5. Consumers and end-users (ESRS S4)

5.1 Material impacts, risks and opportunities and their interaction with strategy and business model (ESRS 2 SBM-3)

As a core business activity, the provision of insurance benefits may result in certain impacts, particularly on policyholders.

UNIQA is committed to the ten principles of the UN Global Compact, which include respect for human rights. In terms of customers, this commitment is reflected on the one hand in UNIQA’s compliance with minimum social standards in UNIQA’s corporate business with corporate customers (see chapter 4). On the other hand, the ESG Retail Strategy for Austria described in the following and the corresponding processes and actions ensure human rights are upheld in transactions with retail customers. Along with topics such as equal treatment and anti-discrimination, matters such as the right to data protection, the right to freedom of expression and information, the right to access essential services and the right to a fair trial with respect to the responsible handling of complaints are also relevant. No human rights violations in relation to consumers and end-users were reported for the financial year. As the various strategies (retail business, data protection and cybersecurity) have a pronounced customer-centric approach, no known impacts on consumers and/or end-users arise from or are associated with the business strategy.

5.1.1 Retail business

Insurance products offered by UNIQA are aligned to the greatest possible extent with customer requirements. As a result, the extent of insurance coverage varies from policy to policy. In certain cases, a violation of legal disclosure requirements in relation to the conclusion of insurance products or insurance-based investment products as well as incorrectly assessing customer requirements can lead to erroneous and unfavourable decisions on behalf of customers. The provision of incorrect advice represents a legal risk as it may result in insurance claims being asserted by the affected customers.

Negative impacts on consumers can also occur in individual cases where certain groups of people do not have access to customised insurance products or insurance-based investment products and are therefore denied necessary insurance or financial coverage. Conducted in close cooperation with the specialist departments on the basis of internal knowledge and technical expertise, the materiality assessment identified the relevant disadvantaged groups. Negative impacts concern people who may not be able to afford insurance coverage due to their financial situation and other groups. Potential barriers to access posed by the (complex) language used in policies could exclude migrants, people with mental illness and the elderly, while people with physical disabilities or pre-existing medical conditions are occasionally excluded from insurance products, such as health insurance.

5.1.2 Data protection

As an insurance company, UNIQA processes a large volume of data due to the nature of the business. Accordingly, data protection and all associated processes play a particularly important role at UNIQA. Failing to roll out internal processes and infrastructure for data protection and information security can result in the risk of data subjects’ rights being adversely affected, especially if data becomes accessible to third parties – something that can negatively impact both employees and customers. For UNIQA, data protection violations can result in a financial risk in the form of fines.

5.1.3 Cybersecurity

A lack of internal processes and adequate cybersecurity infrastructure could potentially result in a loss of customer data, which can negatively impact customers. In response, the digitalisation of business processes is safeguarded through comprehensive measures to minimise cyber risk and increase cybersecurity.

5.2 Policies related to consumers and end-users (S4-1)

5.2.1 Retail business

In the financial year, UNIQA developed an ESG Retail Strategy for its main market, Austria, which takes the outlined impacts and risks into account. Responsibility for the ESG Retail Strategy lies with the Customers & Markets Austria Management Board function.

In the Group Product Development Process Policy, which also falls under the responsibility of the Customers & Markets Austria Management Board function, the target market for each insurance product on the market is defined in accordance with the legal requirements. A description of the suitable customer group is also provided in the policy to permit targeted product sales. The target market definitions are based on certain criteria, including the customer category (consumer, business operator), shared characteristics, desires, objectives and needs, including the consideration of sustainability objectives. For insurance-based investment products, specific criteria such as risk and loss-bearing capacity are also taken into account. The target market is defined and approved by a dedicated committee established for this purpose as part of the product development process.

Diversity and inclusion are also important elements of the ESG Retail Strategy. Special attention is given to increasing the accessibility of products. Individual solutions are developed and offered as required in order to include socially disadvantaged groups and reduce social inequality.

