1. Data controller and data protection officer

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan.

You can contact the Data Protection Officer at UniCredit SpA, Data Protection Office, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan; E-mail:; PEC:

2. Purpose and legal basis of the processing

UniCredit S.p.A. has made available in its Application for Authorized Mobile Devices, which can be downloaded through the appropriate On-Line Stores (By way of example: App Store iOS and Google Play Android), the IP Refueling Service, which provides the possibility to make payments at the service stations Affiliated by API Group.

This Service provides the possibility to carry out the refueling process by concluding the payment directly from UniCredit's Mobile Banking App.

Specifically, for the service in question, UniCredit's Mobile App can access the Geolocation functionality of the Mobile Device on which UniCredit's Application is installed for the sole purpose of:

  1. verify that the Customer's location coincides with the location of the Agreed Service Stations;
  2. enable the Customer to locate the Service Station closest to him to refuel.

UniCredit, therefore, uses the Geolocation Data of the Customers' Mobile Devices only for the purpose of locating the Service Station closest to the location of the Customer's Mobile Device and verifying that the device is actually within 30 meters of the station itself.

Geolocation Data will not, however, be stored or historicized or processed for any other and/or different purposes than those stated above.

The legal basis for the processing is the consent given by the Customer pursuant to and in accordance with Article 6 letter "a" of Regulation (EU) 2016/679 ("GDPR"), by selecting "I AGREE" in the specific function provided in the UniCredit Application.

The User is free to decide whether to enable both the Geolocation function of his/her Mobile Device, and whether to give his/her Consent for the use of the "IP Refresh" function based on such Geolocation.

The User may revoke the aforementioned consent at any time either by using the function of the Mobile Device's Operating System, or by using the specific function made available for this purpose in the UniCredit Application (Communication Hub Section > Settings > Geolocation Services).

In the event of lack of consent, the "IP Replenishment" Service will not be usable by the Customer.

The processing is carried out by means of computer and telematic tools with logics strictly related to the aforementioned purpose and, in any case, in such a way as to guarantee the security of the Geolocation data by also applying suitable encryption techniques aimed at guaranteeing confidentiality and making "pseudoanonymized" the data processed both at the premises of the Data Controller and externally by the persons appointed as Data Processors pursuant to Art. 28 GDPR. 

3. Categories of personal data processed 

UniCredit collects GPS Geolocation coordinates only from Mobile Devices on which UniCredit's Mobile Application is installed and on which both the Geolocation function is enabled at the Operating System level of the Device (By way of example: function available in iOS or Android) and the Consent to Processing is given in the appropriate function of the Application itself.

The data related to the GPS Geolocation coordinates used to provide in the Customer's Mobile Device the location of the Affiliated Merchants closest to him/her, will in any case neither be saved nor historicized and nor processed for other and/or different purposes than those mentioned above.

4. Recipients or categories of recipients of personal data 

In order to provide the "IP Replenishment" functionality, UniCredit makes use of an IT Platform made available by the Partner Gruppo Api, with its sole office in Via Salaria, 1322 - 00138 Rome, which acts as Data Processor pursuant to Article 28 GDPR.

In addition, in order to provide such functionality of the IP Replenishment Service, UniCredit makes use of other Companies appointed as Data Processors pursuant to the aforementioned art. 28 GDPR, whose updated list is available at the following link:

List of external data processor – italian version

List of external data processor – english version

5. Rights of the data subjects

Regulation (EU) 2016/679 ("GDPR") grants Individuals, Sole Proprietorships and/or Freelancers (the "Data Subjects") specific rights, including the right to know what personal data UniCredit holds about them and how they are used (Right of Access), to obtain their updating, rectification or, if there is interest, integration, as well as their deletion, transformation into anonymous form or restriction.

The User may exercise his or her rights and revoke his or her consent to the processing of his or her personal data related to geolocation in the IP Replenishment service at any time by using the specific functions made available in the UniCredit Mobile Application.

5.1 Period of data storage and right to erasure (i.e. right to be forgotten)

UniCredit will not retain any personal data of the Data Subject related to or referable to the Geolocation function "PIN Replenishment". UniCredit will retain for a short period of time only the data made pesudoanonymized through the application of suitable irreversible encryption mechanisms, aimed at verifying the proper functioning of the IP Replenishment Service, and in any case no longer than three months. 

6. Methods of exercising rights

Each Data Subject to exercise the rights referred to in paragraph 5 and 5.1 may contact: UniCredit S.p.A., Claims, Via Del Lavoro n. 42, 40127 Bologna (BO), Tel. +39 051.6407285, Fax +39 051.6407229, E-mail address:

The deadline for the reply is one (1) month, which may be extended by two (2) months in particularly complex cases; in these cases, the Bank will provide at least one interim communication within one (1) month.

The exercise of the rights is, in principle, free of charge; the Bank reserves the right to charge a fee in the event of manifestly unfounded or excessive requests (including repetitive ones).

The Bank has the right to request information necessary for the identification of the applicant.

7. Complaint or report to the personal data protection authority 

The Bank informs you that you have the right to file a complaint or a report to the Personal Data Protection Authority or alternatively to appeal to the Judicial Authority. The contacts of the Personal Data Protection Authority are available on the website