Data Protection Legacy
UniCredit International Bank (Luxembourg) S.A., hereafter the “Bank”.
A. Data protection, personal data
The Bank collects, processes, potentially transfers and stores Personal Data (as defined below) in relation to i) Customers and prospects (including the client him/her/itself, related parties such as power of attorney holders, directors, ultimate beneficial owners, investors, officials, representatives, agents etc.); ii) Contractors and Sub-contractors (including related parties and the contractors and subcontractors themselves) and iii) Related Parties to the Bank (including employees, shareholders, investors, trainees and other relevant persons). When such data refers to individuals under the scope of the General Data Protection Regulation (GDPR) (“Data Subject(s)”), such processing is subject to the conditions and safeguards below.
When processing such data, the Bank acts as Data Controller*; therefore, the Bank is to be contacted regarding the protection of the rights of the Data Subject. Depending on the category of Data Subject that you are, we have prepared a specific Information Notice for you to better understand the type of data, the conditions and lawfulness of the processing, transfer and other aspects relevant to transparency and fairness.
In order to receive a copy of the applicable form or the relevant Data Protection Notice applicable to your case, please send an email to dpo@unicredit.lu including the relevant information to identify you as a Data Subject and the specific form or notice that you wish to receive as per your role.
Why we process your data
In general, the Bank processes Personal Data for a variety of reasons, such as: i) legal obligations which are applicable to the Bank (E.g. MiFID, AnaCredit, Professional Obligations, Risk Management, etc.); ii) the fulfilment or negotiation of contracts (E.g. provision of banking services, contracting with providers); iii) carrying out an activity in the public interest (E.g. certain reports to authorities); iv) the legitimate interest of the Bank or a third party (E.g. when deemed necessary after a previous evaluation of the impact on the rights of the Data Subject); and v) when you have provided your consent for a particular activity.
Categories of Personal Data
As part of our role as Data Controller, we collect different categories of data according to the type of relationship that we have with the Data Subject. In certain cases (as for Customers) we collect significant amounts of data, while in other cases the data collected will be very limited. We differentiate the data sets collected based on the principle of data minimisation, and we manage the data using security systems and organisational measures to ensure and protect the privacy of the Data Subjects, with reference to the “need to know” principle.
Further to the Information Notice applicable to our relationship with you, we mention below some of the categories of data that may apply:
i. Identification and contextual data (E.g. Full name, contact details, your age, your nationality and information to identify you and protect your identity from identity theft)
ii. Financial data (E.g. information related to our relationship, other financial relationships and important elements according to the products or services delivered to you)
iii. Professional information (E.g. when contracting with you, we collect credentials of your knowledge and other important information regarding your professional background)
iv. Information regarding other activities (E.g. sometimes we are requested to collect further information such as your residency, your marital status, the services that we provide to you, or we need to record information when dealing with your specific requests).
All these different categories of data can be considered, in certain contexts, as part of Personal Data**; therefore, it is very important to us that you understand what, how and why we collect and process them.
Purposes of the processing of Personal Data
We are committed to transparency; therefore, we want to share with you the different purposes for which we process your Personal Data:
i. providing the services requested by you and carrying out the tasks in relation to these services (E.g. performing transactions, payments, providing loans, for accountancy and reporting reasons, etc.)
ii. preventing misuse and fraud, demonstrating business transactions and communications; managing transactions surveillance and monitoring and complying with reporting obligations;
iii. conducting a risk assessment as prescribed by applicable legal provisions by collecting and archiving required documentary evidence regarding the identity and business activity; conducting a risk management control and global supervision of risk exposure on a real-time basis;
iv. securing communication channels; enabling the Client to make use of a state-of-the-art IT system for its banking operations;
v. performing analysis and establishing statistics and tests with respect to Personal Data;
vi. managing risks, disputes, collections, debt recovery, complaints and litigations;
vii. complying with legal obligations, specific rights of the Bank and market practices
(together the “Purposes”).
