Caret Up Icon Back to top button

Personal Data Protection


In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and the Council /Regulation/ in effect as of 25.05.2018 we provide you with information regarding the processing of personal data by UniCredit Bulbank AD.


Personal Data Protection

Data controller details

UniCredit Bulbank AD, UIC: 831919536, registered seat and management address: 1000 Sofia, Vazrazhdane District 7 Sveta Nedelya Sq. Vazrazhdane District, Sofia 1000, is a controller of personal data and processes your personal data lawfully, in good faith and in a transparent fashion.


Purposes for the processing of personal data

UniCredit Bulbank AD is a credit institution holding a banking license issued by the Bulgarian National Bank by virtue of Order No. RD22-2249/16.11.2009. In order to provide you with a quality service the Bank processes information that constitutes personal data for the following purposes:

  • Perform banking operations and manage its relations with the customers using its bank services. The Bank processes personal data when:
  1. It receives preliminary information necessary for entering into an agreement
  2. Performing banking consultation operations for its customers
  3. Performing operations for a specific banking operation or a transaction, economic movement and/or change in balance with an immediate or deferred enforcement
  4. Carrying out audits, evaluations of results and tendencies of bank relations as well as the risks related to them
  5. If it is necessary for disputes resolution before a competent body (court, arbitration court, conciliation commission, administrative bodies, etc.)
  • When the Bank acts as an investment intermediary it processes personal data in providing investment services or carrying out investment activities in accordance with the Law on Markets in Financial Instruments.
  • Creditworthiness assessment , including through profiling so that the bank can offer you a quality credit service. During profiling, information about financial indicators, consumer behavior and habits is analysed with the aim of offering a specific product and/or service.
  • Assessment the reliability and timeliness of payments when granting loans.
  • Promoting and selling products and services, including through preliminary profiling. During profiling information about preferences, habits, consumer choices is analysed in order to improve customer service quality and offer new products and services.
  • Customer satisfaction surveys conducted by the Bank and the companies within UniCredit Group with the purpose of marketing and market research. This is achieved through interviews, questionnaires and other information research channels.
  • Reporting, objections and complaints handling, carrying out checks and providing a feedback.
  • Selection of outsourcing service providers for the Bank. During the selection process for a provider information which constitutes personal data is processed in accordance with Regulation (EU) 2016/679 about personal data protection.
  • Administration of the Bank’s relations with outsourcing service providers. Personal data of the provider’s representative or of the provider itself is processed in negotiating and administrating agreements, in cases of court or tax investigations as well as in commercial and legal disputes.
  • Administrationt of anti-fraud activities. The bank process personal data when it carries out activities related to fraud prevention, discovery, investigation and management.
  • Provision of security services for areas and facilities and ensure access control. Process information constituting personal data obtained from surveillance systems; while carrying out bank operations at cash desks and offices as well as while managing and controlling visitor flows at entrances and exits, protected by an electronic control systems.
  • Data protection, information, application, system and network security.
  • Observance of legal obligations for application of measures against money laundering and terrorism financing.

Grounds for Personal Data Processing

UniCredit Bulbank AD processes your personal data pursuant to art. 6, letter “b” of  Regulation (EU) 2016/679 when “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”; In the cases when you take steps to enter into an agreement with UniCredit Bulbank AD and/or sign an agreement with UniCredit Bulbank AD it is necessary to give information which constitutes personal data so that the Bank can take the necessary steps to provide you with the product or service that you would like to receive as part of the agreement. If you do not provide your personal data, it would be impossible for the controller to provide you with the requested services, taking steps before entering into an agreement.

Your personal data is processed pursuant to art. 6, letter “f” of  Regulation (EU) 2016/679 for the purposes of the legitimate interests of UniCredit Bulbank AD in cases where the following is performed:

  • Anti-fraud actions
  • Security and access control
  • Audio and video surveillance, audio and video recording for the purposes of security, access control, anti-fraud actions, documenting communication
  • Upon providing data to third parties: When the legal or contractual obligations of the controller are fulfilled or on the basis of any other valid legal grounds
  • To entities related to the Bank, to the companies within UniCredit Group for the purposes of following and implementing group policies, reporting, audit activities, credit risk evaluation
  • Assessment and improvement of the customer service provided by Unicredit Bulbank AD and the companies within UniCredit Group as well as for the purposes of marketing and market research and analysis

When the processing of your personal data for specific purposes is based on the legitimate interests of UniCredit Bulbank AD, including profiling, you can object to processing for specific purposes at any time.

