Personal data protection
CD PROJEKT makes every effort to protect personal data against potential threats. This is done, in particular, through appropriate technical and organizational safeguards, which include procedures and technologies dedicated to the protection of personal data.
Our personal data protection activities are rooted in:
- The CD PROJEKT Group Personal Data Protection Policy, which includes a procedure for responding to personal data protection breaches – an internal document specifying the organizational framework for protecting personal data at the CD PROJEKT Group, and
- The CD PROJEKT RED Privacy Policy – a public document which specifies conditions for processing personal data in the scope of most of the services we provide to consumers.
CD PROJEKT personal data protection principles:
- pursuant to existing regulations, we process personal data only to the extent necessary, as justified by clearly communicated goals,
- we always inform parties to whom the data pertains of how, why, and on what basis their personal data is being processed, as well as of their rights in this regard,
- when selecting subcontractors who are to obtain access to personal data, we make sure that they care for the security of any data entrusted to them,
- we carry out on-the-fly monitoring of personal data processing security, and react to notifications of possible irregularities; when required, we report such irregularities to the appropriate public bodies or notify parties who may be affected by them.
Cybersecurity
At the CD PROJEKT Group we take action to protect information, IT systems and infrastructures, and to mitigate cybersecurity risks. The Cybersecurity Policy in force at the Group specifies rules for maintaining information security and provides a framework for cybersecurity management.
In the scope of cybersecurity:
- we identify, investigate and monitor cybersecurity risks, among other means by carrying out periodic risk reviews and monitoring risk factors. This helps us identify potential threats and assess their potential impact on the organization,
- we monitor the security of the IT infrastructure and systems and develop capabilities for detecting, analyzing and responding to cybersecurity threats,
- we identify and mitigate vulnerabilities in our systems, among other means through vulnerability monitoring and periodic security tests of our systems and services,
- we report, investigate and respond to information security incidents,
- we maintain readiness to respond to crises which may affect the activities of our organization,
- we carry out screening of external partners with regard to cybersecurity and information security practices. Depending on the specific scope of collaboration, this process may also entail additional requirements and security assessment mechanisms. Third-party security requirements, which take into account the level of data confidentiality, are published on the Company’s website.
Cybersecurity also involves raising awareness among the workforce. This is why we organize annual mandatory cybersecurity training courses, which help develop the required knowledge and foster best practices related to information security.