1. Data controller and data protection officer

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan.

You can contact the Data Protection Officer at UniCredit SpA, Data Protection Office, Piazza Gae Aulenti n.3, Tower A, 20154 Milan; E-mail:; PEC:

2. Purpose and legal basis of the processing

UniCredit S.p.A. has made available in its Application for Authorized Mobile Devices, which can be downloaded through the dedicated On-Line Stores (By way of example: App Store iOS and Google Play Android), the BANCOMAT Pay® Service, which provides the possibility to make payments at the Merchants Affiliated by BANCOMAT S.p.A..

This Service provides for the "Pay at the stores near you" function, which for the sole purpose of identifying the location of the Affiliated Merchants and enabling the Service Customer to easily locate the Exercises closest to him/her, the application can access the Geolocation feature of the Mobile Device on which the UniCredit Application is installed.

UniCredit uses the Geolocation Data of the Customers' Mobile Devices only for the purpose of locating the Stores close to the location of the Customer's Mobile Device and the Geolocation Data will in any case neither be saved nor historicized nor processed for other and/or different purposes.

The legal basis for the processing is the consent given by the Customer according to art. 6, par. 1, lett. A) of Regulation (EU) 2016/679, by selecting "I AGREE" in the specific function provided in the UniCredit Application.

The User is free to decide whether to enable both the Geolocation function of his/her Mobile Device and to give his/her consent for the use of the "Pay at stores near you" function based on such Geolocation.

The User may revoke the aforementioned consent at any time either by using the function of the Operating System of the Mobile Device, or by using the specific function made available for this purpose in the UniCredit Application (Communication Hub Section > Settings > Geolocation Services).

If consent is not given, the "Pay in Stores Near You" Service will still be usable by the Customer but only through manual searches of the name of the Convenience Store.

The processing is carried out by computer and telematic tools with logics strictly related to the aforementioned purpose and, in any case, in such a way as to guarantee the security of the Geolocation data by also applying suitable encryption techniques designed to ensure confidentiality and to ensure that the data processed is "anonymous" both at the offices of the Data Controller and externally by the Third Parties appointed as Data Processors pursuant to Article 28 of Regulation (EU) 2016/679. 

3. Categories of personal data processed 

UniCredit collects Geolocation GPS coordinates only from Mobile Devices on which UniCredit's Mobile Application is installed and on which both the Geolocation function is enabled at the Operating System level of the Device (By way of example: function available in iOS or Android) and the consent to processing is given in the appropriate function of the Application itself.

The data related to the GPS Geolocation coordinates used to provide in the Customer's Mobile Device the location of the Convenience Merchants closest to him/her, are encrypted and the identifiers referring to the Customer used in the process are anonymized 

4. Recipients or categories of recipients of personal data 

In order to provide the functionality of "Pay in the stores near you" UniCredit makes use of an IT Platform made available by the Provider BANCOMAT S.p.A., with its sole office in Via delle Botteghe Oscure, 4 - 00186 Rome, which acts as Data Processor pursuant to Art. 28 Regulation (EU) 679/2016.

In addition, in order to provide this functionality of the BANCOMAT Pay® Service, UniCredit makes use of other Companies appointed as Data Processors pursuant to the aforementioned Art. 28 of Regulation (EU) 679/2016, whose updated list is available at the following link:

List of external data processor – italian version

List of external data processor – english version

5. Rights of the data subjects

EU Regulation 679/2016 grants individuals, sole proprietorships and/or freelancers ("Data Subjects") specific rights, including the right to know what personal data is held by the Bank and how it is used (Right of Access), to obtain the updating, rectification or, if interested, integration of such data, as well as their erasure, transformation into anonymous form or limitation.

Users may exercise their rights and revoke their consent to the processing of their personal data related to geolocation in the BANCOMAT Pay® service at any time using the specific functions made available in the UniCredit Mobile Application. 

5.1 Period of data storage and right to erasure (i.e. right to be forgotten)

UniCredit will not store personal data of the Data Subject related or referable to the Geolocation function "Pay in Stores Near You". UniCredit will retain for a short period of time only the data rendered anonymous through the application of suitable irreversible encryption mechanisms, aimed at verifying the proper functioning of the BANCOMAT Pay® Service, and in any case no longer than three months. 

6. Methods of exercising rights

Each Data Subject to exercise the rights referred to in paragraph 5 and 5.1 may contact: UniCredit S.p.A., Claims, Via Del Lavoro n. 42, 40127 Bologna (BO), Tel. +39 051.6407285, Fax +39 051.6407229, E-mail address:

The deadline for the reply is one (1) month, which may be extended by two (2) months in particularly complex cases; in these cases, the Bank will provide at least one interim communication within one (1) month.

The exercise of the rights is, in principle, free of charge; the Bank reserves the right to charge a fee in the event of manifestly unfounded or excessive requests (including repetitive ones).

The Bank has the right to request information necessary for the identification of the applicant.

7. Complaint or report to the personal data protection authority 

The Bank informs you that you have the right to file a complaint or a report to the Personal Data Protection Authority or alternatively to appeal to the Judicial Authority. The contacts of the Personal Data Protection Authority are available on the website