Recipients of Personal Data
The Personal Data is or may be transmitted to the following recipients (the “Recipients”) by the Bank and its directors, officers, employees and agents (the “Authorized Persons”) to the extent that the Bank and the Authorized Persons deem such disclosure or transmission to be necessary or desirable for satisfying the Purposes:
i. the UniCredit Group: all companies of the UniCredit Group have agreed to the Binding Corporate Rules.
ii. The Client may also obtain a copy of the Binding Corporate Rules or, should the Binding Corporate Rules not apply to a specific situation, any other document demonstrating the existence of appropriate safeguards, by contacting the Bank (please refer to the email address dpo@unicredit.lu or, otherwise, to the email address that might be specified from time to time by the Bank to the Client);
iii. the Bank’s lawyers, notaries, bailiffs, external auditors and advisors; third-party service providers that provide IT or other services to the Bank. For a list of the categories of such providers, please feel free to contact your Data Protection Officer at dpo@unicredit.lu.
iv. public, governmental, administrative or judicial entities in Luxembourg (such as the Administration des contributions directes, the Commission de Surveillance du Secteur Financier, the Commission Nationale Pour la Protection des Données) or abroad (such as the European Central Bank).
v. This list may be updated from time to time and the Client will be duly informed.
For a detailed and specified list for your personal case and all recipients please refer to the Data Protection Officer as specified below.
Transmission by the Customer/Related Party/Contractor/Sub-contractor (“Relevant Party”) of Personal Data related to other Data Subjects
Clients engaging in business with the Bank will be asked to confirm and warrant to the Bank that:
i. any Data Subject related to the Relevant Party has been informed of the processing of Personal Data carried out by the Bank and of the transfer of that Personal Data to the Recipients as described in this notice or in accordance with the specific relationship with you;
ii. when it is necessary, the Relevant Party has received the Data Subjects’ prior written consent in this regard;
iii. the Relevant Party will inform and request as far as necessary the prior written consent of any new Data Subject regarding the processing and transfer of their Personal Data by the Bank.
The Relevant Party will be asked to unconditionally and irrevocably agree to indemnify and hold harmless the Bank from and against any and all liabilities resulting from, and/or arising in connection with any claim against the Bank for non-compliance for any reason with the aforementioned obligation to inform and obtain the consent of any of the Data Subjects related to the Relevant Party.
Rights of Data Subjects
Subject to the conditions of the GDPR and further European decisions, opinions of relevant working groups or boards, and local rules and regulations in Luxembourg, Data Subjects have: (i) a right to access their Personal Data and may ask for a rectification thereof in cases where such Personal Data are inaccurate and incomplete, (ii) the right to request from the Bank erasure of their Personal Data or restriction of processing of the Personal Data or to object to the processing of the Personal Data by the Bank, in particular for marketing purposes, (iii) the right to request the portability of their Personal Data, (iv) the right to object to a particular processing, and to object to automated decision-making and profiling.
Requests
In any case, we wish to let you know that all those rights are subject to specific restrictions and that in certain cases we will not be able to complete your different requests.
We will do our best to answer any request within one month. Nonetheless, in certain cases (depending on the complexity of your request and the number of requests) we may inform you of an extension of that period (for a maximum of 2 extra months).
For any request regarding your rights, please feel free to contact us by sending an email to the address dpo@unicredit.lu; you may receive a form in order to better address your query.
Inform us about any potential Data Breach or concern
Should you consider that your data is wrongly processed, have a data protection related complaint, or wish to bring to our attention a potential data breach, please send us an email to the address dpo@unicredit.lu (you may receive a form to better understand the conditions of the issue and to rapidly address the data required to react to your request).
Retention period
All Personal Data related to the Client shall not be retained for longer than the time required for satisfying the Purposes, subject to the legal periods of limitation and to the situations where the applicable laws require that the Personal Data be retained for a certain period of time after the termination of the relationship.
Consequently, some information will be retained for periods of 6 months (E.g. unsuccessful applications), some for 5 years (E.g. due diligence data and documents in accordance with legal retention periods and their potential extensions) and some for up to 10 years (E.g. information related to instructions, fulfilment of contracts, and other accountancy related matters).
Additional information
If, after having contacted us, you still feel that your request was not appropriately handled, feel free to contact the National Commission for Data Protection (CNPD).
Contact
The National Commission for Data Protection “Commission nationale pour la protection des données” (CNPD) 1, avenue du Rock’n’Roll L-4361 Esch-sur-Alzette Tel.: (+352) 26 10 60-1
Or by visiting their website https://cnpd.public.lu/en.html
*Data Controller: Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.
**Personal data: Any information related to an identified or identifiable natural person (‘Data Subject’) which directly or indirectly identifies such individual or makes the individual identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.