Trust is important, especially when it comes to your personal data. That is why we see it as our obligation to exercise the utmost care in the handling of your personal data and to do everything we can to protect your information from misuse.

UniCredit Bank Austria AG adheres strictly to data protection laws in the collection and processing of your data. The following information explains in detail which data is collected when you visit our website and how we use this data.

This Privacy Policy applies to the websites of UniCredit Bank Austria AG (*, where the asterisk stands for a readable string). Individual pages may contain links to other providers within and outside the UniCredit Group, to which the privacy policy does not extend; meaning that we cannot assume any liability for this content.

1. Who is controller of the data processing and who can you contact?

The Data Controller is:
UniCredit Bank Austria AG
Rothschildplatz 1
1020 Vienna, Austria
Telephone: +4350505-0
Fax: +43 50505-56155

The data protection officer at UniCredit Bank Austria AG is: 
Jochen Hauser
PO Box 580
1011 Vienna
Telephone: +43 50505-32836

2. Which data is processed and where does this data orginate from?

We process the personal data that we receive from you as part of the business relationship. We also process data that we have legitimately received from credit agencies1, debtor registers2 and from publicly available sources (e.g. Commercial Register, Register of Edicts, of Register of Associations, land register, media, Central Residence Register).

These personal data include, pursuant to Art. 13 of the GDPR, your personal details (name, address, contact details, date and place of birth, nationality, etc.), credentials (e.g. ID data) and authentication data (e.g. specimen signature). In addition, this may include order data (e.g. payment orders), data from the fulfilment of our contractual obligation (e.g .turnover data in pay-ment transactions), information about your financial status (e.g. creditworthiness data, scoring or rating data, etc.), advertising and sales data, documentation data (e.g. consulting records), data from signing on sign pads (e.g. writing speed), register data, image and sound data (e.g. video or telephone recordings), information from your electronic communication to the bank (e.g. apps, cookies, etc.)

These personal data include, pursuant to Art. 14 of the GDPR, data from the fulfilment of our contractual obligation (e.g. turno-ver data in payment transactions), information about your financial status (e.g. creditworthiness data, scoring or rating data, etc.), information about legal function in companies, register data (e.g. company register, land register, Central Residence Register), information from your electronic communication to the bank (e.g. apps, cookies, etc.), processing results generated by the bank itself as well as data for compliance with legal and regulatory requirements.


1 CRIF Gmbh
2 Kreditschutzverband von 1870

3. For what purposes and on what legal basis is the data processed?

We process your personal data in accordance with data protection regulations:

