2021
ESG Report

Cybersecurity and data protection

At Allegro, customer satisfaction starts from ensuring safety and confidence that the purchase will be successful. In addition to customer privacy and data protection, cybersecurity management is one of our priorities.

The rules and policies adopted by Allegro related to customer privacy, data protection and cybersecurity include:

  • Security (including cybersecurity) policy
  • Incidents Management Process
  • NDA circulation procedure
  • Rules on storing personal data at Allegro.pl sp. z o.o.
  • Procedure for exercising Allegro.pl users’ data rights
  • Procedure for reporting personal data breaches to the Personal Data Protection Office
  • Business Continuity Policy

We commission the Cybersecurity Maturity Assessment (Ocena Dojrzałości Cyberbezpieczeństwa), an external audit carried out every two years by an external company. In the most recent review in 2021, Allegro.pl scored higher than the market average and higher than two years ago. We have multiple security solutions in place, all of which are monitored and improved on an ongoing basis. We also introduced a private and a public Bug Bounty programme, which enable users to alert our IT department about security vulnerabilities detected on our platform.

CERT, an interdisciplinary security team

CERT Allegro (Computer Emergency Response Team Allegro) is an interdisciplinary team formed to elevate security at Allegro and raise security awareness among employees and users. It is made up of members of the following teams: Information Security Team, Computer Security Incident Response Team, Cyber Defense & Offense Team, Anti-fraud Operations Team and Cooperation with Law Enforcement Authorities Team.

CERT has the following goals:

  • monitor and analyse security at Allegro
  • respond to cybersecurity threats
  • exchange cybersecurity information, knowledge and experience with external CERT teams
  • raise security awareness among employees and users.

As part of its activity, CERT coordinates and handles incidents and other events involving cybersecurity threats to Allegro; actively reacts in the event of immediate cybersecurity threats to users; works with other CERT teams in Poland and worldwide, in particular as part of Trusted Introducer; supports the Crisis Management Team in crisis situations involving cybersecurity, and develops tools to detect, analyse and correlate threats.

Read more on CERT Allegro at.

GRI
  • 102-13

We are a member of Trusted Introducer, an initiative of the biggest European organization of cybersecurity threat response teams. We are also active members of various working groups, including the IAB Polska Group for Cybersecurity (chaired by one of our employees) and the Working Group for Cybersecurity in the Supply Chain at the Chancellery of the Prime Minister.

GRI
  • 103-1
  • 103-2
  • 103-3

Personal data, or compliance at all times

Given the nature of our operations, we have access to personal data of our merchants and customers. With the scale of our operations, we manage a great amount of data. This is why we carefully protect personal data.

We are fully compliant with the GDPR. We closely monitor the decisions and guidelines issued by the Personal Data Protection Office (PDPO) and the EDPB (European Data Protection Board), review them and, where necessary, adjust our actions accordingly. All Allegro employees undergo training in security policy and the GDPR. We also carry out audits to verify compliance with the provisions of the GDPR. The external audit conducted between September and December 2020 did not reveal any significant shortcomings.

GRI
  • 418-1
ESG
  • G-S1

Proceedings against Allegro

In 2021, there were no serious incidents or data breaches. The most serious incident in 2021 reported to the PDPO concerned a registered letter sent between Ceneo.pl and one of its partners, containing an agreement and a power of attorney (PoA) with personal data of Ceneo.pl employees, which was lost in transit. The postal operator was unable to explain where the package was. Under the ENISA guidelines that the Group follows for data protection incidents, we were obliged to report it.

In 2021, in connection with complaints submitted to the President of the Personal Data Protection Office, Allegro was a party to 5 new proceedings. The five proceedings completed in 2021 resulted in reprimands issued by the Office (4 concerning Allegro.pl and 1 concerning eBilet.pl) and one positive decision (Allegro.pl). In 2021, no penalties were imposed on Allegro for violating personal data protection regulations. At every stage of data collection and processing, we make sure to comply with the obligation to inform the customer about the purpose and scope of processing their data and about their right to access and rectify them.

Cybersecurity and data security

Our highest priority is to ensure a high level of security of infrastructure and data by applying a layered approach. The platform is protected by multiple security layers, including protection against distributed denial-of-service attacks, bot detection systems and web application firewalls.

We make every effort to ensure the safety of consumers and to protect systems and consumers’ data that are processed and stored in them. We have also developed policies and procedures to manage data security risks. We use technical security measures that are periodically reviewed by internal auditors, external penetration testers as well as security analysts.


Cybersecurity and data privacy infringements | 2021 | 2020 | 2019
Cybersecurity infringements (the total number of identified leaks, thefts or customer data loss) | 0 | 0 | 0
Data privacy infringements (reported to relevant authorities) | 1 | 1 | 0

The total number of legitimate privacy complaints: | 2021 | 2020 | 2019
Complaints submitted to the regulating authority (PUODO) requiring corrective measures | 5 | 1 | 0

We respond on an ongoing basis to all questions, requests and complaints from external stakeholders regarding personal data, although we do not keep detailed statistics of the various types of notifications.

One of the most important aspects of security is the human factor and building awareness among employees. All our employees receive training in security policy and the GDPR (covering general information as well as internal policies and procedures), which takes place during onboarding sessions and is repeated every year. During the onboarding training, we also conduct security awareness workshops with case studies to help employees recognize phishing campaigns.

We also organize additional training for employees on security threats, social engineering and online privacy. We use every opportunity to educate our employees about security. This year, we celebrated Safer Internet Day, Data Privacy Day and World Password Day, among other events. We also organize a number of contests and competitions, e.g. on Computer Security Day.

Allegro.eu is the owner of strong brands such as Allegro, Ceneo, and eBilet. We constantly strive to make them even more recognizable by both buyers and merchants through public relations and strategic partnerships. We engage in both traditional and online marketing.