The scope of the ESG Retail Strategy in Austria is clearly defined. The policy focuses on the product development process in the property insurance, liability, accident and motor vehicle business lines and includes customers affected by the impacts and risks identified for these areas. With the establishment of mandatory, clear guidelines for the product development process throughout the Group, the scope of the Group Product Development Process Policy has also been clearly defined.

Retail strategies specific to ESG are yet to be established in the other countries in which UNIQA operates. At present, the measures in place are limited to fulfilling minimum statutory and internal requirements, such as the application of the Product Development Process Policy.

5.2.2 Data protection

The protection of personal data – a fundamental right that concerns the privacy of customers and employees alike – is a matter of particular importance to UNIQA. Considering this, processes and guidelines have been established to ensure that the requirements of employees and customers are met. Related measures are exclusively taken in compliance with national and international frameworks and regulations. A separate dialogue is not maintained with customers in this regard.

The Group-wide Data Protection Management Policy sets out the core functions of the data protection management system. A separate Data Protection Management Standard governs the allocations of tasks, including the assignment of specific data protection tasks and responsibilities to different organisational units.

Clear rules lay down the responsibilities in relation to data protection for individual business processes within the various functional areas. In principle, the division of responsibilities follows the three lines of defence principle. The management of each Group company is responsible for compliance with all data protection requirements and receives assistance from the Group’s data protection organisation, which includes the respective data protection officers and data protection coordinators. The Group-wide requirements as well as the plans and tools required for their implementation are defined by the Group Data Protection Officer, who also monitors compliance with all requirements. The data protection officers at the individual Group companies continuously monitor data protection processes and measures. This procedure applies to both internal processes and processes related to corporate customers.

A variety of regulations govern the structure of business processes and the handling of personal data, including the EU General Data Protection Regulation (GDPR), the EU Regulation on Artificial Intelligence (AI Act) and the UN Global Compact. The criteria outlined in these frameworks provide the basis for regulating the handling of personal data in business processes. The latest interpretations and rulings of European and national courts as well as the guiding principles and regulations of the European and national supervisory authorities are also taken into account.

5.2.3 Cybersecurity

A comprehensive cybersecurity policy not only ensures a timely response in the event of an emergency, but it also helps to build trust among customers and promotes the development of innovative and secure digital solutions. It safeguards sensitive personal information, such as health and financial data, against cyber-attacks and ensures that digital services, including health apps and online insurance services, can be securely used. The UNIQA Group Cybersecurity Strategy was developed and implemented across the Group for this purpose. Responsibility for this strategy lies with the Management Board member responsible for Operations, Data & IT.

The Group Cybersecurity Strategy is based on several pillars, which include proactive measures to prevent and protect against cyber-attacks. In order to ensure business continuity, a comprehensive crisis management framework that covers strategic communication as well as structured decision-making has also been established.


5.3 Processes for engaging with consumers and end-users about impacts (S4-2) and processes to remediate negative impacts and channels for consumers and end-users to raise concerns (S4-3)

5.3.1 Retail business

Customers can express their opinions and provide feedback in a variety of ways. Several different approaches have been established for incorporating customers’ views into decision-making processes and measuring their satisfaction on an ongoing basis. A number of processes have been put in place to review the effectiveness of these approaches and to reduce any resulting negative impacts. Customers are informed about the available feedback mechanisms and channels through email invitations to participate in surveys, which they will receive if they have opted in to marketing, or through prompts to submit feedback on their preferred channel. One of these prompts includes the submission of a standard rating based on a five-star scale, which can be supplemented by free text fields. These free-text comments are analysed using AI technologies to identify topic-based clusters and simplify the subsequent analysis. Such surveys are carried out automatically, especially after new contracts have been concluded, after claims for damages or entitlements have been paid out or rejected, or following contact with an individual customer at a UNIQA location or with customer service. Using a scale of 1-5, with 1 being “not sufficient” and 5 being “very good”, customers can indicate whether they are willing to participate in an individual telephone interview. Findings from the customer feedback obtained are then incorporated into the product development. The customer complaints process is governed by a Complaints Management Policy. The policy ensures that virtually every time a customer interacts with UNIQA, they are given ample opportunity to provide feedback and gain additional trust. In general, great importance is attached to careful handling of feedback received. Aside from these structured feedback avenues, detailed interviews with customers who have volunteered to participate are conducted on a regular basis to gain comprehensive insights on a wider scale.

