ESG Report

Cybersecurity and data protection

At Allegro, customer satisfaction starts from ensuring safety and confidence that the purchase will be successful. In addition to customer privacy and data protection, cybersecurity management is one of our priorities.

The rules and policies adopted by Allegro related to customer privacy, data protection and cybersecurity include:

  • Security (including cybersecurity) policy
  • Incidents Management Process
  • NDA circulation procedure
  • Rules on storing personal data at Allegro.pl sp. z o.o.
  • Procedure for exercising the rights to Allegro.pl users’ data
  • Procedure for reporting personal data breaches to the Personal Data Protection Office
  • Business Continuity Policy

We commission the Cybersecurity Maturity Assessment (Ocena Dojrzałości Cyberbezpieczeństwa), which is a every two years external audit carried out by an external company. In the most recent review in 2021, Allegro.pl scored higher than the market average and higher than two years ago. We have multiple security solutions in place, all of which are being monitored and improved on an ongoing basis. We also introduced a private and public Bug Bounty programme, which means that we enabled users to alert our IT department about security vulnerabilities detected on our platform.

CERT, an interdisciplinary security team

CERT Allegro (Computer Emergency Response Team Allegro) is an interdisciplinary team formed to elevate security at Allegro and raise security awareness among employees and users. It is made up by members of the following teams: Information Security Team, Computer Security Incident Response Team, Cyber Defense & Offense Team, Anti-fraud Operations Team and Cooperation with Law Enforcement Authorities Team.

CERT has the following goals:

  • monitor and analyse for security at Allegro
  • respond to cybersecurity threats
  • exchange cybersecurity information, knowledge and experience with external CERT teams
  • raise security awareness among employees and users.

As part of its activity, CERT coordinates and handles incidents and other events involving cybersecurity threats to Allegro; actively reacts in the event of immediate cybersecurity threats to users; works with other CERT teams in Poland and worldwide, in particular as part of Trusted Introducer; supports the Crisis Management Team in crisis situations involving cybersecurity, and develops tools to detect, analyse and correlate threats.

Read more on CERT Allegro at.

  • 102-13

We are a member of Trusted Introducer, an initiative of the biggest European organization of cybersecurity threat response teams. We are also active members of various working groups, including the IAB Polska Group for Cybersecurity (chaired by one of our employees) and the Working Group for Cybersecurity in the Supply Chain at the Chancellery of the Prime Minister.

  • 103-1
  • 103-2
  • 103-3

Personal data, or compliance at all times

Given the nature of our operations, we have access to personal data of our merchants and customers. With the scale of our operations, we manage a great amount of data. This is why we carefully protect personal data.

We also carefully protect personal data. We are fully compliant with the GDPR. We carefully monitor the decisions and guidelines issued by the Personal Data Protection Office (PDPO) and the EDPB (European Data Protection Board), which we review and, if necessary, adjust our actions. All Allegro employees undergo training in security policy and the GDPR. We also carry out audits to verify compliance with the provisions of the GDPR. The external audit conducted between September and December 2020 did not reveal any significant shortcomings.

  • 418-1
  • G-S1

Proceeding against Allegro

In 2021, there were no serious incidents or data breaches. The most serious incident in 2021 which was reported to the PDPO regarded a lost registered letter between Ceneo.pl and one of the partners containing the agreement and PoA containing personal data of Ceneo.pl employees. The postal operator was unable to explain where the package was. In light of ENISA guidelines followed by the Group in case of Data Protection Incidents, we were obliged to report it.

In 2021, in connection with complaints submitted to the President of the Personal Data Protection Office, Allegro was a party to 5 new proceedings. The five proceedings completed in 2021 resulted in a reprimand issued by the Office (4 concerning Allegro.pl and 1 concerning eBilet.pl) and one positive decision (Allegro.pl). In 2021, no penalties were imposed on Allegro for violating personal data protection regulations. At every stage of data collection and processing, we make sure to comply with the obligation to inform the customer about the purpose and scope of processing their data and the right to access and rectify them.

Cybersecurity and data security

Our highest priority is to ensure a high-level security of infrastructure and data by applying a layered approach. The platform is protected by multiple security layers, including protection against distributed denial-of-service attacks, bot detection systems and web application firewalls.

We make every effort to ensure the safety of consumers and to protect systems and consumers’ data that are processed and stored in them. We have also developed policies and procedures to manage data security risks. We use technical security measures that are periodically reviewed by internal auditors, external penetration testers as well as security analysts.


Cybersecurity and data privacy infringements




Cybersecurity infringements (the total number of identified leaks, thefts or customer data loss)




Data privacy infringements (reported to relevant authorities) 




The total number of legitimate privacy complaints: 




Complaints submitted to the regulating authority (PUODO) requiring corrective measures 




We respond on an ongoing basis to all questions, requests and complaints from external stakeholders regarding personal data, although we do not keep detailed statistics of the various types of notifications.

One of the most important aspects of security is the human factor and building awareness among employees. All our employees receive training in security policy and the GDPR (including general information, as well as internal policies and procedures), which take place during onboarding sessions and are repeated every year. During the onboarding training, we also conduct security awareness workshops with case studies to help recognize phishing campaigns.

We also organize additional training for employees on security threats, social engineering and online privacy. We use every opportunity to educate our employees about security. This year, we celebrated Safer Internet Day, Data Privacy Day and World Password Day, among other events. We also organize a number of contests and competitions, e.g. on the Computer Security Day.

Allegro.eu is the owner of strong brands such as Allegro, Ceneo, and eBilet. We constantly strive to make them even more recognizable by both buyers and merchants through public relations and strategic partnerships. We engage in both traditional and online marketing.

Search results