The General Data Protection Regulation (GDPR) has been applicable in the European Union since May 25, 2018. Its entry into force changed the approach to the protection of personal data, imposing a number of new obligations on data controllers, such as introducing new data security procedures and notifying the Polish supervisory authority (PUODO) and the data subjects (e.g. TAURON Group’s customers) of personal data breaches.
As part of the GDPR (RODO) project, TAURON Group has undertaken a number of actions aimed at implementing the requirements of the Regulation due to the need to:
- ensure the protection of personal data regardless of the place of its processing,
- appoint a Personal Data Protection Officer (IOD) at TAURON Group’s subsidiaries,
- ensure mandatory notification of personal data breaches,
- ensure the default protection of personal data and the protection of privacy at the design stage (privacy by design),
- implement the rights of the customers and contractors (counterparties) whose data is processed (e.g. “the right to be forgotten”),
- update the content of the information clauses and consents regarding the processing of personal data,
- adapt the IT systems to the new security requirements for personal data processing.
The following principles are enforced at TAURON Capital Group:
- Legality (lawfulness) of personal data processing: we process personal data in accordance with the generally applicable law, based on an established legal basis;
- Reliability: personal data is processed fairly, and only to the extent adequate, appropriate and required for the purposes of its processing;
- Purposefulness: personal data is processed for specific purposes;
- Accountability: TAURON Group effectively documents the handling of the given data in order to be fully accountable and prove the fulfillment of the legal obligations regarding its processing;
- Minimization: TAURON Group minimizes the processing of personal data and discloses it only for the required purposes, of which the data subjects are informed in advance;
- Correctness: we take care of the correctness of data with the utmost diligence, verifying it and enabling the data subjects, for example, to update it;
- Security: we place particular emphasis on the security of personal data processing using IT systems, implementing tools and procedures aimed at increasing cyber security. We implement and update procedures, optimizing the security of personal data, and train staff in this regard.
TAURON Capital Group applies the Personal Data Protection Policy for TAURON Group’s entities. The document sets out the principles and obligations related to the security and confidentiality of personal data, as well as to the data subjects’ (the persons the given personal data relates to) access to information on its processing. If, despite the security measures applied, a breach of personal data protection (e.g. data leakage or loss) occurs, the Data Protection Controllers (Administrators) at TAURON Group inform the data subjects of the occurrence, using the specially prepared forms and in the manner required by the legal regulations.
DUE DILIGENCE PROCEDURES AND INTERNAL REGULATIONS
Due diligence procedures provided in the described Policy include in particular:
- General principles for the processing of personal data specified in art. 5 of GDPR.
- Rules ensuring that data is processed in accordance with the law – art. 6-11 of GDPR.
- Obligations of the Data Controllers (Administrators) to comply with the rights of persons whose data is processed – art. 12-23 of GDPR.
- Regulations on the fulfillment of the general obligations with respect to the data processing entrusted with the Data Controller (Administrator) and the Processing Entity (e.g. a template of the agreement for entrusting the processing of personal data) – art. 24-31 of GDPR.
- The necessary security measures for data processing, taking into account the nature, scope, context and purposes of data processing – art. 32-36 of GDPR.
- Control mechanisms over data processing in the form of monitoring the compliance with the regulations and the accepted processing procedures by the Data Protection Officer – art. 27-43 of GDPR.
- Requirements for the transfer of data to third countries and international institutions – art. 44-49 of GDPR.
In accordance with art. 24 and art. 32 of GDPR, the Policy implements, in the performance of the above-mentioned compliance obligations, measures that take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, as well as the risks to which the processed data is exposed.
ACTIONS TAKEN AND RESULTS ACHIEVED
TAURON Capital Group undertook further intensive activities in 2020 to demonstrate its care for the security of the personal data processed, by:
1. Ensuring the update of the internal regulations, including the Policy, to the extent related to the changing environment.
2. Keeping the inventory of equipment and software used for processing information, including their type and configuration, up to date.
3. Performing periodic analyses of the risk of a loss of integrity, availability or confidentiality of information and taking measures to minimize this risk, pursuant to the results of the completed analysis.
4. Undertaking actions to ensure that the persons involved in the information processing process hold the applicable authorizations and participate in this process to an extent adequate to the tasks and duties they carry out, so as to ensure information security.
5. Promptly changing the authorizations in the event of a change in the tasks of the persons referred to in item 4.
6. Providing training for the people involved in the information processing process, with particular regard to such issues as:
   - threats to information security,
   - consequences of violating information security rules, including legal liability,
   - using measures to ensure information security, including devices and software that minimize the risk of human error.
7. Ensuring the protection of the processed information against theft, unauthorized access, damage or interference, by:
   - monitoring access to the information,
   - activities aimed at detecting unauthorized information processing activities,
   - providing measures to prevent unauthorized access at the level of operating systems, network services and applications.
8. Establishing and complying with the basic principles guaranteeing security of work in the case of mobile processing and remote work.
9. Securing information in a manner that prevents its unauthorized disclosure, modification, deletion or destruction.
10. Including, in the support services contracts signed with third parties, provisions guaranteeing an appropriate level of information security.
11. Setting the rules for handling information that minimize the risk of theft of information and of the information processing means, including mobile devices.
12. Implementing an appropriate level of security in the ICT systems, involving in particular:
    - taking care of software updates,
    - minimizing the risk of information loss as a result of a failure,
    - protection against errors, loss and unauthorized modification,
    - using cryptographic mechanisms in a manner adequate to the threats or to the requirements of a legal provision,
    - ensuring the security of system files,
    - reducing the risks arising from published technical vulnerabilities of the ICT systems,
    - taking prompt action when previously undisclosed vulnerabilities of IT systems that could lead to security breaches are noticed,
    - checking the compliance of ICT systems with the relevant security standards and policies, including the implementation of data retention.
13. Implementing a system for promptly reporting information security incidents in a specific and pre-defined manner, enabling corrective (remedial) actions to be taken quickly.
14. Internal audit with respect to information security, including in particular the audit of IT systems in which personal data is processed.
The increase in the total number of identified leaks, thefts or cases of loss of customer data (+39.2%) is due to the increase in the scale of processing customers’ personal data in 2020, during the pandemic. The number of substantiated (justified) complaints regarding breaches of customer privacy received from the regulatory authorities fell (by 250%).
GRI 418-1. Material complaints regarding breaches of customer privacy and loss of customer data at TAURON Group in 2020

| Indicator | 2020 |
|---|---|
| Total number of data leakage, theft or loss of customer data cases found | 341 |
| Number of substantiated (justified) complaints regarding breaches of customer privacy received from third parties and recognized by the organization | 63 |
| Number of substantiated (justified) complaints regarding breaches of customer privacy received from the regulatory authorities | 1 |
| Total number of substantiated (justified) complaints regarding breaches of customer privacy | 64 |
TAURON Sprzedaż, TAURON Sprzedaż GZE and TAURON Dystrybucja S.A. are the entities at which the material complaints regarding breaches of customer privacy and loss of customer data arose in 2020; they account for 100% of all the detected data leaks and complaints at TAURON Group.
A detailed analysis of the subject structure and growth factors of these indicators (rates) will be completed in 2021, along with recommendations on how to curb their growth.