Canons of Best Financial Market Practice

We have adopted the Canons of Best Financial Market Practice, a set of 16 general and universal principles, based on fundamental ethical values and ideals guiding financial companies. The Canons were defined as a result of collaboration between 30 associations of financial companies, organisations and institutions representing consumer interests, and other market participants, as well as academics. The application of the Canons is recommended by the Polish Financial Supervision Authority, i.e. the main financial market regulation in Poland.
We share our best debt collection practices with the market. Our experts co-authored an amendment to the Code of Ethics of the Association of Financial Companies in Poland (ZPF) that has helped raise consumer protection standards.



Zero tolerance for workplace bullying or discrimination

[GRI 103-1, 103-2, 103-3 Aspect: non-discrimination]

We have implemented a zero-tolerance policy for discrimination and workplace bullying across the KRUK Group. No cases of discrimination were reported in 2021. All employees are required to participate in special anti-bullying training. Everyone at the KRUK Group is also familiar with the workplace bullying or discrimination whistleblowing procedure, as detailed in the Internal Mediation Policy. We use a special Report Misconduct form available at to make sure that all whistleblowing reports remain anonymous and confidential.

The form provides a direct channel of communication with a Supervisory Board member, a Management Board member or the Security and Operational Risk Management Department for reporting actual or suspected cases of misconduct. Any person who reports in good faith is afforded the whistleblower status and is protected against any retaliation, discrimination or violation of the principle of equal treatment. Every report triggers an inquiry that must be undertaken within the next five business days. The KRUK Group has also implemented a system for anonymously reporting any violations of law directly to the Management Boards of individual Group companies or, in the case of violations allegedly committed by Management Board members, to their respective Supervisory Boards.

Our priority is to build an ethical and stable environment for our employees, customers, shareholders, business partners and other stakeholders and to act in accordance with legal, social and ethical standards.

In 2022, the KRUK Group approved a Code of Ethics, which was adopted by resolution of the Management Board and came into force in January 2023. The Code sets out the principles and standards of responsible action, conduct and decision-making applicable at all Group companies. The document also provides clarification and guidance on issues that may give rise to ethical dilemmas. Making a good decision can be a complex process, so with this in mind, we have defined a framework of action relating to situations requiring corporate guidance.



[GRI 103-1, 103-2, 103-3 Aspect: Anti-corruption and public policy] [GRI 205-3]

The KRUK Group has implemented the Misconduct Prevention Policy and the Anti-Corruption Manual. The purpose of the Policy is to prevent misconduct, including corruption and misuse of entrusted power for private gain. The Manual sets out the rules to be followed in the event of actual or suspected corruption incident, as well the procedure for reporting and investigating corruption. In 2021, the KRUK Group reported no confirmed corruption incidents.


The Company has a compliance system in place and there is a dedicated unit, Compliance Area, responsible for compliance risk management. The adopted procedures and solutions ensure compliance of our operations with applicable internal and external regulations and support compliance risk management. The compliance process is an integral part of the business environment that provides employees and management with guidelines that help install a culture of compliance into day-to-day operations by: raising awareness of compliance-related risks; conducting and monitoring compliance training; defining and enforcing adherence to standards of conduct; developing and improving compliance-related communication framework.

Izabela Wojtera Head of Compliance Area



The impact of the area of personal data protection on the sustainability of the company:

In the financial industry, the protection of personal data is one of the key elements necessary for a stable and responsible business. Through our activities in the area of data protection, we ensure that our customer relationships are based on respect for privacy principles, that we increase confidence in the debt market and contribute to greater public awareness of this area.

At the same time, we understand that it is our duty to look after the interests not only of the KRUK Group, but also of the individuals whose data we process.


At the KRUK Group, we have implemented the GDPR Strategy, which is part of the ESG Strategy 2023-2027. The GDPR Strategy defines five objectives for 2023-2027:

  1. Strengthening the principle of privacy by design and privacy by default, in particular for projects related to new technologies and digitalisation, so that privacy is firmly embedded in the processes and systems operating in our organisation
  2. Engaging in dialogue with industry organisations and authorities in order to shape and promote high standards in the field of GDPR compliance and the rights and freedoms of data subjects.
  3. Fostering of culture of Data Privacy and Data Protection at the KRUK Group by implementing training and other privacy awareness activities.
  4. Effective execution of the Data Privacy Programme, implemented, inter alia, through consistent regulation in policies and instructions of individual areas of risk management of personal data processing, both at the group and local level
  5. Continuous improvement of the risk-based approach adopted at the KRUK Group, in particular with regard to managing the risk of non-compliance with GDPR  as well as managing the risk of violation of the rights and freedoms of persons whose data we process.


As part of the five objectives of the GDPR strategy for 2023-2027, we have developed indicators for their revision, which will ensure that its implementation is measurable.

At the KRUK Group, we have also implemented a Privacy Protection Programme, which includes policies, instructions, contract templates and other internal regulations, most importantly the Personal Data Management Policy, which aims to ensure the effective protection of the rights or freedoms of individuals by formalising rules and procedures, concerning the processing of personal data and providing guarantees for the implementation of appropriate technical and organisational measures. 


In addition, as far as the protection of personal data is concerned, we have implemented regulations concerning, among other things:

  • risk management of personal data processing;
  • entrustment of personal data processing and relations with processors,
  • personal data processing incidents, including IT incidents;
  • handling personal data breaches;
  • methodology for conducting GDPR audits;
  • fulfilling information obligations

And many others regulating in detail the principles of personal data processing in particular areas of the KRUK Group's operations


In implementing the GDPR Strategy, and applying the implemented risk management system, we are driven by legal obligations, regulatory guidelines and ethical principles, as well as taking into account the scale and complexity of our operations. In doing so, we aim to protect the personal data of our clients and other persons whose data we process from the negative consequences of a breach of their data security, and protect the KRUK Group from losses and operational downtime, reduce reputational risks and the risk of financial penalties. The right to privacy, is one of the basic fundamental human rights, so it is our priority that respect for it is firmly embedded in the DNA of our organisation.

We believe that our actions in this regard make a measurable contribution to increasing the trust of ours clients, business partners, employees and shareholders and to creating sustainable products and services in the debt management sector.


The KRUK Group’s ESG strategy assumes continued development of a multi-layer cybersecurity defence model in the context of global and local solutions. The Group prioritises IT security as an area of fundamental importance to clients, employees and business partners.

The information security management model, including cybersecurity management, is addressed in the Information Security Policy, which aims to ensure information confidentiality, integrity and availability. The primary objective of the Policy is to establish a formal basis for taking all steps designed to provide a high level of information security, thus ensuring an appropriate priority and effectiveness of such steps. The Group also has a Risk Monitoring Committee.

The KRUK Group continually takes steps to raise the employees’ awareness of cybersecurity issues. New hires are required to complete mandatory training courses on information security, including cybersecurity. Controlled phishing attacks were carried out regularly during the year to test in practice whether the employees use the knowledge they acquired through training. In line with the strategic assumptions, by 2026 90% of employees will undergo additional training and online courses on cybersecurity, and an 80% engagement in the existing awareness programme will be maintained.

Back to top