S4-1
To effectively manage the identified impacts, risks and opportunities, the PZU Group has implemented policies and regulations that ensure transparency, ethical conduct and the protection of consumer rights. Below are the key policy categories from the perspective of consumers and end-users.
The functioning of the PZU Group is based on compliance with national, EU and international laws and regulations covering both the insurance and banking sectors. In relations with consumers and end-users, the regulations specific to these two areas are crucial; they include the Act on Insurance and Reinsurance Activity, the Act on Insurance Distribution and the provisions of the IDD, as well as the Consumer Loan Act, the MiFID provisions on offering investment products, and the EU delegated regulations governing product oversight and distribution processes.
The PZU Group also applies the recommendations of the supervisory authority (KNF) for insurance companies regarding the product management system and meets the requirements under EU regulations, including:
- Commission Delegated Regulation (EU) 2017/1469 of 11 August 2017, establishing a standardized format for the presentation of a document containing information on insurance products (for property products and other casualty insurance products), commonly referred to as the Insurance Product Information Document (IPID);
- Commission Delegated Regulation (EU) 2017/653 of 8 March 2017 laying down regulatory technical standards with regard to the presentation, content, review and revision of key information documents and the conditions for fulfilling the requirement to provide such documents. Consequently, the Key Information Document (KID) accompanies all products for which this is required according to the regulation.
The PZU Group’s targets are in accordance with global norms and commitments, including:
- ISO 9001 – Quality Management System;
- ISO/IEC 27001 – Information Security Management Systems.
The PZU Group has implemented policies, procedures and principles that ensure compliance with legal regulations, the protection of consumer rights and high-quality service. The most important ones include:
Policies to protect customers’ personal data
The policies aim to ensure that all processes related to the processing of personal data comply with the General Data Protection Regulation (GDPR). Equivalents of the “Personal Data Management Principles in PZU SA and PZU Życie” exist in the other PZU Group companies. These principles define activities in terms of privacy, information security and the transparency of data processing throughout the PZU Group.
Policies are in place at all PZU Group entities and cover all processes in which the personal data of customers, employees, co-workers and contractors is processed. They apply to data obtained under insurance, banking and investment contracts, as well as to employee data. The key objectives of these policies are:
- ensuring compliance with GDPR and national data protection regulations;
- protecting the privacy of individuals through the use of adequate technical and organizational safeguards;
- minimizing the risk of data security breaches and unauthorized disclosure;
- ensuring transparency in how data is processed and the right of access to information;
- building trust with customers, employees and partners through responsible data management.
The policies provide that:
- personal data are processed in accordance with the principles of legality, minimization, integrity and confidentiality;
- only authorized persons have access to data, and all IT systems are secured according to the highest cybersecurity standards;
- procedures are in place to respond to incidents and data security breaches, including the obligation to report violations to the supervisory authority;
- every customer and employee is provided with rights under the GDPR, including the right of access, rectification, erasure of data and the right to object to its processing;
- employees are regularly trained in data protection and work ethics.
The supporting mechanisms include:
- security management policy in the PZU Group;
- procedures for handling requests for personal data;
- a system for monitoring incidents related to privacy;
- compliance audits and security effectiveness assessments.
Implementation of the policy is the responsibility of a dedicated organizational unit within the PZU Compliance Department. In addition, each Group entity has a dedicated unit responsible for monitoring compliance with the GDPR.
Human Rights Policy in the PZU Group
Respect for human rights is the cornerstone of the PZU Group’s relationship with customers and other stakeholders, as reflected in the “Human Rights Policy in the PZU Group”, which is in line with UN and OECD guidelines. The Group ensures the equal treatment of customers, the non-discriminatory nature of its services and the wide availability of outlets and remote channels, and offers products targeting vulnerable groups, while also addressing these issues in its investment processes and in its operational and compliance risk management system.
For a broader description of the Policy, see Social – Employees of PZU Group.
In 2025, there were no incidents involving violations of human rights or non-compliance with UN and OECD guidelines affecting customers and end-users.
Security management policy in the PZU Group
The PZU Group’s Security Management Policy governs the protection of data and information systems, the countering of cyber threats, and the management of risks associated with cyber-attacks.
For a broader description of the Policy, see the Cybersecurity section.
Customer experience management policy
Marketing Policy of PZU Group
The PZU Group’s Marketing Policy ensures consistency in advertising and promotional activities and compliance with the Code of Ethics in Advertising; it defines standards for reliable communication, prevents misleading practices and promotes responsible marketing.
Principles regarding the insurance product management system
The principles for the insurance product management system specify requirements throughout the product life cycle, from design, through sales, to claims handling. They ensure compliance with the KNF’s recommendations and with Commission Delegated Regulation (EU) 2017/2358 supplementing Directive (EU) 2016/97 of the European Parliament and of the Council with regard to product oversight and governance requirements for insurance undertakings and insurance distributors.
CRM cooperation policy
The CRM cooperation policy improves customer relationship management by using analytical tools to personalize service and increase customer satisfaction.
The above policies cover all PZU Group entities except Alior Bank and Bank Pekao, which have adopted their own policies.
In the area of retail banking, most processes are governed by policies adopted by the banks themselves, such as the Code of Conduct, the Policy for the process of implementing new products, the Customer experience management model, the Marketing policy, the Personal data retention policy and the Information policy at Bank Pekao, and the Policy of preventing dishonest sales, the Personal data protection policy and the Principles of responsible marketing at Alior Bank.
Additionally, the PZU Group takes into account international standards, such as the OECD and UN guidelines, as well as internal procedures ensuring compliance with consumer protection regulations.
In the coming years, the PZU Group anticipates further activities in this area, including the development of tools to monitor the risk of greenwashing and training for employees in responsible communication and sustainability reporting.
Remedies such as compensation, mediation or psychological support are used when incidents occur. In 2025, there were no reported violations of UN and OECD guidelines at any of the PZU Group companies.