Categories of personal data recipients

In accordance with the requirements of  Regulation (EU) 2016/679 UniCredit Bulbank AD has the right to disclose personal data which it processes to the following categories of recipients:

  • Public bodies, institutions and establishments, auditors that exercise supervisory control over the activity of the Bank or over the compliance with a law applicable to the bank or the data subjects. Those can be, for instance, the BNB, FSC, CPDP, NRA, SANS, MoI, the court, the prosecutor’s office, etc.; Personal data can be provided with the purpose of receiving preliminary information necessary for entering into an agreement and/or its performance.
  • Third parties, individuals, legal entities, public authorities, institutions, establishments, upon fulfillment of legal or contractual obligations or other valid legal grounds.
  • Subcontractors of the Bank, in their capacity as processors. Processors carry out processing in accordance with an agreement entered into with the Bank or another legal act in accordance with the controller. The Bank utilizes only those  processors which provide sufficient guarantees for the implementation of appropriate technical and organizational measures in compliance with Regulation (EU) 2016/679.
  • Entities related to the Bank, including the companies within UniCredit Group, when personal data is processed for the purposes of the legitimate interests of UniCredit Bulbank AD; upon implementation of group policies; to improve customer service quality within the companies of UniCredit Group.
  • For making inquiries and receiving information from state authorities, institutions, establishments and registers (for example the National Social Security Institute, Central Credit Register, Civil Registration and Administrative Service, Experian Bulgaria EAD, etc.) in order to evaluate your creditworthiness or for the purpose of receiving other types of preliminary information necessary for entering into an agreement at the request of the individual.
  • Upon entering into agreements by virtue of which the Bank transfers (assigns) its receivables under loan agreements to third parties in accordance with the requirements of effective legislation in the country.
  • Partners providing credit, investment and insurance intermediation and other services in cooperation with UniCredit Bulbank AD, only for the customers of the Bank who use these services.


Transfer of personal data to a third country or an international organization

Usually, UniCredit Bulbank AD does not transfer personal data to third countries or international organizations. If, however, this is necessary, the provisions under the General Data Protection Regulation shall be observed. Such transfer shall be done, for instance when it is required for the conclusion and execution of an agreement between you and the Bank. One such instance is when you need to do a money transfer abroad.  You can use the phone numbers or the contact form of the Bank (those are available on our website) to obtain information about the applicable safeguards  for personal data protection and the conditions of the transfer.

Retention Periods

UniCredit Bulbank AD processes personal data in accordance with the deadlines stipulated in the effective legislation in the country and by regulatory supervisory authorities. After the expiry of legal/regulatory periods, UniCredit Bulbank AD will erase your personal data. Personal data with regard to which there is no explicit legislative/supervisory obligation to be kept shall be erased after the purpose for which it was collected and processed has been achieved.

Automated decision-making

For certain categories of credit products (for instance, those with a pre-approved limit), you may be subject to an automated decision making process, which includes profiling while assessing your creditworthiness. This type of decision making is necessary in order to conclude the agreement. Various checks are carried out in databases of the Bank and the country’s official registers, which lead to decision based on pre-set criteria. You may receive an offer for such type of product if you have given your consent for processing of your data for the purposes of direct marketing. It is entirely up to you to decide whether to accept the offer or not.

Exercising rights under Regulation (EU) 2016/679

In addition to the provided information UniCredit Bulbank AD provides the following information regarding your rights as personal data subjects which you can exercise in compliance with the provisions of Regulation (EU) 2016/679:

The right to demand access from the controller to your personal data pursuant to art.15 of the Regulation.

The right to request from the controller rectification of your personal data pursuant to art.16 of the Regulation.

The right to request erasure of your personal data (‘right to be forgotten’) pursuant to art.17 of the Regulation in cases where:

  • There are no legal or contractual grounds for such processing
  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
  • The data subject withdraws his/her explicit consent in cases where personal data is processed only on the grounds that the data subject has given his/her explicit consent
  • In other cases stipulated in Regulation (EU) 2016/679


The right to obtain restriction of processing pursuant to art. 18 of the Regulation.

The right to object to the processing of personal data pursuant to art. 21 of the Regulation where processing is based on legitimate interests, including profiling or where data is processed for the purposes of direct marketing which includes profiling.

The right to portability of personal data concerning you which you have provided to the controller under the provisions of art. 20 of the Regulation.

The right to lodge a complaint with the Commission for Personal Data Protection.

UniCredit Bulbank AD provides you with an opportunity to exercise your rights under the Regulation in a clear and accessible way. For your convenience we provide you with a sample Request for Exercising Rights under Regulation (EU) 2016/679.