Market research also plays an important role in product development processes, regardless of whether they involve changes to existing products or designing new products. Customer segmentation is similarly based on the continuous evaluation of market research data. Information is generally collected anonymously and does not follow a specified timetable. Market research on sustainability issues with regard to health insurance, motor vehicle insurance and household insurance products was carried out in the financial year. In addition to the insights gained from these findings, the results of the customer surveys are also incorporated into the product development process. The Product Experience department is responsible for implementing the findings, while responsibility for engaging with customers lies with the Management Board members for the Customer & Market Austria and Customer & Market International departments.

5.3.2 Data protection

Data subject rights under data protection legislation constitute core elements of the GDPR and permit data subjects to maintain control over their data. Corresponding processes have been defined and introduced to ensure data subjects’ rights are reliably upheld and observed for the duration of the statutory retention periods. One of the most important measures was the creation of a single point of contact with a dedicated e-mail address to which enquiries regarding data subject rights in relation to data protection can be sent. All customers are informed about this central point of contact in the privacy notices they receive at the time their data is collected for each data processing operation. Depending on the type of data processing and the form in which they communicate, customers may receive these privacy notices in paper form, in the app, through various other electronic channels or on the website. The central point of contact ensures that all incoming enquiries are documented, efficiently processed and reliably handled by the legally prescribed deadlines. If the enquiries received reveal systematic shortcomings in the data protection concept, measures are developed, and the Data Protection Management Policy is updated. An electronic complaints management system that complies with data protection legislation has been set up to ensure standardised handling of customer concerns, requests and complaints along with demands made under data protection legislation. Customers can report potential compliance or legal violations through various channels (including anonymous channels). The Compliance team, which can be contacted by e-mail, post or in person, and the UNIQA Whistleblowing Platform are available for this purpose (see also chapter 6). Information on the complaints management system can also be found on the UNIQA website.

In order to ensure comprehensive follow-up and transparent processing, enquiries regarding data subject rights are recorded and documented by the data protection team. Every case of a suspected violation is carefully evaluated and the potential impacts on existing processes analysed. In accordance with the GDPR, risks affecting the rights and freedoms of natural persons are reported in due time to the data protection authority and, where applicable, to the affected customers and employees. At the same time, measures are being taken to eliminate the risk and prevent future incidents. The measures taken include, in particular, updating the data protection management system and the data protection requirements in ongoing data protection advisory processes on the basis of findings from the case in question. With this remedial approach, it can be ensured that the measures are effective and adhered to in the long term. Regular reports and expert panels provide information to all top management levels and to experts (Management Board, Supervisory Board, management, data protection coordinators) on specific data protection incidents and the measures taken. Raising awareness of the measures taken and exchanges with the specialist departments also help to ensure the effectiveness of the measures. The management of each individual Group company is responsible for compliance with data protection regulations. The data protection organisation provides the support required to ensure that data protection is properly implemented.

Customers and employees receive comprehensive and transparent information on the processing of their data and have the right to obtain information about their data stored by UNIQA and to request the rectification or erasure thereof at any time.

5.3.3 Cybersecurity

Customer requirements in terms of data protection are met through a combination of seamless compliance and ongoing improvement of protective measures. Due to the complexity of the topic, an active dialogue is not maintained with customers on the subject of cybersecurity. The alignment of the cybersecurity policy with legal and regulatory requirements such as the GDPR or the European Union’s Digital Operational Resilience Act (DORA) ensures that stakeholders are afforded comprehensive protection. Please consult section 5.5.2 to learn more about the transparency and processing of customer data, including with respect to the development and implementation of remedial measures.

