Privacy Policy

 

Information on Processing of Personal Data by UniCredit Bank d.d.

 

The information below aims to give you an overview of how we process your personal data and to inform you about your rights related to the processing of personal data, all in accordance with the current regulations. The processing of personal data largely depends on which of the Bank’s services you have agreed to and used. This information refers to clients, potential clients and other private individuals whose personal data the Bank gathers on any legal basis (e.g. guarantors, joint and several debtors, lien debtors, proxy holders, custodians, heirs, representatives of minors).

 

I DATA CONTROLLER

UniCredit Bank d.d., with the head office at the address Kardinala Stepinca b.b., 88000 Mostar, Bosnia and Herzegovina,  Tel: + 387 (0) 36 312 112, e-mail: info@unicreditgroup.ba (hereinafter: Bank).

 

II PERSONAL DATA

Personal data is any information that relates to a private individual, based on which their identity has been or can be established (hereinafter: Data Subject).

Personal data is any data:

(a) the Data Subject communicates to the Bank verbally or in writing, as follows:

(i) in any communication with the Bank, irrespective of its purpose, which includes, without limitation, telephone communication, communication through Bank’s digital channels, at Bank’s branches and at Bank’s website;

(ii) agreeing new products and services of the Bank; 

(iii) in applications and forms for agreeing Bank’s products and services; 

(b) which the Bank finds out based on providing the Data Subject banking and financial services and services related to them, as well as the services of agreeing products and services of Bank’s contracting partners, which includes, without limitation, data on transactions, personal spending and interests, as well as other financial data stemming from the use of any product of the Bank or its contracting partners, as well as all personal data the Bank finds out by providing banking and financial services within previous business relations with a client;

(c) that originates from processing of any previously specified personal data by the Bank, and has the character of personal data (hereinafter, jointly: Personal Data).

 

III HOW THE BANK GATHERS PERSONAL DATA

The Bank gathers personal data directly from the Data Subject. The Bank is required to check whether the Personal Data is authentic and accurate. 

The Bank is required to: 

a) process Personal Data in a lawful and legal manner; 

b) not process Personal Data gathered for a special, explicit and legal purpose in any manner that is not in line with that purpose; 

c) process Personal Data only to the extent and in the scope necessary for fulfilling a certain purpose; 

d) process only authentic and accurate Personal Data, and update it when needed; 

e) erase or correct the Personal Data that is inaccurate and incomplete, given the purpose of its gathering or further processing; 

f) process the Personal Data only in the time period that is necessary for fulfilling the purpose of data gathering and for a period of time defined by law; 

g) keep the Personal Data in a form that allows identification of the Data Subject for no longer than is needed for the purpose of gathering or further processing of the data; 

h) ensure that the Personal Data gathered for different purposes is not consolidated or combined.

 

IV LAWFULNESS OF PROCESSING OF PERSONAL DATA / LEGAL BASIS AND PURPOSE OF PROCESSING OF PERSONAL DATA

To be able to provide services to the Data Subject, the Bank processes Personal Data in accordance with the Personal Data Protection Law, the Law on Banks of the FBIH, the Law on Banks RS, the Law on the Prevention of Money Laundering and Financing of Terrorism of BiH, other laws applicable to the Bank, and internal acts related to personal data protection.

Personal Data is processed when one of the following conditions of processing legality is met:

a) Meeting the legal obligations of the Bank or other purposes determined by law or other applicable regulations from the area of banking, payment transactions, anti-money-laundering, etc., as well as acting in line with individual rules adopted by relevant institutions of Bosnia and Herzegovina or other bodies whose orders, based on legal or other regulations, the Bank must observe. Processing of such Personal Data is a legal obligation of the Bank and the Bank can reject entry into a contractual relationship or provision of an agreed service, i.e. terminate the existing business relationship, in case the Data Subject fails to submit data prescribed by law.

b) Executing and implementing an agreement to which the Data Subject is a party, i.e. in order to take actions at the Data Subject’s request before executing the agreement. Provision of Personal Data for the mentioned purpose is mandatory. If the Data Subject refuses to provide some of the data necessary for executing and implementing the agreement to which the Data Subject is a party, including Personal Data gathered for the purpose of risk management in a manner and within the scope prescribed by the relevant laws and by-laws, it is possible that the Bank will not be able to provide certain services and, due to that, it can refuse to enter into a contractual relationship.

c) Data Subject’s Consent

- For the purpose of conducting marketing activities within which the Bank can send you offers and facilities related to new or already agreed products and services of the Bank, and for the purpose of direct marketing for development of the business relationship with the Bank, within which the Bank can send you tailored offers for executing new agreements on use of banking and financial services and related services of the Bank and Group members based on the created profile.

- For the purpose of occasional research in relation to conducting its business activities.