  • For the fulfilment of contractual obligations (Art. 6 (1) lit b GDPR):
    The processing of personal data (Art. 4 (2) of the GDPR) is carried out for the provision and arrangement of banking, financial services and insurance, leasing and real estate business, in particular for the execution of our contracts with you and the execution of your orders and all activities required for the operation and management of a credit and financial services institution.
    The purposes of data processing are primarily based on the specific product (e.g. account, credit, building society savings, securities, deposits, brokerage) and can include, among other things, needs analyses, the provision of advice asset management and support as well as the execution of transactions. The specific details for the purpose of data processing can be found in the respective contract documents and terms and conditions.
  • For the fulfilment of legal obligations (Art. 6 (1) c GDPR):
    Processing of personal data may be necessary for the purpose of fulfilling various legal obligations (such as from the Banking Act (BWG [Bankwesengesetz]), Financial Market-Money Laundering Act (FM-GwG [Finanzmarkt-Geldwäschegesetz]), Sanctions Law (SanktG [Sanktionengesetz 2010]), Securities Supervision Act (WAG [Wertpapieraufsichtsgesetz]), Stock Exchange Act (BörseG [Börsengesetz]), etc.) as well as regulatory requirements (such as of the European Central Bank, the European Banking Supervisor, the Austrian Financial Market Authority, etc.) to which UniCredit Bank Austria AG is subject as an Austrian credit institution. Examples of such cases:
    • Identity verification, Know Your Customer process, monitoring of financial transactions, suspicious activity reports;
    • Conducting sanctions audits;
    • Compliance with sanctioning rules (data processing to avoid insider-trading, conflicts of interest and market manipulation, disclosure to the FMA (Finanzmarktaufsicht, Austrian Authority Body) according to the Securities Supervision Act and The Stock Exchange Act e.g. to monitor compliance with the provisions on market abuse of insider information);
    • Recording of Phone calls und electronic communication concerning bonds (MIFID II);
    • Provision of information to public prosecutors, courts and to financial criminal authorities in the context of financial criminal proceedings for an intentional financial offence;
    • Provision of information to federal tax authorities pursuant to § 8 of the Account Register and Account Inspection Act (Kontenregister- und Konteneinschaugesetz), as well as reports to the account register and reports of capital outflows;
    • Risk management and due diligence (§ 39 Banking Act);
    • Handling of complaints concerning Data Protection (GDPR);
    • Detection of unauthorisied, fraudaulent or suspicious financial transactions (§ 39 Banking Act, § 16 Financial Market-Money Laundering Act)
    • Accounting, Controlling and Compliance with tax regulations (e.g. Banking Act, Income Tax Law)
    • Disclosure of information on the identity of shareholders (§ 10a AktienGesetz [Companies Act]).
  • Within the scope of your consent (Art. 6 (1) lit a GDPR):
    If you have granted us consent to process your personal data, processing will only take place in accordance with the purposes set out in the declaration of consent and to the extent agreed therein. Any consent given may be revoked at any time with future effect (for example, you may object to the processing of your personal data for marketing and advertising purposes if you no longer consent to processing in the future).
  • For the protection of legitimate interests (Art. 6 (1) f GDPR):
    If necessary, within the framework of balancing of interests of UniCredit Bank Austria AG or a third party, data may be processed, by us or by third parties, beyond the actual fulfilment of the contract, in order to safeguard legitimate interests.

    In the following cases, data are processed to safeguard legitimate interests:
    • Consultation of and data exchange with credit agencies (e.g. Austrian Credit Protection Association 1870) for the identification of credit risks and default risks;
    • Assessment and optimization of methods and models, analyzing of needs and business control, product development and customer contact;
    • Advertising or market and opinion research, provided that you have not objected to the use of your data in accordance with Art 21 of the GDPR;
    • Video surveillance for the collection of evidence in the case of criminal offences or for the proof of dispositions and deposits (e.g. at ATMs); these especially serve to protect the customers and employees;
    • Telephone records (e.g. in case of complaints);
    • Writing speed, pressure strength curve when using the sign pad to make signatures forgery-proof;
    • Process management and quality management, e.g. recording of phone calls for purposes of professional training and quality assurance purposes;
    • Measures for protecting employees and customers and the property of the bank;
    • Measures for the prevention and combating of fraud (Fraud Transaction Monitoring);
    • In the context of legal prosecution.
4. Who receives my data?

Your data is received by those offices or employees that need it for fulfilling contractual, legal and regulatory duties and for legitimate interests. Outside UniCredit Bank Austria AG Bank Auditors, Annual Auditors, Lawyers, Tax Consultants, Trustees and Payment Services will receive your data if it is necessary to fulfil their duties. Furthermore, data processing companies commis-sioned by us (especially IT service providers, back-office service providers and service line) receive your data as long as they need them for fulfilling their respective service. These processors or their sub-processors may be located in third countries. The trans-fer of your data to these third countries takes place either on the basis of an adequacy decision of the European Commission or the application of EU standard contractual clauses and appropriate and adequate safeguards. Accordingly, all the data pro-cessing companies are contractually obligated to keep your data confidential and to process it only in the context of service provision.

The public authorities and institutions (such as European Banking Authority, European Central Bank, Austrian Financial Market Authority, tax authorities, etc.) and the UniCredit S.p.A. as our parent company can be recipients of your personal data if there is a legal or regulatory obligation.

