Unicredit - Official logo

Information notice on the processing and protection of personal data pursuant to the articles 13 and 14 of general regulation on the protection of personal data (“gdpr”)

The following information notice is intended to provide an overview of the use of your personal data and your rights pursuant to the General Data Protection Regulation - Regulation (EU) 2016/679 (hereinafter also GDPR) (and in accordance with 152-FZ “On personal data” FOR RUSSIAN EMPLOYEES ONLY) carried out by UniCredit S.p.A. and all other UniCredit Legal Entities where you are an employee, which act as Autonomous Data Controllers for the 360 feedback (hereinafter also “Data Controllers”. For the full list of UniCredit Legal Entities, that act as Data Controllers, please see the Annex 1 of this information notice).

01 · DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan, as well as all other UniCredit Legal Entities that act as autonomous Data Controllers, since they might be in charge or anyway involved of the above mentioned 360 feedback for the data processing of their own employees (for the Data Controllers full list see Annex 1).

You can contact the UniCredit S.p.A. Data Protection Officerat:

For the contact detail of the DPO of the other UniCredit Legal Entities, where you are an employee, you can make reference to the Annex 2 or to the information Notice provided by them when you started your working relationship with them.

02 · PURPOSE AND LEGAL BASIS OF PROCESSING

The Data Controllers process the personal data of their employees in its possession, collected either directly from the data subject, or from third parties for the following purposes:

In order to comply with the Delegations of Authority defined by UniCredit Board of Directors for the decision making process related to the 360 feedback your personal data - name, surname, corporate e-mail address, as well as any other data related to your employment with a Legal Entity belonging to the UniCredit Group, are transmitted, stored, managed and processed by UniCredit S.p.A— as Holding Company — as well the UniCredit Legal Entities (for the data processing of their own employees).

The 360 feedback is a development tool where the involved population is requested to answer - anonymously - a set of questions based on the UniCredit Values.

The legal basis for the processing of personal data is your consent, which you are free to give or not and which you may, however, revoke at any time. The provision of data necessary for these purposes is not mandatory, but without your personal data it will be not possible for you to participate in the aforementioned process related to the 360 feedback.

03 · CATEGORIES OF PERSONAL DATA

The Data Controllers process personal data collected directly from you, or from third parties, which include, but are not limited to, personal data (e.g. name, surname, e-mail address) as well as your data related to your employment relationship.

04 · RECIPIENTS OR RECIPIENTS’ CATEGORIES OF PERSONAL DATA

Your data may be communicated to the natural and legal persons in their capacity as “Data Processors” as specified in the list available on the websites of the corresponding Data Controller, as well as in the quality of persons authorized to process personal data, in relation to the data necessary for the performance of the duties assigned to him, the natural persons belonging to the following categories:

Would you need any additional info, you can refer to the dedicated email address: UniCredit - Group - Data Privacy Recruiting dataprivacy.recruiting@unicredit.eu.

05 · DATA PROCESSING MODALITIES

The processing of personal data involves the use of manual, IT and ICT instruments with rationale closely connected with the purposes defined above and, in any case, in such a way as to guarantee the security and confidentiality of the data.

FOR RUSSIAN EMPLOYEES ONLY data localization requirements in respect of transmitted personal data (e.g. name, surname, e-mail address) as well as your data related to your employment relationship have already been fulfilled by AO Unicredit Bank.

06 · DATA SUBJECT RIGHTS

GDPR* grants and assures specific rights, including the right to know what data concerning you are held by the Data Controllers (right of access), as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, as well as the update, the rectification or, if interested, the data integration, the restriction of processing, the right to object to processing, as well as the right to data portability.

*FOR RUSSIAN EMPLOYEES ONLY 152-FZ “On personal data”.

07 · DATA RETENTION PERIOD AND RIGHT TO ERASURE

UniCredit processes and stores your personal data for all the time of the employment relationship, to execute the related and connected obligations as well as for its own defensive purposes or those of third parties until the expiration of the longest mandatory retention period provided by the applicable law starting from the date of termination of the employment relationship.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: i) for resolution of pre-litigation and/or litigation, started before the expiration of the mandatory retention period; ii) to follow up with investigations/inspections by internal control functions and/or external authorities, started before the expiration of the mandatory retention period; iii) to follow up with requests from the Italian and/or foreign public authorities received/notified, started before the expiration of the mandatory retention period.

08 · PROCEDURE TO EXERCISE THE RIGHTS

To exercise the rights described above, you can refer to: UniCredit - Group - Data Privacy Recruiting - dataprivacy.recruiting@unicredit.eu.

The deadline for the reply is one (1) month*, that may be extended by two (2) further months in cases of particular complexity; in these cases, the Data Controllers inform you about such extension within one (1) month of receipt of the request.

FOR RUSSIAN EMPLOYEES ONLY The deadline for the reply is 10 working days in accordance with 152-FZ “On personal data” that may be extended no longer than to 15 working days.

FOR RUSSIAN EMPLOYEES ONLY Personal data can’t be transferred to any other countries than the following countries by the UniCredit S.p.A. and/or Unicredit Group or the 360 vendor: Austria, Bulgaria, Bosnia and Herzegovina, Croatia, Czech Republic, Great Britain, Hungary, Germany, Italy, Luxembourg, Romania, Serbia, Singapore, Slovakia, Slovenia, United States of America.

The exercise of rights is, in principle, free of charge. The Data Controllers reserve the right to ask for a contribution in case of manifestly unfounded or excessive requests (also repetitive).

09 · COMPLAINT OR REPORTING TO THE DATA PROTECTION AUTHORITY

You have the right to appeal to the Judicial Authority or else to lodge a complaint with or make a report to your Local Data Protection Authority.

ANNEX 1 - Data Controllers

Annex 2 -Data Protection Officer

  • Unicredit Consumer Financing Ifn S.A. at:
  • Data Protection Office,
  • sectorul 1, b-dul Expoziţiei, nr. 1f, 012101 Bucharest, Romania
  • Email: roucfindpo@unicredit.ro
  • Unicredit Leasing Corporation Ifn S.A. at:
  • Data Protection Office,
  • sectorul 1, b-dul Expoziţiei, nr. 1f, 012101 Bucharest, Romania
  • Email: dpo@unicreditleasing.ro