5.4 Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions (S4-4)

5.4.1 Retail business

A key focus of the ESG Retail Strategy is on promoting comprehensive sustainability awareness among advisors. The aim behind this is to expand their expertise on the topic of sustainability and ensure that they are able to incorporate this knowledge into their conversations with customers in a targeted manner. In the financial year, an ESG Check was rolled out in Austria as an integral part of the product development process. In addition to environmental criteria, this check also incorporates social criteria such as promoting equal opportunity and inclusion (for more information see section 2.5). Dedicated training on the ESG guideline and ESG Check also helps product managers integrate ESG aspects directly into product development.

In the financial year, various IT tools were introduced for the advisory process in Austria to ensure that advisors receive ESG-related support when documenting the requests and requirements of their customers during consultations.

In order to address the social aspects of the ESG Retail Strategy, work is also taking place to improve the accessibility of products. In Austria, for example, pilot projects related to online customer service were carried out in the financial year. A team set up for this purpose handles consultation appointments that customers can independently book on the website. As a result, consultations are available from any location. Customers can also choose from several different languages. Documents such as contracts and informational material have been written and tested in simple language to make them easier for customers to understand.

In the 2024 financial year, a comprehensive process was implemented in Austria to regularly assess all products on the market. As a result, targeted checks can now be conducted to determine whether products are being sold successfully in the defined target market or whether new framework conditions have necessitated product updates. These criteria are reviewed on the basis of the evaluation of any customer complaints received, a survey conducted among sales employees on the target market definitions and an analysis of key actuarial metrics. For life insurance products, a quantitative and qualitative product assessment is also carried out to ensure that the products in question continue to create added value for customers. In addition, regular information exchanges take place with various advocacy groups.

In the other markets in which UNIQA operates, specific plans and measures are being developed to reduce negative impacts for consumers and end-users and to improve access to products. In addition, various new training formats such as sustainability training for sales employees will be launched in 2025.

5.4.2 Data protection

Comprehensive risk management in compliance with data protection legislation ensures that potential data protection risks are identified at an early stage through risk analyses to permit targeted action to be taken to minimise risk. At UNIQA, data protection is integrated into various management systems, both in terms of operations and strategy. The data protection management system (DPMS) is closely linked to the risk management system and the compliance management system.

One key component of the data protection management system is the provision of comprehensive advice on data protection legislation by the Data Protection department. All employees across the Group can access this advice. Consulting with the Data Protection department is also mandatory for new initiatives and projects related to data protection as part of a standardised process. This procedure ensures that business practices comply with regulatory requirements and do not result in any negative privacy-related impacts for data subjects. The data protection management system also involves a continuous improvement process that culminates in a regular review of data protection regulations and the Data Protection Guideline. In addition, as part of the reactive measures, in its capacity as the second line of defence, the Data Protection department reviews the data breach process and determines whether it is effective and working in the interests of data subjects with regard to content, timing and actions taken. In addition, remedial action may be taken on the basis of case-by-case assessments in the event of data breaches. Corresponding actions may include the deletion of data, the blocking of devices, password changes and training specific to certain target groups. When UNIQA takes these actions, the affected customers are informed accordingly if their active participation is required. Preventive measures such as implementing technical and organisational precautions, establishing privacy by design and privacy by default principles, authorisation policies, emergency plans and regular security reviews also help to prevent data breaches.

Regular training on the fundamental aspects of data protection and how to handle personal data ensures that all employees are kept up to date on the latest data protection requirements and know how to implement them in their daily work. This reduces the risk of data breaches and increases overall data security within the company. Data protection training is mandatory for all employees and takes place every two years as well as during the onboarding process. Various guidance documents were prepared in the 2024 financial year for the individual specialist departments to provide assistance with the implementation of data protection. For instance, the documents contain instructions on how to use cookies in line with data protection regulations and provide guidance on managing the distribution of roles under data protection legislation. Furthermore, data protection was integrated more fully and comprehensively into the use of AI in the consulting process in the financial year. An expanded process for evaluating and monitoring service providers used by UNIQA was also introduced so that their compliance with data protection legislation can likewise be assessed.

