Personal data protection policy for the TAURON Group’s entities
The General Data Protection Regulation (GDPR) has applied in the European Union since 25 May 2018.
The entry into force of the Regulation changed the approach to the protection of personal data, imposing a number of new obligations on data controllers, such as introducing new data security procedures and notifying the Polish supervisory authority (PUODO) and the data subjects (e.g. the TAURON Group’s customers) of personal data breaches. As part of its GDPR project, the TAURON Group undertook a number of actions aimed at implementing the requirements of the Regulation, in particular to:
ensure the protection of personal data regardless of the place of its processing,
appoint a Data Protection Officer (IOD) at the TAURON Group’s subsidiaries,
ensure mandatory notification of personal data breaches,
ensure the default protection of personal data and the protection of privacy at the design stage (privacy by design),
implement the rights of the customers and contractors (counterparties) to whom the data relates (e.g. the right to be forgotten),
update the content of the information clauses and consents regarding the processing of personal data,
adapt the IT systems to the new security requirements for personal data processing.
The following principles are enforced in the TAURON Group:
Lawfulness of personal data processing: we process personal data in accordance with generally applicable law, on an established legal basis;
Fairness (reliability): personal data is processed in a fair manner, and only to the extent adequate, relevant and necessary for the purposes of its processing;
Purpose limitation: personal data is processed for specified purposes;
Accountability: the TAURON Group documents the handling of the given data so that it is fully accountable and can demonstrate compliance with its legal obligations regarding the processing;
Minimization: the TAURON Group minimizes the processing of personal data, processing it only for the necessary purposes, of which the data subjects are informed in advance;
Accuracy: we take care of the accuracy of the data with the utmost diligence, verifying it and enabling the data subjects, for example, to update it;
Security: we place particular emphasis on the security of personal data processed in IT systems, implementing tools and procedures aimed at raising the level of cyber security. We implement and update procedures that improve the security of personal data, and train staff in this regard.
TAURON applies the Personal Data Protection Policy for the TAURON Group entities. The document sets out the principles and obligations related to the security and confidentiality of the personal data processed, as well as the data subjects’ access to information on its processing. If, despite the security measures applied, a personal data breach (e.g. data leakage or loss) occurs, the Data Controllers in the TAURON Group inform the data subjects of the occurrence using specially prepared forms, in the manner required by the applicable legal regulations.
Due diligence procedures and internal regulations
Due diligence procedures provided in this Policy include in particular:
1. General principles for the processing of personal data, specified in Article 5 of GDPR.
2. Rules ensuring that data is processed in accordance with the law – Articles 6-11 of GDPR.
3. Obligations of the Data Controllers to comply with the rights of the persons whose data is processed – Articles 12-23 of GDPR.
4. Regulations on the fulfillment of the general obligations of the Data Controller and the Processor with respect to entrusted data processing (e.g. a template agreement for entrusting the processing of personal data) – Articles 24-31 of GDPR.
5. The security measures necessary for data processing, taking into account the nature, scope, context and purposes of the processing – Articles 32-36 of GDPR.
6. Control mechanisms over data processing, in the form of monitoring by the Data Protection Officer of compliance with the regulations and the adopted processing procedures – Articles 37-43 of GDPR.
7. Requirements for the transfer of data to third countries and international organizations – Articles 44-49 of GDPR.
In accordance with Articles 24 and 32 of GDPR, the Policy implements, for the obligations listed above, measures that take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to which the processed data is exposed.
Actions taken and results achieved
In 2019, the TAURON Group made a considerable effort to demonstrate its commitment to the security of the personal data entrusted to it by:
Updating the internal regulations, including the Policy, to reflect the changing environment.
Keeping the inventory of the equipment and software used for processing information, including their type and configuration, up to date.
Performing periodic analyses of the risk of a loss of the integrity, availability or confidentiality of information, and taking measures to minimize this risk based on the results of the analysis.
Ensuring that the persons involved in information processing hold the appropriate authorizations and take part in the processing only to the extent required by their tasks and duties, so as to ensure information security.
Immediately changing the authorizations of the persons referred to in the preceding item when their tasks change.
Providing training for the people involved in the information processing process, with particular regard to such issues as:
threats to information security,
consequences of violating information security rules, including the legal liability,
using measures that ensure information security, including devices and software that minimize the risk of human error.
Protecting the information processed against theft, unauthorized access, damage or interference, by:
monitoring access to the information,
detecting unauthorized processing of information,
providing measures that prevent unauthorized access at the level of operating systems, network services and applications.
Establishment of and compliance with the basic principles guaranteeing security of work in case of mobile processing and remote work.
Securing the information in a manner that prevents its unauthorized disclosure, modification, deletion or destruction.
Including, in the support services contracts signed with third parties, provisions guaranteeing an appropriate level of information security.
Setting rules for handling information that minimize the risk of theft of the information and of the means used to process it, including mobile devices.
Implementation of an appropriate level of security in the ICT systems, involving, in particular:
keeping software up to date,
minimizing the risk of information loss as a result of a failure,
protecting against errors, loss and unauthorized modification,
using cryptographic mechanisms in a manner adequate to the threats or to the requirements of a legal provision,
ensuring the security of system files,
reducing the risks arising from the use of publicly disclosed technical vulnerabilities of the ICT systems,
taking immediate action when previously undisclosed vulnerabilities of IT systems that could lead to security breaches are identified,
checking the compliance of ICT systems with the relevant security standards and policies.
Implementing a system for the immediate reporting of information security incidents in a specific, pre-defined manner, enabling prompt corrective action.
Periodic internal audit with respect to the information security, at least once a year.
The number of justified complaints regarding breaches of customer privacy received by the TAURON Group from external entities decreased by 50% in 2019 as compared to 2018 (measured from May 2018), whereas the number of justified complaints regarding breaches of customer privacy received from the regulatory authorities went up by 100%.
The following table presents material complaints regarding breaches of customer privacy and loss of customer data in the TAURON Group in 2019.
Material complaints regarding breaches of customer privacy and loss of customer data at the TAURON Group in 2019
Total number of data leakage, theft or loss of customer data cases found
Number of justified complaints regarding breaches of customer privacy received from third parties and recognized by the organization
Number of justified complaints regarding breaches of customer privacy received from the regulatory authorities
Total number of justified complaints regarding breaches of customer privacy
TAURON Sprzedaż and TAURON Sprzedaż GZE received the largest share of the material complaints regarding breaches of customer privacy and loss of customer data in 2019 (92%). The increase in the total number of detected cases of data leakage, theft or loss (+355%) results from the larger scale of processing of customers’ personal data in 2019, especially in new projects, as compared to 2018.
In 2020, a detailed analysis of the breakdown by entity and of the growth drivers of these indicators will be performed, along with recommendations on how to reduce them.