- The Data Subject can, at any time, withdraw previously given consents and has the right to object to the processing of Personal Data for the purpose of marketing  and market research except where legal regulations define that the consent  is mandatory for every contractual relationship with the Bank. In that case, Personal Data related to them shall not be processed for that purpose, which does not affect the lawfulness of processing of Personal Data until that moment. Provision of data for the mentioned purposes (marketing  and market research) is voluntary and the Bank will not reject execution or implementation of the agreement if the Data Subject refuses to give consent for provision of Personal Data.

Withdrawal of the consent shall not affect the legality of the processing that was based on the consent in force before its withdrawal.

d) Legitimate interest of the Bank, including, without limitation:

- management of credit, operational, reputation and other risk of the Bank and at Group level;

- the purpose of direct marketing, market research and analysis of Data Subjects’ opinions, to the extent they have not objected to data processing for that purpose;

- taking measures for managing Bank’s operations and further development of products and services;

- taking measures for securing people, premises and property of the Bank, which includes control and/or checking of access to them;

- processing of Personal Data for internal administrative purposes and protection of computer and electronic communication systems.

When processing Personal Data of the Data Subject based on a legitimate interest, the Bank always pays attention to the Data Subject’s interest and basic rights and freedoms, with a special focus on ensuring that their interests are not stronger than Bank’s, which is the basis for processing Personal Data, especially if the Data Subject is a child. In case of processing of personal data based on legitimate interest, the Data Subject has the right to submit a complaint to the Bank.

The Bank can process Personal Data also in other cases if it is necessary to protect legal rights and interests exercised by the Bank or a third party, and if that processing of Personal Data is not in contravention of the Data Subject's right to protect their private and personal life.

 

V FOR HOW LONG DOES THE BANK KEEP PERSONAL DATA?

The period of keeping Personal Data primarily depends on the category of Personal Data and the purpose of processing. In line with that, your Personal Data shall be stored during the period of contractual relationship with the Bank i.e. so long as there is Data Subject's consent for processing of Personal Data and for the period the Bank is authorized (e.g. for the purpose of exercising legal requirements) and legally bound to keep that data (Law on Banks, Law on Anti Money-laundering and Counter Terrorist Financing, for archive purposes) 10 years from the termination of the business relationship with the Bank.

 

VI ARE PERSONAL DATA CEDED TO THIRD PARTIES?

The Personal Data of Data Subjects can be ceded to third parties based on:

a) Data Subject’s consent; and/or

b) implementation of agreement to which Data Subject is a party; and/or

c) provisions of laws and by-laws.

Personal Data will be provided to certain third parties to which the Bank is required to provide such data, for the purpose of fulfilling a task carried out in the public interest, such as: Banking Agency of the FBIH, Ministry of Finance – Tax Administration Office and others, as well as other parties to which the Bank is authorized or obligated to provide Personal Data based on the Law on Banks and other relevant regulations that regulate banking services.

Additionally, the Bank is required to act in line with the obligation of keeping the banking secret, including Personal Data of Bank’s clients, and it can transfer and disclose such data to third parties i.e. recipients only in the manner and under the conditions prescribed by the Law on Banks and other regulations from this area.

We emphasize that all the persons who, due to the nature of their job performed with the Bank or for the Bank, have access to the Personal Data are equally obliged to keep that data as banking secret consistent with the Law on Banks, Personal Data Protection Law and other regulations that regulate data secrecy.

In addition to the aforementioned, your Personal Data can also be accessible to service providers who have a business relationship with the Bank (e.g. providers of IT services, providers of card transaction processing services, etc.) for the purpose of ensuring adequate operations of the Bank, i.e. provision of banking services, who are also required to act in accordance with the applicable regulations from the area of personal data protection.

Details related to the purpose of processing of Personal Data, to recipients or recipient categories, legal basis for processing of Personal Data and giving Personal Data for use to other recipients are described in more detail in Bank’s relevant documents, which are available to Bank’s clients when they agree products and services. The list of data processors is regularly updated and available for insight to Data Subjects at the Bank’s website, in the subsection “Data Protection”, as well as the content of the informative notice.

 

VII TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATION

Any transfer of personal data which is being processed or is intended for further processing after its transfer to another country or international organization may only be carried out if such transfer is in accordance with the provisions of the Law on personal data protection in BiH, which includes the further transfer of personal data from another country or international organization to another country or international organization.

Data Subject’s Personal Data can be taken out of Bosnia and Herzegovina (hereinafter: Third Countries) only:

- to the extent prescribed by law or other binding legal basis; and/or

- to the extent necessary to execute Data Subject’s orders (e.g. payment orders); and/or

- if Data Subject has given an adequate consent for taking out Personal Data to third countries.

Transfers to third countries can, inter alia, include transfer to other members of UniCredit Group (UniCredit S.p.A., Italy, as the parent company of UniCredit Group, Zagrebačka Banka d.d. – Republic of Croatia, UniCredit Invest BH d.o.o.) for the purpose of risk management or realization of a business/contractual relationship with a client.

