

Where the Controller is contacted by telephone, on matters not related to the contract concluded or the services provided, the Controller may request personal data only if it is necessary to handle the matter to which the contact relates. The legal basis in such a case is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting of the need to resolve the reported matter related to his/her economic activity.

Telephone calls may also be recorded, in which case information is provided at the beginning of the call. The calls are recorded in order to monitor the quality of the service provided and to verify the consultants' work, as well as for statistical purposes. The recordings are available only to the employees of the Controller and to the operators of the helpline of the Controller.

Personal data in the form of a recording of the call is processed:

• for the purposes of serving clients and inquirers via the helpline, where the Controller provides such a service – the legal basis for processing is the necessity of the processing to provide the service (Art. 6(1)(b) of the GDPR);
• for the purposes of monitoring the quality of service and verifying the work of the consultants operating the helpline, as well as for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in ensuring the highest possible quality of service for the benefit of clients and inquirers, as well as the work of the consultants and conducting statistical analyses of telephone communication.

For the purpose of ensuring the safety of persons and property, the Controller uses video surveillance and controls an access to the premises and to the area managed by the Controller. The data collected in this manner is not used for any other purposes.

Personal data in the form of video surveillance recordings and data collected in the entry and exit register are processed for the purpose of ensuring security and order on the premises and possibly for the purpose of defending against or asserting claims. The basis for the processing of personal data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) to ensure the security of the property of the Controller and to protect the rights of the Controller.

Within the scope of the recruitment processes, the Controller expects the transfer of personal data (e.g. in a curriculum vitae or a resume) only to the extent stipulated by the labour legislation. Consequently, information should not be provided to a broader extent. Should the applications sent contain additional data, these shall not be used or taken into account in the recruitment process.

Personal data is processed:

• in order to comply with legal obligations related to the employment process, including primarily the Labour Code - the legal basis for the processing is a legal obligation incumbent on the Controller (Article 6(1)(c) of the GDPR in relation to the provisions of the Labour Code);
• in order to carry out the recruitment process for data not required by the provisions of law, as well as for future recruitment processes - the legal basis for the processing is a consent (Article 6(1)(a) of the GDPR);
• in order to establish or assert or defend against possible claims - the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR).

Where data is collected for the performance of a specific contract, the Controller shall provide the data subject with details of the processing of his/her personal data at the time of entering into the contract.

With regard to its economic activities, the Controller also collects personal data in other cases - e.g. during business meetings, at industry events or by exchanging business cards - for the purposes of initiating and maintaining business contacts. The legal basis for the processing in this case is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting of networking in connection with the activities conducted.

Personal data collected in such cases are processed only for the purpose for which it has been collected, and the Controller shall ensure that it is adequately protected.

Profiling means any form of automated processing of personal data which consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.

Profiling consists of three elements:

• form of processing is automated (at least in part);
• processing involves personal data;
• purpose of the processing is to evaluate personal aspects, attribute characteristics or predict behaviour.

Automated data processing is referred to when data is processed solely by an algorithm (computer), i.e. without human involvement.

The Controller is obliged to inform about the automated processing, including profiling - if such processing produces legal effects or materially affects the natural person concerned. The data subject, on the other hand, has the right to object to automated processing, including profiling. The GDPR also guarantees the right not to be subject to a decision that is based solely on the automated processing.

Profiling, without decision-making:

• Internet advertising (web tracking) in order to adapt the advertisements displayed to the user's expectations;
• direct marketing of our own products and services;
• analysis of client claims for internal statistical purposes.

Decisions based on the automated processing:

• insurance risk assessment in order to calculate a premium;
• analysis of driving style (telematics) to individualise a premium;
• automatic calling for assistance in the event of an accident.

The PZU Group implements marketing activities based on the mutual exchange and sharing of personal data of the users of the PZU websites and applications (including mojePZU) in order to offer better customised offers to current and potential clients. Personal data is collected via cookies and other content that monitors the user's activities, if the user has given the appropriate consent. You can find more information about the cookies and content that we use to monitor your activities in the paragraph 'Other disclosures (cookie files)’

Selected entities within the PZU Group may have an access to data collected using cookie files for the implementation of multi-company marketing. The aforementioned data shall be processed on the basis of previously expressed consent. The data shall be processed for the purposes of displaying suggestions of products that may be of interest to the user, activity suggestions for the user, advertisements - including advertising banners, customised to the user's interests and preferences on the PZU Group websites and its applications (including mojePZU). The data collected may take into account real-time activities within the websites and applications of the PZU Group - e.g. what links the user clicks on, what information they view and what offers they are interested in. We may combine and analyse data collected from all PZU Group websites and applications for this purpose, including using automated systems. However, based on their outcome, no binding decisions shall be made towards users, only their segmentation and the matching of relevant offers.

For example, if you are a client of PZU S.A. and you consent to all cookie files on the pzu.pl website, we may display a customised service offer to you from another PZU Group entity, including on other PZU Group websites and in the mojePZU application or other applications we may make available to users in the future. If you have additionally consented to electronic marketing, we may send you marketing content based on the aforesaid analyses on selected communication channels (e.g. SMS, e-mail).

For the purposes of multi-company marketing, some of the entities in the PZU Group act as joint controllers of personal data. These entities decide jointly on the nature, scope and purposes of data processing for multi-company marketing on the basis of mutual arrangements. The essence of the arrangements is to achieve the common purpose of analysing, combining and sharing data collected by cookies and content monitoring user activities used by entities of the PZU Group and using them for marketing purposes of the PZU Group. This does not affect the manner and rules for the exercise of the data subject's rights as described in this Privacy Policy, including the relevant addresses and channels of communication.

You can always object to such processing of your personal data and revoke your consent to cookie files and data processing - see the paragraphs 'Data subject rights' and 'Other disclosures (cookie files)' for more information.'

If the scope of data processing requires the collection of additional declarations of intent, e.g. a consent to process certain categories of data, we shall collect such a declaration from users in the relevant form. Any additional information relevant to such a form shall also be provided, including with regard to the legal grounds for the data processing.