With regard to the disclosure of data to other third parties, we would like to point out that UniCredit Bank Austria AG, as an Austrian credit institution, is obliged to observe banking secrecy pursuant to § 38 of the Austrian Banking Act and is therefore obliged to maintain confidentiality about all customer-related information and facts that have been entrusted to us or made accessible to us as a result of the business relationship. Therefore, we can share your personal data only if you have explicitly released us from banking secrecy in writing in advance or if we have a legal or regulatory obligation or authorisation for it. In this context, recipients of personal data can be other credit and financial institutions or similar institutions to which we send the data in order to maintain the business relationship with you (depending on the contract this can be for example, correspondent banks, stock exchanges, custodian banks, credit service agencies etc.).

5. How long will my data be stored?

As far as it is necessary, we process your personal data for the duration of the entire business relationship (from the initiation, performance until the termination of a contract) and furthermore, we process it according to the legal safekeeping and docu-mentation obligations resulting from the Austrian Commercial Code (§ 212 UGB), the Federal Fiscal Code (§ 132 BAO), the Financial Market Money Laundering Act (§ 21 FM-GwG) and the Securities Supervision Act (§ 33 WAG).

6. Which protection rights do I have?

You have the right to obtain information, correction, deletion or of the processing of your stored data at any time, the right to object to processing and a right to data portability in accordance with the requirements of data privacy laws which you can address to the data protection officer of UniCredit Bank Austria AG. When you assert your rights, we might ask you to confirm your identity in case of doubt. We do this for your protection, so that your data will not be accessible to third parties.

The data protection officer at UniCredit Bank Austria AG is:
Jochen Hauser
Postfach 580
1011 Wien
Telefon: +43 (0)50505-32836

You can also submit complaints to the Austrian Data Protection Authority:
Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien


7. Are you obliged to provide data?

According to Art. 13 of the GDPR, we hereby inform you that in the context of the business relationship, you must provide personal data which is necessary to establish and maintain the business relationship, as well as the information which we are legally required to collect. If you do not provide us with this data, we will usually have to refuse to conclude the contract or execute the order or will no longer be able to fulfil an existing contract and consequently have to terminate it. However, you are not obliged to give consent for processing of any data that is not relevant or not required for legally and/or in regulatory terms for fulfilling the contract.

8. Is there an automatic decision-making, including profiling?

We do not use automated decision-making as defined under Article 22 of the GDPR to reach a decision on the establishment and conduct of the business. A credit assessment (credit scoring) is made for loan disbursement. The default risk of credit seekers is assessed with the help of statistical comparison groups. The calculated score should make it possible to predict how likely it is that the applied-for loan will be repaid. To calculate this score, your master data (e.g. marital status, number of children, duration of employment, employer, etc.), information of your overall financial situation (e.g. income, assets, monthly expenses, total liabilities, collaterals etc.) and your payment history (e.g. proper loan repayments, warnings, information on credit service agencies) are used. If the default risk is too high, the credit application is rejected, if applicable, an entry is made in the consumer loan register maintained by KSV 1870 and an internal warning notice is entered. If a credit application has been rejected, this is visible for 6 months in the consumer loan register maintained by KSV 1870 in accordance with the decision of the data protection authority.

9. Cookies, retargeting and web analytics

To make the user experience of our website as convenient as possible, we use so-called cookies. Cookies are small text files which enable the system to recognize a returning user. These cookies include cookies that are prerequisite for the usage, cookies that are used statistically to analyse the usability of the page control elements, and cookies for comfort settings that enable you to make the best possible use of our website . Further information on these cookies can be found below. The information stored does not contain any personal data and cannot be traced back to individuals.

For this purpose, we have commissioned various service providers (for example, Adobe Analytics [Omniture], Adform, Google Ads and DV360, and [YOUSURE Tarifvergleich GmbH]) to record information using cookies on the websites of, but not in connection with Bank Austria online banking, BusinessNet online banking, or SmartBanking. Our service providers only receive anonymous data. 
As a result of this process, UniCredit Bank Austria AG receives statistical analyses which are used to evaluate the need-based design of our web presence.

