Customer data security

GRI 3-3, GRI 2-23, GRI 2-24, GRI 2-25
The digital world offers new opportunities, but also requires us to be extra cautious to guarantee data security. We satisfy the requirements arising from the laws in place and apply internal regulations, such as the Code of Best Practices for the processing of personal data in sales. We respect our Customers’ right to privacy and we understand that we must protect the data we receive against unauthorised access and use it responsibly.
Internal regulations that ensure appropriate protection of our Customers’ data are:
- ENEA Group Security Policy,
- Personal Data Protection Policy in the ENEA Group,
- ICT Security Principles in the ENEA Group,
- Information Processing Principles in the ENEA Group,
- Personal Data Processing Principles in the ENEA Group,
- Risk Management Methodology for Cybersecurity of Key Services in the ENEA Group,
- Personal Data Processing Risk Methodology in the ENEA Group.
The companies in the Group can also adopt their own regulations and additional privacy and data recommendations. For example, LW Bogdanka adopted the Information Security Policy for ICT Systems.
Both Employees and third parties cooperating with the Group’s companies sign non-disclosure agreements or confidentiality clauses and – where necessary – personal data processing agreements. We educate our staff and associates in personal data protection and information security. Only authorised Employees have access to Customers’ sensitive data.
Our Customers’ data is safe. We adopt advanced data management solutions and procedures and preventive measures to minimise data storage risks. We control the ICT and industrial automation system safeguards. Our servers that store and process personal data are connected only to an internal network, without access to the Internet. In 2023, we finalised the revision of our Personal Data Protection Policy in the ENEA Group, which we put in place on 1 January 2024.
GRI 418-1
On 30 November 2023, the President of the Personal Data Protection Office fined Enea SA PLN 282 960 for the Company’s failure to report a personal data breach to PUODO (President of Personal Data Protection Office). The Company appealed against the decision to the Provincial Administrative Court in Warsaw.
In 2023, Enea did not identify any material new risks to the security of Customers’ data.
- finalised revision of Personal Data Protection Policy in the ENEA Group (in effect since 1 January 2024). The revised version:
  - contains a detailed list of entities that make up Enea Group’s personal data protection system, their roles and responsibilities,
  - provides an updated basis and rules of personal data processing by the Enea Group’s companies,
  - contains detailed and harmonised rules of providing, sharing and retaining data, with new model personal data processing agreements,
  - obliges every company to adopt guidelines for handling personal data breaches and incidents,
  - introduces rules on informing the companies’ Management about the condition of personal data protection,
- modernised solutions for cookies management on the websites of Enea Group’s companies and revised personal data processing agreements between individual companies in the Group,
- audit of personal data protection when connecting new Customers to the grid at Enea Operator and launch of processing the changes in the company’s Personal data protection regulations, which will be implemented in 2024,
- review and updates of the internal Information Security Policy and Personal Data Protection Policy at LW Bogdanka; the company updated its model personal data processing agreement and a questionnaire completed by the personal data processor, and improved security of access to the network resources by changing the rules of creating passwords.