5.4.3 Cybersecurity

For more information on how potential negative impacts for customers that could arise as a result of a cyber incident are handled and related remedial actions, please refer to the procedure outlined in section 5.5.2. Related measures include regular security updates, threat assessments, security policies and the use of state-of-the-art technologies such as firewalls, intrusion detection systems and encryption. Sophisticated tools are used to identify and monitor unusual activity and threats early on. Employees receive training on cybersecurity each year and during their onboarding. They also participate in awareness programmes that help to raise the associated risk awareness. These programmes are updated to cover the latest threats and types of attacks and – depending on the target group – include both theoretical knowledge and practical exercises such as crisis simulations.

The Cybersecurity Action Plan, which is based on the Cybersecurity Strategy, entails a combination of technical, organisational and personnel measures. With regard to technical measures, the primary focus in the financial year was on strengthening network security, automated threat identification, data backups and restoration plans. Organisational measures include the risk assessment, risk management and the incident response plan. Personnel measures encompass training and raising awareness, the recruitment of experts and specialists, and addressing the corporate culture, in particular general handling of the topic of cybersecurity.

A comprehensive resilience management system that combines several approaches to security and crisis management has been introduced to strengthen resilience to cyber threats. Business Continuity Management (BCM) ensures critical business processes continue uninterrupted on the basis of defined plans and processes both during and after an incident.

IT Service Continuity Management (ITSCM) involves the establishment of disaster recovery plans and the regular review of IT risks. In the event of a security breach, an incident response team takes action to minimise the damage and ensure timely system recovery on the basis of clearly defined processes for identifying, mitigating, remediating and analysing security breaches. The plans and measures for managing acute emergency scenarios that jeopardise business operations are enshrined in the emergency management approach along with the coordination of internal and external resources.

In 2025, the focus will be on implementing additional measures, in particular on making the necessary updates to the DPMS to fulfil regulatory requirements in relation to AI and to ensure that the provisions of data protection legislation and data security principles are guaranteed when using innovative technologies. UNIQA’s task is to develop and implement specific measures for achieving the defined targets. Monitoring progress on an ongoing basis and updating the action plan where necessary will make a substantial contribution to achieving the defined targets.

5.5 Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities (S4-5)

5.5.1 Retail business

Formulation of quantitative targets and defining metrics to help UNIQA manage and leverage the identified impacts, risks and opportunities is currently in progress. The goal over the next few years is to establish a quantitative basis for all UNIQA markets. A corresponding monitoring process can only be set up in the course of establishing quantitative targets.

5.5.2 Data protection

In order to meet regulatory requirements arising in particular from the EU Digital Strategy, it will be necessary, among other things, to adopt a holistic approach to data protection and to further develop the Governance Framework for Data Governance. A data protection action plan sets annual targets for mitigating material risks related to the processing of personal data of employees and customers and for taking appropriate action. For 2025, these targets primarily relate to the measures and legal requirements listed above. Due to the complexity of the topic and the absence of specific targets, no further quantitative or time-sensitive targets can be stated in this regard.

5.5.3 Cybersecurity

In the future, UNIQA will continue to expand its cybersecurity strategy in compliance with regulatory requirements in order to strengthen and guarantee its cyber resilience. This will be achieved in particular through the implementation of the described measures. For example, in 2025, the requirements of the EU Digital Operational Resilience Act (DORA) will be rolled out which, together with the implementation of third-party security risk management and measures to manage security risks, will ensure that consistent standards are upheld and contribute to the fulfilment of third-party security requirements.

The measures in place are continuously reviewed and updated in order to minimise any security risks identified. This procedure also ensures that identified vulnerabilities are eliminated and that data integrity, confidentiality and system availability are maintained. In addition, regular audits and tests are conducted to strengthen resilience against cyber threats on an ongoing basis.