UniCredit Logo
Back to top

Information on Processing of Personal Data by UniCredit Bank d.d.

 

The information below aims at giving you an overview of the manner in which we process your personal data and informing you about your rights related to the processing of personal data, all in accordance with the current regulations. At that, processing of personal data largely depends on which Bank’s services you have agreed and used. Information refers to clients, potential clients and other private individuals which personal data the Bank gathers on whatever legal basis (e.g. guarantors, joint and several debtors, lien debtors, proxy holders, custodians, heirs, representatives of minors).

 

I WHO IS THE CONTROLLER OF PERSONAL DATA PROCESSING?

UniCredit Bank d.d., with the head office at the address Kardinala Stepinca b.b., 88000 Mostar, Bosnia and Herzegovina, tel: + 387 (0) 36 312 112, e-mail: info@unicreditgroup.ba (hereinafter: Bank).

 

II WHAT IS PERSONAL DATA?

Personal data is any information that relates to a private individual, based on which their identity has been or can be established (hereinafter: Data Holder).

Personal data is every piece of data:

(a) the Data Holder communicates to the Bank verbally or in writing, as follows:

(i) in any communication with the Bank, irrespective of its purpose, which includes, without limitation, telephone communication, communication through Bank’s digital channels, at Bank’s branches and at Bank’s website;

(ii) agreeing new products and services of the Bank; 

(iii) in applications and forms for agreeing Bank’s products and services; 

(b) which the Bank learns based on providing the Data Holder with banking and financial services and services related to them, as well as the services of agreeing products and services of Bank’s contracting partners, which includes, without limitation, data on transactions, personal spending and interests, as well as other financial data stemming from the use of any product of the Bank or its contracting partners, as well as all the personal data the Bank learned by providing banking and financial services within previous business relations with a client;

(c) that originates from processing of any previously specified personal data by the Bank, and has the character of personal data (hereinafter, jointly: Personal Data).

 

III HOW DOES THE BANK GATHER PERSONAL DATA?

The Bank gathers personal data directly from the Data Holder. The Bank is required to check whether the Personal Data is authentic and accurate. 

The Bank is required to: 

a) process Personal Data in a lawful and legal manner; 

b) not to process Personal Data gathered for special, explicit and legal purpose in any manner that is not in line with that purpose; 

c) process Personal Data only to the extent and in the scope necessary for fulfilling certain purpose; 

d) process only authentic and accurate Personal Data, and update it when needed; 

e) erase or correct the Personal Data that is inaccurate and incomplete, given the purpose of its gathering or further processing; 

f) process the Personal Data only in the time period that is necessary for fulfilling the purpose of data gathering; 

g) keep the Personal Data in a form that allows identification of the Data Holder for no longer than is needed for the purpose of gathering or further processing the data; 

h) ensure that the Personal Data gathered for different purposes is not consolidated or combined. 

 

IV WHAT ARE THE PURPOSES OF PROCESSING PERSONAL DATA?

To be able to provide services to Data Holders, the Bank processes Personal Data in accordance with the Personal Data Protection Law and the Law on Banks of the FBIH. Data Holder’s Personal Data is processed when one of the following conditions of processing legality is met:

a) Meeting of legal obligations of the Bank or other purposes determined by law or other applicable regulations from the area of banking, payment transactions, anti money-laundering, etc., as well as acting in line with individual rules adopted by relevant institutions of Bosnia and Herzegovina or other bodies which orders, based on legal or other regulations, the Bank must observe. Processing of such Personal Data is a legal obligation of the Bank and the Bank can reject entry into contractual relationship or provision of an agreed service, i.e. terminate the existing business relationship in case the Data Holder fails to submit data prescribed by law.

b) Executing and implementing an agreement to which Data Holder is a party i.e. in order to take actions on Data Holder’s request before executing the agreement. Provision of Personal Data for the mentioned purpose is mandatory. If the Data Holder refuses to provide some of the data necessary for executing and implementing the agreement to which Data Holder is a party, including Personal Data gathered for the purpose of risk management in a manner and within the scope prescribed by the relevant laws and by-laws, it is possible that the Bank will not be able to provide certain services and, due to that, it can reject to enter into contractual relationship.

c) Data Holder’s Consent

- For the purpose of conducting marketing activities within which the Bank can send you offers and facilities related to new or already agreed products and services of the Bank, and for the purpose of direct marketing for development of the business relationship with the Bank, within which the Bank can send you tailored offers for executing new agreements on use of banking and financial services and related services of the Bank and Group members based on the created profile.

