Data protection

Our professional and personal daily lives are hard to imagine without the constant exchange of data. Data protection has become a fundamental right. In specific terms, it involves protecting personal data and the individuals these data relate to from misuse during data collection, processing and use. This is governed by the General Data Protection Regulation (GDPR) and national laws in force in Europe. To ensure compliance with the stringent data protection requirements in place, UNIQA has established its own in-house data protection organisation (Data Protection Governance). Its aim is to ensure the protection of personal data by implementing an efficient data protection management system (DPMS) and to guarantee a continuous improvement process based on a risk management system.

The Data Protection Officer reports directly to the Management Board, working as the second line of defence to monitor compliance with data protection provisions in the company and the first line of defence. The Data Protection Officer does not take any instructions in this role. Meetings between the local data protection committees are held on a quarterly basis.

A Data Protection Coordinator is appointed in each department. These individuals act as the first point of contact for any data protection matters within the department and support the data owners in advising on projects and responding to specific questions, for example. To provide more efficient support for the first line of defence as well as for project consulting purposes, the Data Protection Operations department was added alongside the existing Data Protection Legal department in 2021. We continued to enhance our operational processes in data protection in 2022. Both units advise on data protection issues and the technical and organisational measures required for this purpose. Furthermore, they assist with updating the record of processing activities and handling data breaches. They also act as an interface for internal and external customers in matters that require inter-disciplinary data protection expertise (i.e. data protection and information security). We also revised our internal guidelines on data protection in 2022. They support the first line cross-functional teams with the handling and risk assessment of projects in a more structured way, as well as the second line team in dealing with risks.

Targets and target achievement: data protection

Subject

Target achievement in 2022

2023 targets

Implementation of Data Protection Governance

Data protection is an inter-disciplinary issue and requires cross-subject expertise and appropriate interfaces to provide advice. A data protection organisation (Data Protection Governance) was therefore established within the company and extended in 2021 to include the Data Protection Operations department. Our objective in 2022 was to commence the gradual implementation of the new governance system for data protection at UNIQA.

We continued to implement the new governance system for data protection in 2022 and have now completed this work.

Expansion of data protection management system

In order to be able to meet the GDPR accountability obligations and associated documentation requirements, there is a continuous need for processes to implement data protection measures in the company.

The target set for 2023 is to ensure the protection of personal data by implementing an efficient data protection management system (DPMS) and to ensure a continuous improvement process based on a risk management system.