The transfer of personal data to another country, to a part of its territory, or to one or more sectors within that country or to an international organization may be carried out if it has been established that the other country, part of its territory, or one or more sectors within that country or that international organization ensures an adequate level of protection of personal data.

An adequate level of protection shall be deemed to be ensured in a country, parts of its territory, or one or more sectors within that country or international organization, for which the European Union has determined that an adequate level of protection of personal data exists.

A data controller or processor may transfer personal data to another country, part of its territory, one or more sectors within that country or to an international organization for which an adequate level of protection of personal data has not been determined only if the data controller or processor has ensured appropriate safeguards for such data and if the data subject has been assured of enforceable rights and effective judicial protection. 

 

VIII DOES THE BANK CONDUCT AUTOMATED DECISION-MAKING AND PROFILING?

In relation to the business relationship with the Data Subject, the Bank does not conduct automated individual decision-making that would produce legal effects with negative consequences for the Data Subject. In some cases, the Bank applies automated decision-making, including creation of a profile for the purpose of assessing realization of the agreement between the Data Subject and the Bank; for example, when approving an authorized current account overdraft, and in accordance with the Law on Anti Money-laundering and Counter Terrorist Financing, when producing the model of money-laundering risk analysis. In case of automated decision-making, the Data Subject has the right to be exempt from a decision that is based exclusively on automated processing, i.e. they have the right to require human intervention from the Bank in order to express their standpoint and contest the decision.

 

IX HOW DOES THE BANK PROTECT THE DATA?

As part of the internal security system and with a view to ensuring security of your Personal Data, in line with the relevant regulations and defined obligations, the Bank applies and undertakes adequate organizational and technical measures i.e. measures against unauthorized access to Personal Data, alteration, destruction or loss of data, unauthorized transfer and other forms of illegal processing and misuse of the Personal Data.

 

X WHAT ARE THE DATA SUBJECT’S RIGHTS?

Every data subject whose personal data is processed by the Bank, as the Controller, has the right to request the exercise of the following rights:

1) Right to access data  – this right allows the data subject to find out whether his/her personal data are being processed or not, i.e., the data subject has the right to obtain the Bank’s confirmation as to whether or not the data that concern him/her are being processed and, where that is the case, information regarding the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients of such data, the envisaged period for which the data will be stored, and similar.

2) The right to rectification of data  – this right allows the data subject to request that any inaccurate or incomplete personal data concerning him/her be rectified.

3) Right to erasure  – this right allows the data subject to request that his/her personal data be erased, in which case the Bank will not be able to honour such request if the processing of the personal data of the relevant data subject is necessary (e.g., to comply with the prescribed data retention obligation, or to establish, exercise or defend legal claims).

4) Right to restriction of processing  – this right allows the data subject to request that the processing of his/her personal data be restricted in cases where he/she contests the accuracy of personal data, considers the processing to be unlawful, opposes the erasure of personal data and requests that the use of such data be restricted instead, and in cases where the data subject has objected to the processing and is waiting for the confirmation as to whether or not the legitimate interests of the Controller override his/her interests as the data subject.

5) Right to data portability  – this right allows the data subject to receive the data that concern him/her (and to directly transmit those data to another controller). It should be noted that the right to data portability applies exclusively to the personal data of the data subject which he/she has provided to the Bank in a structured, commonly used and machine-readable format, if the processing of data (whether personal data or special categories of personal data) is based on consent, or is carried out for performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, provided that the right in question does not adversely affect the rights and freedoms of others.

6) Right to object – this right allows the data subject to object to the processing of personal data if the processing is carried out in the public interest, or if the processing is necessary for the purposes of pursuing a legal and legitimate interest of the Bank (which override the interests, rights and freedoms of the data subject), or the processing is necessary for the establishment, exercise or defence of legal claims.

The right to lodge a complaint with the supervisory authority – Personal Data Protection Agency.

 

XI HOW TO EXERCISE YOUR RIGHTS?

Data Subjects have at their disposal Bank staff at all the Bank branches as well as the Personal Data Protection Officer, who can be contacted in writing at the address: UniCredit Bank d.d., Personal Data Protection Officer, Kardinala Stepinca b.b., 88000 Mostar or via e-mail address: dpo@unicreditgroup.ba

The only precondition for exercising your rights is to prove your identity unquestionably. The Bank will inform you of the actions taken without undue delay, and no later than within one month of receiving your request. Exceptionally, this time limit may, if necessary, be extended by an additional period of two months, taking into account the complexity and number of requests, of which the Bank is obligated to inform you.

Besides, every Data Subject, as well as the person whose Personal Data is processed by the Bank, is authorized to file an objection to processing of their Personal Data by the Bank as controller with the Personal Data Protection Agency in Bosnia and Herzegovina.
