Dear Customer

Further to the implementation of the European General Data Protection Regulation, we wish to provide you with some useful information regarding the measures that UniCredit International Bank (Luxembourg) S.A. (hereafter “UCI” or “We” or “Us”) is taking to make sure that your data is handled responsibly, transparently and securely.
In our relationship, a number of data points are collected including personal information, which allows your identification and the collection of factors which will secure your transactions and prevent fraud or identity theft.

In most of the cases, we process your data to comply with legal and regulatory obligations which are imposed to us (e.g. anti-money laundering and terrorist financing requirements, due diligence rules, MiFID obligations, FATCA, CRS and other rules which aim to protect you and the market).
In other cases, we will process your data in order to comply with our engagement of services and to provide you with the agreed conditions of our products and services.
Exceptionally, we collect personal data in reference to the public or legitimate interest following the specific rules defined by the European Data Protection Authorities and Local regulators (e.g. information linked to the obligations derived from the law from 12 of December 2004 as amended).

Whenever we process your data under legitimate interest (E.g. for internal group reporting) we comply with relevant local regulation (such as the Art 41 of the Law of the Financial Services) and we perform a prior relevant analysis of the impact on you, to ensure that appropriate balance exist as well as we minimise the data and the type of processing to ensure protection to your rights.
Finally, in some specific cases we will require your consent to further process the data collected or to collect new data. Should this be the case, please be aware that you can withdraw a delivered consent using the same channels that were used to provide such consent.

We collect data from you and from different providers in order to facilitate the compliance with applicable rules and regulations and to ensure that our services comply with the highest Group standards.
The data collected will be retained in accordance with applicable laws and regulations (e.g. 5 years upon the lifecycle of a relationship for due diligence data, 10 years for financial information linked to a transaction, etc.), for any further detail regarding a particular data set not described here in, please contact us via the channel noted below.
The collected data is transferred exclusively to Group entities for reporting and provision of services upon your request, to authorities when UniCredit is legally required to share specific information, to a set of trusted contractors (e.g. Postal services, other Financial Institutions or professional of the financial sector and trusted advisors, clearing houses, market counterparties, payment recipients, upstream holding agents, other financial institutions).

Should you wish to receive a detailed list of the entities, please refer to our Data Protection Officer with such request.
We transfer your data to the following categories of third parties: Licensed institutions in the EEA (E.g. Service providers for payments, Audit Firms, Group companies to facilitate meetings and to allow you to perform your contractual duties in time), to relevant authorities when applicable (E.g. CSSF, European Authorities, other foreign authorities when applicable, etc.).
We assess our own methods to secure your information and the methods applied by any entity received your data in the cases described in this notice in order to ensure that best efforts and security standards are in place to protect your privacy.

As UniCredit International is a data controller, and therefore process your Personal Data , if you wish to exercise your data protection rights, please send us a written request either by e-mail dpo@unicredit.lu or to our DPO by post to our address 8 – 10 Rue Jean Monnet L- 2180 Luxembourg- Luxembourg.
You can contact our Data Protection Officer (dpo@unicredit.lu) or your Relationship Manager to obtain a more detailed form which may make ease to inform about a breach or to request our action in regards to your rights.
In order to identify you and to verify your identity, we take some security measures which may include requesting copies of Identity Cards or otherwise collecting data and documents to avoid data theft and fraudulent misuse of your data.

The document provided for the purpose of the Request will not be used otherwise and copies will be destroyed upon final answer (unless otherwise instructed by you clearly, required for legal or administrative proceedings or in order to fulfill legal obligations).
You can always contact us if you consider that the data provided or recorded is not accurate or to correct any information that somehow has become obsolete or even in cases in which you feel that your data rights need special attention, if after doing so you feel that your rights have not been protected or materialised, you can always contact the National Commission for Data Protection at

Commission nationale pour la protection des données
15, Boulevard du Jazz , L-4370 Belvaux
Tél. : (+352) 26 10 60 -1

Or file a complaint using the links available on their internet site https://cnpd.public.lu/en/support/contact/contact-prive.html

Best regards,
Your data protection office

Should you have any further questions or wish to contact our data protection officer, please refer to the email dpo@unicredit.lu or fill out our contact form for following topics: Data Subject Request or Data Protection and Information Security escalation form