- For the purpose of occasional research in relation to conducting its business activities.

- The Data Holder can, at any time, withdraw previously given consents (according to the BIH Personal Data Protection Law, such withdrawal is not possible if thus explicitly agreed by the Data Holder and the controller),  and has the right to object to the processing of the Personal Data for the purpose of marketing  and market research. In that case, Personal Data related to them shall not be processed for that purpose, which does not affect the legality of processing Personal Data until that moment. Provision of data for the mentioned purposes is voluntary and the Bank will not reject execution or implementation of the agreement if the Data Holder refuses to give consent for provision of Personal Data.

Withdrawal of the consent shall not affect the legality of the processing that was based on the consent in force before its withdrawal.

d) Legitimate interest of the Bank, including, without limitation:

- management of credit, operational, reputation and other risk of the Bank and at Group level;

- the purpose of direct marketing, market research and Data Holder's opinion analysis to the extent they have not opposed to data processing for that purpose;

- taking measures for managing Bank’s operations and further development of products and services;

- taking  measures for insuring people, premises and property of the Bank, which includes control and/or checking of access to them;

- processing of Personal Data for internal administrative purposes and protection of computer and electronic communication systems.

When processing Personal Data of the Data Holder based on a legitimate interest, the Bank always pays attention to the Data Holder’s interest and basic rights and freedoms, with a special focus on ensuring that their interests are not stronger than Bank’s, which is the basis for processing Personal Data, especially if the interviewee is a child. In case of processing of personal data based on legitimate interest, the data holder has the right to submit a complaint to the Bank.

The Bank can process Personal Data also in other cases if it is necessary to protect legal rights and interests exercised by the Bank or a third party, and if that processing of Personal Data is not in contravention of the Data Holder's right to protect their private and personal life.

 

V HOW DOES THE BANK PROCESS PERSONAL DATA?

The Bank processes Personal Data in accordance with the regulations of Bosnia and Herzegovina and Bank's by-laws related to protection of Personal Data.

 

VI FOR HOW LONG DOES THE BANK KEEP PERSONAL DATA?

The period of keeping Personal Data primarily depends on the category of Personal Data and the purpose of processing. In line with that, your Personal Data shall be stored during the period of contractual relationship with the Bank i.e. so long as there is Data Holder's consent for processing of Personal Data and for the period the Bank is authorized (e.g. for the purpose of exercising legal requirements) and legally bound to keep that data (Law on Banks, Law on Anti Money-laundering and Counter Terrorist Financing, for archive purposes) 10 years from the termination of the business relationship with the Bank.

 

VII IS THE PERSONAL DATA CEDED TO THIRD PARTIES?

The Personal Data of the Data Holder can be ceded to third parties based on:

a) Data Holder’s consent; and/or

b) implementation of agreement to which Data Holder is a party; and/or

c) provisions of laws and by-laws.

Personal Data will be provided to certain third parties to which the Bank is required to provide such data, for the purpose of fulfilling a task carried out in public interest, such as: Banking Agency of the FBIH, Ministry of Finance – Tax Administration Office and others, as well as other parties to which the Bank is authorized or obligated to provide Personal Data based on the Law on Banks and other relevant regulations that regulate banking.

Additionally, the Bank is required to act in line with the obligation of keeping the banking secret, including Personal Data of Bank’s clients, and it can transfer and disclose such data to third parties i.e. recipients only in the manner and under the conditions prescribed by the Law on Banks and other regulations from this area.

