ESG Report of the ENEA Capital Group for 2022

Customer data security

  • 3-3
  • INTERNAL INDICATOR 10
  • G-S1
  • 2-23
  • 2-24
  • 2-25

The ENEA Group respects the privacy of its customers and protects the security of the data it stores, guided by the applicable laws and internal procedures in this area. For personal data security, the Group relies on ENEA Centrum, which provides comprehensive support for IT processes, including the administration of systems critical to cybersecurity. ENEA Group companies comply with the requirements of the GDPR, and the key service operators act in accordance with the Act on the National Cybersecurity System. The Group has implemented advanced technical and organizational solutions enabling quick and efficient management of cybersecurity incidents. The established structures counteract the materialization of risks, with a particular focus on threats arising from the need to adapt the security of ICT and industrial automation systems to hybrid work, and on the related threats arising from the present geopolitical situation in the world.

Pursuant to the GDPR requirements, Data Protection Officers have been appointed in Group companies. They monitor compliance with personal data protection regulations and are contact persons for any matters in that area, also for customers.

Group-wide regulations governing this area:

  • ENEA Group Information Security Policy,
  • Personal Data Protection Policy in the ENEA Group,
  • ICT Security Principles in the ENEA Group,
  • Information Processing Principles in the ENEA Group,
  • Personal Data Processing Principles in the ENEA Group,
  • Risk Management Methodology for Cybersecurity of Key Services in the ENEA Group,
  • Personal Data Processing Risk Methodology in the ENEA Group.

Moreover, the companies adopt their own regulations, an example of which is the Information Security Policy for ICT Systems at Lubelski Węgiel Bogdanka S.A.

Both employees and external entities cooperating with the Group companies sign non-disclosure agreements (or confidentiality clauses) and personal data processing agreements. Employees’ access to customers’ personal data is limited to the extent necessary for the functions they perform; physical access to rooms where documents containing personal data are stored is also restricted. Documents containing personal data sent by electronic mail are password-protected, and those sent by traditional mail are sent by registered letter with confirmation of receipt. IT systems processing personal data operate only in internal networks such as the intranet (without access to the Internet) and have the safeguards necessary to protect the data.

Security of IT systems is subject to regular internal and external audits, which also cover the identification and mitigation of risks to data confidentiality. The companies conduct training courses on personal data protection and information security for employees, trainees and people cooperating with the companies under civil law agreements.

In 2022, the physical, information and ICT security services focused primarily on the process of improving employee skills in the area of the broadly defined security. The employees attended dedicated external and internal training. Furthermore, internal security campaigns for raising employee awareness of phishing attacks were launched last year.

In 2022, the ENEA Group CERT team, responsible for responding to network security incidents, was awarded the GÉANT TF-CSIRT Trusted Introducer accreditation, which attests to high standards of professionalism. The team monitors cyberspace risks on an ongoing basis and responds appropriately, e.g. by introducing changes to the Group’s security systems. Additionally, it maintains continuous contact with Polish and European CERT/CSIRT teams and implements their recommendations.

Jacek Kij, Director of the Group Security Department

  • 418-1

Breaches of personal data protection regulations in 2022

                                     Eligible for reporting     Ineligible for reporting     Total
                                     to the President of        to the President of
                                     the Personal Data          the Personal Data
                                     Protection Authority       Protection Authority
By ENEA Group companies overall                0                          254                 254
including ENEA S.A.                            0                           45                  45

On 21 February 2022, the Voivodship Administrative Court upheld the decision of the President of the Personal Data Protection Authority, who – by the decision of 11 February 2021 – imposed an administrative fine of PLN 136,437 on ENEA S.A. in connection with finding a breach of Article 33(1) of Regulation 2016/679 consisting in a failure to report a personal data breach to the President of the Personal Data Protection Authority without undue delay, within 72 hours of finding the breach. The fine was paid on 15 March 2022.

Selected initiatives in 2022 to enhance personal data security

  • INTERNAL INDICATOR 10

ENEA Operator conducted a data protection audit of the process of connecting customers to the electricity grid. As a result, the scope of property-access data obtained from customers for the purpose of constructing and maintaining electricity infrastructure has been minimized.

LWB carried out a review and update of its internal information security policy, implemented automatic message retention in the enterprise e-mail system, and enhanced the security of remote access via VPN by introducing multi-factor authentication.