General Data Protection Regulation

What is the GDPR?

The GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) regulates in a direct and comprehensive manner personal data protection in the European Union. The aim of the document was to reduce the differences between relevant laws in all Member States. The GDPR introduces new solutions and reinforces the requirements prevailing to date.


The most important GDPR principles

Personal Data Controller

The Personal Data Controllers (PDC), depending on executed agreements or provided services, are the PZU Group Companies. You can contact the controller by sending an e-mail or a letter to the address of the controller’s registered office (a Company from the Group).

Select a company to contact your Personal Data Controller​:



Rondo Ignacego Daszyńskiego 4

00-843 Warszawa

PZU Życie SA


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa



Rondo Ignacego Daszyńskiego 4

00-843 Warszawa



Rondo Ignacego Daszyńskiego 4

00-843 Warszawa

PZU Zdrowie SA

PZU Zdrowie SA, ADO

Rondo Ignacego Daszyńskiego 4

00-843 Warszawa



Rondo Ignacego Daszyńskiego 4

00-843 Warszawa

PZU Pomoc SA


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa



Rondo Ignacego Daszyńskiego 4

00-843 Warszawa

Link4 TU SA

Link4 TU SA, ADO

ul. Postępu 15

02-676 Warszawa


Legal basis for personal data processing

Processing of personal data by a controller (Company) must comply with the law, especially with provisions of the GDPR. Data may be processed if there is at least one condition for lawfulness of processing. Examples of the grounds for processing are an agreement, provisions of law or a voluntary conscious consent given by the data subject.

Information on the purposes and legal grounds for the processing

Data subjects have the right to obtain a wide range of information on the processing of their personal data by the controller. The data subject must be notified of the fact that operations are performed which involve processing of their personal data and of the purposes of such processing. The controller should provide any other information necessary to ensure reliability and transparency of the processing, taking into consideration specific circumstances and the context of personal data processing.

E-mail and traditional mail


Contact on the telephone


Video surveillance and access control




Data collection in connection with the provision of services or performance of other contracts


Data collection in other cases



Rights of data subjects

Anyone whose personal data are processed has certain rights. These rights include the right of access to personal data, the right of rectification of personal data, the right of personal data erasure, the right to restrict personal data processing, the right to data portability and the right to object to processing on the terms and conditions defined in the GDPR.

Data protection policy

The controller must define and describe appropriate technical and organizational measures to protect personal data. The controller is responsible for proving that they are effective and comply with the GDPR.

Record of processing activities

The controller’s duty is to maintain a record of the most important activities connected with personal data processing. That record shall contain, among others, the ways to protect personal data and data recipients.

Personal data processor

A data controller may entrust personal data processing only to entities that ensure fair application of the GDPR.

Data Protection Officer

The PZU Group Companies (controllers), in view of the nature and scope of personal data processing, are obligated to appoint Data Protection Officers (DPO) to be responsible for ensuring compliance with provisions of the GDPR, giving recommendations for assessment of effects for data protection as well as cooperating with the regulatory authority.

Data subjects may contact the Data Protection Officer designated by a given controller.

The Officer may be contacted by email or in writing to the following address of the Officer appointed in a given PZU Group Company.

Select a company to contact your Data Protection Officer:

PZU SA, IOD Grażyna Maśnica


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PZU Życie SA, IOD Grażyna Maśnica


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PTE PZU SA, IOD Małgorzata Grzesiuk


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


TFI PZU SA, IOD Krzysztof Andrzejczyk


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PZU Zdrowie SA, IOD Mariusz Sarnecki

PZU Zdrowie SA, IOD

Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PZU Pomoc SA, IOD Kamil Marciniak


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa


PZU Cash SA, IOD Magdalena Zięcina


Rondo Ignacego Daszyńskiego 4

00-843 Warszawa



Transfers of data outside the EEA

The level of protection for personal data outside the European Economic Area (including the European Union, Norway, Liechtenstein and Iceland) differs from that provided by the European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate degree of protection, primarily by:

  • cooperation with personal data processors in countries for which a relevant decision of the European Commission has been issued;
  • application of standard contractual clauses issued by the European Commission;
  • application of binding corporate rules approved by the relevant regulatory authority.

The Controller shall always inform about the intention to transfer personal data outside the EEA at the stage of collection.

Processing of personal data

Information about personal data processing

The Personal Data Controller of your personal data, depending on executed agreements or provided services, is a PZU Group Company. Each of the Companies which is the controller of your personal data is responsible for using them safely, in compliance with the agreement and prevailing laws.

Scope of data

The Controller ensures transparency of data processing, in particular, it always informs about data processing when it collects them, including the purpose and legal basis of processing – e.g. when entering into a contract for the sale of goods or services. The Controller makes efforts to ensure that the data are collected only in the scope necessary for the indicated purpose and processed only for a time when it is necessary. The scope of the data will differ depending on whether they are processed to enter into and perform an insurance agreement, use medical services or in connection with employment.

Purpose of using data

The Controller makes efforts to ensure that the data are collected only in the scope necessary for the indicated purpose which may be:

  • to enter into and perform an agreement,
  • to follow an instruction for participation in mutual funds,
  • to perform duties following from the law, 
  • to handle a request for payment of damages, benefit or cash from a pension fund,
  • to engage in direct marketing of own products and services,
  • to detect and prevent abuses,
  • to pursue and defend ourselves against claims,
  • to prepare analyses and statistics,
  • to handle a recorded notification,
  • to ensure the security of people and property.