We emphasize that all the persons who, due to the nature of their job performed with the Bank or for the Bank, have access to the Personal Data are equally obliged to keep that data as banking secret consistent with the Law on Banks, Personal Data Protection Law and other regulations that regulate data secrecy.

In addition to the aforementioned, your Personal Data can also be accessible to service providers who have business relationship with the Bank (e.g. providers of IT services, providers of card transaction processing services, etc..) for the purpose of ensuring adequate operations of the Bank i.e. provision of banking services, who are also required to act in accordance with the applicable regulations from the area of personal data protection.

Details related to the purpose of processing of Personal Data, to recipients or recipient categories, legal basis for processing of Personal Data and giving Personal Data for use to other recipients are described in more detail in Bank’s relevant documents, which are available to Bank’s clients when they agree products and services. The list of data processors is regularly updated and available for insight to Data Holders at the Bank’s website, in the subsection “Data Protection”, as well as the content of the informative notice.

 

VIII TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Data Holder’s Personal Data can be taken out of Bosnia and Herzegovina (hereinafter: Third Countries) only:

- to the extent prescribed by law or other binding legal basis; and/or

- to the extent necessary to execute Data Holder’s orders (e.g. payment orders); and/or

- if Data Holder has given an adequate consent for taking out Personal Data to third countries.

 

Transfers to third countries can, inter alia, include transfer to other members of UniCredit Group (UniCredit S.pA., Italy, as mother company of UniCredit Group, Zagrebačka Banka d.d. – Republic of Croatia, UniCredit Services GmbH, Austria, i.e. UniCredit Services S.C.p.A., Italy) for the purpose of risk management or realization of business/contractual relationship with a client.

More details on the transfer conditions and its purpose are made available to clients in the documentation handed out to them when agreeing concrete Bank’s products and services, as well as via other information published and available at Bank’s branches.

 

IX DOES THE BANK CONDUCT AUTOMATED DECISION-MAKING AND PROFILING?

Relative to business relationship with the Data Holder, the Bank does not conduct automated individual decision-making that would produce legal effects with negative consequences for the Data Holder. In some cases, the Bank applies automated decision-making, including creation of profile for the purpose of assessing realization of agreement between the interviewee and the Bank; for example, when approving authorized current account overdraft, and in accordance with the Law on Anti Money-laundering and Counter Terrorist Financing, when producing the model of money-laundering risk analysis. In case of automated decision-making, the Data Holder has the right to be exempt from a decision that is based exclusively on automated processing i.e. they have  the right to require human intervention from the Bank in order to express their standpoint and contest the decision.

 

X HOW DOES THE BANK PROTECT THE DATA?

As part of the internal security system and with a view to ensuring security of your Personal Data, in line with the relevant regulations and defined obligations, the Bank applies and undertakes adequate organizational and technical measures i.e. measures against unauthorized access to Personal Data, alteration, destruction or loss of data, unauthorized transfer and other forms of illegal processing and misuse of the Personal Data.

 

XI WHAT ARE THE DATA HOLDER’S RIGHTS?

In addition to the already mentioned Data Holder’s rights, every person whose Personal Data is processed by the Bank has primarily, and most importantly, the right to access all the provided Personal Data, and to correct and erase the Personal Data (to the extent permitted by law), the right to limitation of the processing, all in the manner defined by current regulations.

 

XII HOW TO EXERCISE ONE'S RIGHTS?

Data Holders have at their disposal Bank staff at all the Bank branches as well as as Personal Data Protection Officer who can be contacted in writing at the address: UniCredit Bank d.d., Personal Data Protection Officer, Kardinala Stepinca b.b., 88000 Mostar or via e-mail address: dpo@unicreditgroup.ba

 

Besides, every Data Holder, as well as the person whose Personal Data is processed by the Bank, is authorized to file an objection to processing of their Personal Data by the Bank as controller with the Personal Data Protection Agency in Bosnia and Herzegovina.

 

 

Information on the processing of personal data through the video surveillance system of UniCredit Bank d.d.

 

Spinning wheel animation

Loading

UniCredit Logo