In case you would like to submit your request/application to UniCredit Bulbank AD in free wording, it is necessary to give specific mandatory details in your request/application so that you can be identified in a timely and due fashion. With the purpose of your timely and due identification and in order to prevent any unlawful use of your personal data available in requests submitted by third parties acting in bad faith, we recommend that you use a specific set of details when submitting your request to UniCredit Bulbank AD:

  • Your full name.
  • Your Personal Number or Foreigner's Personal Number.
  • Date and place of birth (if you are not a citizen of the Republic of Bulgaria).
  • The number of your ID card, date of issue, issuing body, expiry date.
  • Permanent address/mailing address if different from the permanent address.
  • Email address if you want to receive a response on your email address.
  • Phone number if you would like us to contact you.
  • In what capacity want to exercise your rights under Regulation (EU) 2016/679, for example, a customer/former customer; provider; employee/former employee; legal representative/beneficiary owner/proxy/ legal entity related to the company, BULSTAT/ UIC/ foreign reg. number; in another capacity: person who has made a deposit at a cash desk; person who has withdrawn funds from a cash desk; mortgagor, co-debtor; pledgor, etc.
  • Description of the request/application sent to the controller.
  • Preferred method of receiving a response from the controller: at the email address specified in your request; at a mailing address; at a bank branch/center convenient for you.

If the details are not complete and/or false, we may be unable to satisfy part of/the whole of your request.

We are constantly striving to improve the way we service our customers. In this respect, with the purpose of greater transparency and awareness we provide you with the following options for submitting a request under Regulation (EU) 2016/679:

  • At a branch/center of UniCredit Bulbank AD which is convenient for you.
  • Electronically by sending e-mail and letter signed in accordance with the Electronic Document and Electronic Certification Act to DbmmDfousfAVojDsfejuHspvq/Ch

When you submit your request we recommend that you specify the means thereby you would like to receive the response to your request:

  • At a branch/center of UniCredit Bulbank AD which is convenient for you. We hereby inform you that in case you have declared that you will exercise your rights under art.15 and/or art. 20 of Regulation (EU) 2016/679, UniCredit Bulbank AD can provide you with personal data only at a branch/center of UniCredit Bulbank AD which is convenient for you.
  • Electronically: by e-mail.
  • At your permanent address or at the specified mailing address.

In case of any dispute or disagreement concerning the processing of your personal data, please, contact the Commission for Personal Data Protection which is the country’s effective supervisory authority responsible for any matters relating to personal data.

Data Protection Officer

The Data Protection Officer of UniCredit Bulbank AD is Mr. A. Todorov. Contact details:



7, Sveta Nedelya Sq., 1000, Sofia, Bulgaria

Contact form


Send inquiry


Frequently asked questions for natural persons

Because the Bank is obliged to perform this operation by law. The anti-money laundering and anti-terrorism financing legislation obliges all banks to make a copy of the identity document of their customers.

Because the Bank is obliged by law to authenticate the identity documents of its current and potential customers. UniCredit Bulbank uses technical means for this purpose, which provides a swift service and ensures an adequate level of protection from potential fraudulent activity. There are information boards in all branches which notify customers about the use of technical means in the authentication procedures.

You can submit a request any time you want. Every request which has been submitted in accordance with the applicable procedure will be reviewed and will receive an answer within the deadline set by law.

Despite this please bear in mind that the Bank is obliged by law to keep your personal data for a definite retention period after the termination of the relationship. Your data can’t be erased during the retention period.

Information for corporate clients

UniCredit Bulbank is one of the leading banks in the country and as a leader we always try to offer our customers quality service, full transparency and mutually beneficial partnership. Adherence to applicable law, including the General Data Protection Regulation (GDPR), is a top priority for UniCredit Bulbank.

With regard to the contractual relationship with our corporate customers, in light of the GDPR requirements, our in-house analysis shows that in delivering banking services the Bank acts as a data controller. That is why, in order to avoid formal breach and to fulfill our legal obligations, we don’t sign contracts with our corporate customers in which the Bank is defined as data processor. 

With the aim of enhancing the trust in the relationship between UniCredit Bulbank and our corporate customers, we addressed the competent Supervisory Authority (the Commission for Personal Data Protection) with request for opinion on the controller/processor issue. The official opinion issued by the Supervisory Authority stated categorically that when delivering banking services (account opening and maintenance, handling financial transactions, deposit-taking, issuing bank guarantees etc.) banks act as data controllers. The opinion emphasizes on the fact that “the delivery of services which normally lead to exchange of personal data between the customer and the service provider doesn’t automatically mean that relationship between the two parties can be defined as a controller – processor one under the GDPR’’. In a nutshell when performing their core activity banks always act as data controllers.

For the users of the service Payments by phone number in Bulbank Mobile

BULBANK MOBILE requires Read Contacts permission to use Phone Payments functionality. If CUSTOMER grants the permission application can read and display Contacts. In Payment process the chosen Phone Number from Contacts is used for the Payment. Phone Payments functionality cannot be used without Read Contacts permission.