Categories of persons whose data we process

The PZU Group Companies process personal data of the following persons:

  • clients entering into insurance agreements and other ones offered by the PZU Group Companies,
  • persons reporting claims on account of executed agreements,
  • persons using healthcare services,
  • clients who participate in mutual funds,
  • clients who are members of pension funds,
  • persons authorized to disbursement of cash from pension funds,
  • clients entering into an agreement for a banking product or for a consumer loan,
  • employees and associates and the entire supporting group,
  • candidates for employees and collaborators.

The PZU Group Companies also process personal data of other data controllers if such data have been entrusted to them in order to provide services.

The data are processed in compliance with requirements of binding laws and terms and conditions of agreements.

Right to object and other rights

In compliance with law, you may make an objection at any time:

  • to the processing of your data for direct marketing purposes (including profiling),
  • to the processing of your personal data (including profiling) on the grounds of a legitimate interest.

Anyone whose data are processed by the PZU Group Companies may file a request for:

  • data rectification (correction),
  • data erasure,
  • restriction of processing,
  • access to the data (information about data processing and a copy of the data),
  • data transfer to another data controller.

More on the above rights can be found in the Rights tab.

Consent to data processing

If the legal basis for personal data processing is your consent, you may withdraw it at any time. Such an action, however, will not affect the lawfulness of the processing of your data before your consent was withdrawn.

Profiling and automated decision making

Profiling means any form of automated personal data processing that involves the use of personal data to evaluate certain personal features of an individual, in particular to analyze or forecast aspects of that individual's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement.

Profiling consists of three components:

  • the form of processing is automated (at least in part),
  • processing concerns personal data,
  • the purpose of the processing is to evaluate personal factors, to assign certain characteristics or to predict behavior.
  • Automated data processing takes place when data is processed solely by an algorithm (computer), i.e. without human involvement.

The Personal Data Controller is required to inform about automated processing, including profiling – if such processing produces legal effects or affects the individual in significant way. The data subject, on the other hand, has the right to object to automated processing, including profiling. The GDPR also guarantees the right not to be subject to a decision that is based solely on automated processing.

Examples of profiling and automated decision making:

Profiling, without decision making:

  • online advertising (web tracking) to adjust displayed advertisements to the user’s expectations,
  • direct marketing of own products and services,
  • analysis of clients’ loss ratios for internal statistical purposes.

Decisions based on automated processing:

  • insurance risk assessment to calculate the premium,
  • analysis of driving style (telematics) to adjust the premium individually,
  • calling for assistance automatically in the event of an accident.

Data subject’s rights

Exercising data subjects’ rights

In order to exercise data subjects’ rights, you should contact the Personal Data Controller or the Data Protection Officer.

A request concerning a data subject’s rights may be submitted:

  • in writing to the address: Rondo Ignacego Daszyńskiego 4, 00-843 Warsaw;
  • by e-mail to the address:,
  • specifying the PZU Group Company (Companies) to which the request refers.

If the Controller is unable to identify the requesting person on the basis of the request made, they will ask the requesting person for additional information. A request may be submitted in person or through a proxy (such as a family member). For the sake of data security, the Controller encourages the use of a power of attorney in a form certified by a notary public or authorized legal counsel or attorney-at-law, which will significantly speed up the verification of the authenticity of the request. The request should be answered within a month of its receipt. If it is necessary to extend this deadline, the Controller shall inform the requesting person of the reasons for the delay.

A response is provided by traditional mail, unless the request is made by e-mail or a response is requested to be in electronic form.

The right to information about personal data processing

On this basis, the requesting person is provided by the Controller with information about the data processing, including, in particular, the purposes and legal grounds for the processing, the scope of data stored, the entities to which they are disclosed, and the planned date of data erasure.

The right to obtain a copy of the data

On this basis, the Controller provides a copy of the processed data concerning the person making the request.

The right to rectification

The Controller is required to remove any inconsistencies or errors in the processed personal data and supplement them if they are incomplete.

The right to data erasure

On this basis, it is possible to request the erasure of data which is no longer necessary to be processed to achieve any of the purposes for which they have been collected.

The right to restrict processing

If such a request is made, the Controller shall cease performing operations on personal data – with the exception of operations consented to by the data subject – and storing them, in accordance with established retention rules or until the reasons for restricting processing cease to exist (e.g. a decision is issued by a regulatory authority permitting further processing).

The right to data portability

On this basis, to the extent that the data are processed in connection with a contract or consent given, the Controller shall release the data provided by the data subject in a computer-readable format. It is also possible to request that the data should be sent to another entity – provided, however, that the technical capabilities exist in this regard, both on the part of the Controller and the other entity.

The right to object to processing for marketing purposes

The data subject may object at any time to the processing of personal data for marketing purposes, without having to justify such objection.

The right to object to other purposes of processing

The data subject may object at any time to the personal data processing that is carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property). An objection in this regard should include a justification.

The right to withdraw consent

If the data are processed on the basis of consent given, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing performed before the consent has been withdrawn.

The right to complain

If the personal data processing is deemed to violate the provisions of the GDPR or other data protection laws, the data subject may file a complaint with the President of the Personal Data Protection Office.