Data protection

Since UNIQA processes a large volume of data as an insurer and trust is one of our company’s key success factors, data protection is our top priority throughout the Group. In specific terms, it involves protecting personal data and the individuals these data relate to from misuse during data collection, processing and use. We minimise data protection risks and continuously improve by using structured processes and setting clear priorities. A comprehensive approach to data protection creates trust in UNIQA as a business partner and serves as a positive selling point. Not only are we required to fulfil a range of data protection requirements, but we also have to be able to provide our customers with information about how their data are used at all times.

To optimise the integration of the new data protection regulations into our day-to-day business operations, we are actively involved in the implementation of the Austrian industry standard for data protection (ÖBS) for the Austrian Insurance Association (VVO), which was approved by the Data Protection Authority in 2022. Our strategy is to establish data protection internally as an interdisciplinary issue. In addition to implementing interfaces and joint processes for information security and risk management, we have also harmonised our policies. We divide data protection risks into four categories: “operational”, “financial”, “reputational” and “regulatory”. Implementing and enhancing our data protection management system allows us to deal with these risks in a structured manner and set targeted priorities. This cross-functional collaboration allows the key elements of risk management and information security to be managed more efficiently and considered when handling projects.

When introducing new data processing procedures, we conduct consultations and, if necessary, data protection impact assessments that take technical, legal and process factors into account. Based on this analysis, we make decisions on how to implement new processing activities and focus on operational aspects of data protection, process improvements and the introduction of new data protection governance procedures by cross-functional teams. The continuous further development of the data protection management system remains a basic prerequisite in ensuring data protection compliance. In 2023, there were 24 enquiries from customers exercising data subject rights in accordance with Article 15 GDPR (confirmation as to whether personal data are being processed and right to information about processing details), and three complaints from customers and third parties to the data protection authority.

Topic: Implementation of data protection governance

Target achievement in 2023: Participation in the development and implementation of process management for group projects to ensure data protection in UNIQA International group projects

2024 targets: Further development of the UNIQA Governance Framework for Data Governance to guarantee data protection in an interdisciplinary and cross-functional manner in compliance with future regulations