Cookies are generally only set on the website of UniCredit Bank Austria AG if the user has given his/her consent for this. Technically necessary cookies that are required for the website to function correctly are excepted from this.

You can centrally manage and deactivate your cookie settings for statistics and comfort settings if necessary. Please note that in the case of deactivation, not all functions of our website will  be fully available.

Privacy Center

Here you will find further information on cookies.


Adobe Analytics

Purpose: Adobe Analytics uses cookies to distinguish requests from different browsers and to store useful information that can be used by an application later. Cookies can also be used to associate browser information.
Adobe Analytics uses cookies primarily to anonymously define new visitors, analyze clickstream data, and track historical activity on the site, such as response to specific campaigns or the length of the sales cycle.
Read the privacy policy of the data processor here:

Retention period: 2 years


Data Management Platform Turbo Audience Lab (Next14)

Purpose: The Turbo Audience Lab data management platform uses cookies to anonymously define new visitors / visitor segments, analyze clickstream data, and track historical visitor activity on the website. Furthermore, targeted advertising can be played to users of the website via the Demand Side Platform ("DSP") Adform.
Read the privacy policy of the data processor here:

Retention period: 180 days

UniCredit Bank Austria is participating in the IAB Transparency and Consent Framework (TCF) to facilitate compliance with EU data protection standards and to effectively manage consent for online advertising and content. More information about this framework can be found at transparency-consent-framework/.


Purpose: Our website uses “Adform”, which is provided by Adform S/A, Denmark. Adform uses cookies to provide you with personalised ads. With the help of cookies, we can measure which advertising media you have come into contact with and which ones you clicked on. Cookies are set in your browser for this, but do not permit personal identification under any circumstances.
In addition, the cookies that are set record information about actions on our website in order to help us assess the efficiency of our advertising measures. These actions include accessing pages, sending contact forms, and signing up for products.
Read the privacy policy of the data processor here:

Retention period: 30 days 

Google Ads

Purpose: Bank Austria uses the Google Ads service provided by Google Ireland Limited in order to advertise products and services in the Google search engine. In order to measure the efficiency of these advertising activities, we use Google Ads Conversion Tracking, which is provided by Google Ireland Limited. When you click on an ad in a Google search, a cookie is set in your browser for this, which expires after 30 days. This cookie does not permit personal identification and allows us to track, for example, which of your interactions are connected to which entry in a Google search. Interactions that are measured in this way include sending contact forms and signing up for products..
Read data processor’s privacy policy here:

Retention period: 30 days


Bank Austria uses the Display & Video 360 (DV360) service, which is a tool of Google LLC. Collected data are used by Display & Video 360 to link advertising contacts and clicks on advertisements with a resulting use of our website. When you click on an ad in the Google Ads Network, a cookie is set in your browser for this, which expires after 30 days. This allows us to determine whether users that have seen our ad visit our website or what products they are interested in. This helps us make more efficient use of our advertising budget.
Read data processor’s privacy policy here:

Retention period: 30 days

Remarketing via DV360 and Google Ads

Bank Austria also uses Google Ads Remarketing and DV360 Remarketing, further services of Google Ireland Limited. Remarketing allows us to track your navigation on, to deduce interest in products, and to ultimately show ads for you on pages of the Google Ad Network. To do this, the Google Ads and DV360 remarketing services set a cookie in your browser that measures your navigation on The cookie is also used later to show ads for you on pages of the Google Ad Network.
Read data processor’s privacy policy here:

Retention period: 30 days


Purpose: Bank Austria uses the “” platform provided by YOUSURE Tarifvergleich GmbH. Cookies are set in your browser by for the purposes of performance measurement. These cookies are used to measure clicks on our product offerings as well as product sign-ups on
Read the privacy policy of the data processor here:

Retention period: 60 days


Purpose: Bank Austria uses the “LinkedIn Advertising” service provided by LinkedIn Ireland Unlimited in order to advertise products and services on the LinkedIn platform. We use cookies here in order to identify you in the LinkedIn network as a user who has also accessed pages on These cookies enable us to provide you with personalised ads while you are on the LinkedIn platform. The pages you have accessed on are used as the basis for the personalisation.
Read the privacy policy of the data processor here:

Retention period: 90 days

To customise and improve the design of our newsletter, we use the "Unica" campaign management software from HCL-Software. By linking different communication channels and by using cookies, records can be compiled which then enable us to provide subscribers to our newsletter with information about current products and other offers tailored to meet their needs. The records compiled are only used for analytical assessments and are not transferred to unauthorised third parties.

Additional information for internet banking: Cookies are a prerequisite for the usage of the internet banking services of UniCredit Bank Austria AG. For the first login on a new device (browser), as well at the latest every 90 days for each following login, it is additionally necessary to enter a TAN due to a legal requirement. Via cookies the link between device (browser) and user code is ensured; However, these cookies can be deleted by appropriate settings in your browser software, automatically by date or when closing the browser. After deleting the cookies, the link between the browser and your user code is no longer available. Therefore, the next time you log on to this browser, entering a TAN will again prompt you to register the browser with a new name and re-associate it with your user code.

10. Google Maps

The UniCredit Bank Austria website uses Google Maps, in particular during searches for branch offices. Google Maps is operated by Google Inc. By using this website, you agree to allow Google, its representatives or third-party providers, to collect, process and to use data which is collected automatically or entered by you.
You can find a summary here of the data which is transferred when using Google Maps: – in addition to the IP address, other items are also included, such as smartphone GPS data, if one is used for the search, or details of the search activity.

11. YouTube Videos

The UniCredit Bank Austria website integrates YouTube videos stored at, which are therefore playable on the website. YouTube is operated by Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The videos are integrated with the "Extended Data Protection Mode", which means that no data about you as a user is transmitted to YouTube if you do not actively play the videos. If you actively click on the video, data is transmitted to Google Inc.
In this case, whether you are logged into your Google account makes a difference. If you are not logged into a Google account, Google Inc. stores data with unique identifiers associated with the browser, app, or device that you are using. Google Inc. can thereby ensure, for example, that your language settings are retained for all browser sessions. If you are logged into a Google account, Google Inc. also collects data, which are stored in your Google account and considered personal data.

For more information, please refer to the data protection declaration of Google:

12. Social Media - Twitter, XING, LinkedIn

UniCredit Bank Austria AG collaborates with the following providers of social media networks:
Twitter Inc., San Francisco, California, United States, XING SE, Hamburg, Germany, and LinkedIn Inc., Sunnyvale, California, United States.
In the course of this collaboration, when using the respective service, your browser will automatically connect to the service provider selected (such as LinkedIn). In this case, data such as your IP address, cookies and other information will be transmitted to the respective service provider if you have previously visited its website. Where possible, we will prevent this data transfer from taking place and it will only occur if you interact with the social media network. If you are logged into the social media network concerned, it can assign your visit to our website to your user account.

In addition, we use plugins for various platforms (such as the LinkedIn symbol). By clicking on the respective symbol, you agree to allow communication with the respective platform, including the transfer of information (such as your IP address) to the service provider concerned. For further information on how your data is used in such cases, kindly read the Data Protection Declaration of the service provider you have connected to.

You can find the Data Protection Declaration of Twitter here:
You can find the Data Protection Declarations of XING here:
You can find the Data Protection Declarations of LinkedIn here:

13. Data Security

The security of your data is our highest concern. Our stated aim is to take all technical and organisational measures required to ensure that our data processing is carried out in a secure manner and to process your personal data in such a way that it is protected from access by unauthorised third parties.
We make sure our IT infrastructure complies with the highest international security standards by using the most up-to-date security software, codes and encryption procedures.
In addition we enhance the security of your data by using risk minimisation measures and preventive safeguards. Furthermore, all of our users have the option to obtain information about current topics at no charge and without obligation by using the purpose-built security portal