In 2021, PGNiG and most of the Group companies did not report any substantiated complaints regarding breaches of customer privacy and losses of data.
Security and data protection
PGNiG has implemented the Information Security Management System (ISMS) certified for compliance with the PN-EN ISO/IEC 27001:2017-06 standard.
The system is based on the Information Security Policy (ISP) and the ICT Security Policy (ICT SP). The policies are the Company’s framework for processing information, especially personal data. In line with the PGNiG Group’s Data Protection Policy, PGNiG also fully protects personal data at the Company and selected PGNiG Group companies.
For PGNiG, information security means:
- protecting information resources and means of information processing;
- ensuring security and continuity of information processing;
- systematic management of risks by identifying resources, the related threats, and by selecting actions to safeguard those resources;
- reviewing changes introduced at the Company and their impact on the security of information resources.
The main objective of implementing the ISMS is to ensure data security and continuity of services through:
- ensuring compliance with the applicable laws;
- protecting the IT systems from unauthorised access, physical damage and malware
- raising employees’ awareness of cyber security issues and involving them in protection of information;
- ensuring ongoing analysis of the risk of information loss;
- ensuring improvement of the Information Security Management System.
One special solution are the rules of incident management defined in the ICT SP, which bring together the rules of response to IT incidents, taking into account the coordination by the Management Board’s Representative for the ISMS of actions taken in response to incidents.
The rules set out in the ISMS are subject to ongoing monitoring and change management in accordance with certified procedures for supervising the documentation of integrated management systems.
All persons who have access to PGNiG’s information resources are required to observe the rules set out in the System and demonstrate their commitment to its development and effectiveness of the implemented solutions.
Substantiated complaints regarding breaches of customer privacy and losses of data
The only exception here was PGNiG OD, the provider of services to the largest group of customers (more than seven million) of the PGNiG Group, where Data Protection Officer registered 308 breaches of personal data protection. 307 breaches did not require notification to the Data Protection Authority (UODO) or data subjects. However, in one case the risk level was assessed as high. The incident involved actions detrimental to the company and its customers which were taken by the now former PGNiG OD employee whose employment contract was terminated with immediate effect. The case, investigated by the Prosecutor’s Office, was referred to court by law enforcement agencies after the bill of indictment was drawn up. After the Prosecutor’s Office provided PGNiG OD’s Data Protection Officer with information that the circumstances preventing PGNiG OD from complying with its obligations under Articles 33 and 34 of the GDPR had ceased to exist, in January 2022 PGNiG OD formally notified UODO of the breach (in February 2021, the company provided UODO with preliminary information on the case) and informed four PGNiG OD customers about breach of their data.
With respect to each event of breach, assessments were performed concerning the risk of breaching rights and freedoms of persons whose data was breached, including in terms of the obligation to notify UODO or the data subject of the breach, based on the ENISA methodology.
Incidents of non-compliance with regulations
In 2021, the PGNiG Group did not receive any notifications or complaints regarding non-compliance with regulations and voluntary codes related to the impact of products and services on health and safety.