6. Consumers and end-users (ESRS S4)

6.1 Material impacts, risks and opportunities and their interaction with strategy and business model (ESRS 2 SBM-3)

As a core business activity, the provision of insurance benefits may result in certain impacts, particularly on customers.

UNIQA is committed to the ten principles of the UN Global Compact, which include respect for human rights. In relation to customers, this commitment is reflected on the one hand in compliance with minimum social standards in UNIQA’s corporate business (see “Workers in the value chain (ESRS S2)”). On the other hand, the ESG strategies for the retail business (ESG Retail Strategy for Austria and ESG Customer Strategy for the international retail business) described in the following and the corresponding processes and actions ensure human rights are upheld in transactions with retail customers. Along with topics such as equal treatment and anti-discrimination, matters such as the right to data protection, the right to freedom of expression and information, the right to access essential services and the right to a fair trial with respect to the responsible handling of complaints are also relevant. No human rights violations in relation to consumers and end-users were reported for the financial year. As the various strategies (retail business, data protection and cybersecurity) have a pronounced customer-centric approach, positive or negative impacts on consumers and/or end-users are considered in the business strategies and processes.

6.1.1 Retail business

Insurance products offered by UNIQA are aligned to the greatest possible extent with customer requirements. As a result, the extent of insurance coverage varies from policy to policy. In certain cases, a violation of legal disclosure requirements in relation to the conclusion of insurance products or insurance-based investment products as well as incorrectly assessing customer requirements can lead to erroneous and unfavourable decisions on behalf of customers. The provision of incorrect advice represents a legal risk as it may result in insurance claims being asserted by the affected customers.

Negative impacts on customers can also occur in individual cases where certain groups of people do not have access to customised insurance products or insurance-based investment products and are therefore denied necessary insurance or financial coverage. Conducted in close cooperation with the specialist departments on the basis of internal knowledge and technical expertise, the materiality assessment identified the relevant disadvantaged groups. Negative impacts concern people who may not be able to afford insurance coverage due to their financial situation and other groups. Potential barriers to access posed by the (complex) language used in policies could also exclude migrants, people with mental illness and the elderly, while people with physical disabilities or pre-existing medical conditions are occasionally excluded from insurance products, such as health insurance.

Significant positive impacts are being made in the context of the sustainability topic of customers’ (financial) health. The provision of appropriate, needs-based products and services promotes and improves customer health. In addition, UNIQA helps to mitigate the societal challenges related to the stability of pension systems with its long-term pension and life insurance products.

6.1.2 Data protection

As an insurance company, UNIQA processes a large volume of data due to the nature of the business. Accordingly, data protection and all associated processes play a particularly important role at UNIQA. Failing to roll out internal processes and infrastructure for data protection and information security can result in the risk of data subjects’ rights being adversely affected, especially if data becomes accessible to third parties – something that can negatively impact both employees and customers. For UNIQA, data breaches can result in a financial risk in the form of fines.

6.1.3 Cybersecurity

A lack of internal processes and adequate cybersecurity infrastructure could potentially result in a loss of customer data, which can negatively impact customers. In response, the digitalisation of business processes is guaranteed through comprehensive measures to minimise cyber risks and increase cybersecurity.

6.2 Policies related to consumers and end-users (S4-1)

6.2.1 Retail business

In 2024, UNIQA developed an ESG Retail Strategy for its main market, Austria, which takes the outlined impacts and risks into account. Responsibility for the ESG Retail Strategy lies with the Customer & Market Austria Management Board function. This was followed in the financial year by the launch of an ESG Customer Strategy for the international markets. Responsibility for the strategy and its implementation lies with the respective companies, which have been granted access to the strategy developed based on international and cross-divisional cooperation as part of its Group-wide roll-out.

In the Group Product Development Process Policy, which also falls under the responsibility of the Customer & Market International Management Board function, the target market for each insurance product on the market is defined in accordance with the legal requirements. A description of the suitable customer group is also provided in the policy to permit targeted product sales. The target market definitions are based on certain criteria, including the customer category (consumer, business operator), shared characteristics, desires, objectives and needs, including the consideration of sustainability objectives. For insurance-based investment products, specific criteria such as risk and loss-bearing capacity are also considered. The target market is defined and approved by a dedicated committee established for this purpose as part of the product development process.

Diversity and inclusion are also important elements of the ESG Retail Strategy and the ESG Customer Strategy. Special attention is given to increasing the accessibility of products. Individual solutions are developed and offered as required to include socially disadvantaged groups and reduce social inequality.

The scope of both the ESG Retail Strategy in Austria and the international ESG Customer Strategy is clearly defined. Both policies focus on the product development process in the property insurance, liability, accident and motor vehicle business lines and include customers affected by the impacts and risks identified for these areas. With the establishment of mandatory, clear guidelines for the product development process throughout the Group, the scope of the Group Product Development Process Policy has also been clearly defined.

6.2.2 Data protection

The protection of personal data – a fundamental right that concerns the privacy of customers and employees alike – is a matter of particular importance to UNIQA. Considering this, processes and guidelines have been established to ensure that the requirements of employees and customers are met. Related measures are exclusively taken in compliance with national and international frameworks and regulations. A separate dialogue is not maintained with customers in this regard.

The Group-wide Data Protection Management Policy sets out the core functions of the data protection management system. This and other data protection guidelines set out rules, among other things, for ensuring appropriate technical and organisational measures, for guaranteeing data security, and for storing and deleting personal data. In addition, the guidelines stipulate that binding data protection agreements must be concluded with external service providers to ensure a degree of protection that is compatible with the degree required by UNIQA. Furthermore, the principles of purpose limitation and the lawfulness of the processing, transfer and disclosure of personal data are set forth.

These guidelines also govern the exercise of rights by data subjects, such as the obligation to provide the data subject with information on and access to their personal data and to implement the rectification and deletion of data by the required deadlines. Corresponding regulations and governance documents are continually refined and revised as part of an ongoing improvement process.

A separate Data Protection Management Standard governs the allocations of tasks, including the assignment of specific data protection tasks and responsibilities to different organisational units. External service providers that process the personal data of customers or employees are also required to sign data protection agreements to ensure data security.

Internal and external audits are carried out on a regular basis to ensure compliance with data protection requirements and guidelines. The Group Data Protection function performs audits to assess the compliance and effectiveness of data protection in Group companies, including assessments of external service providers. Individual processes in Austria were also audited in the financial year as part of an official audit by the data protection authority. The audit was completed without any conditions or recommendations being made.

Clear rules lay down the responsibilities in relation to data protection for individual business processes within the various functional areas. In principle, the division of responsibilities follows the three lines of defence principle. The management of each Group company is responsible for compliance with all data protection requirements and receives assistance from the local data protection organisation, which includes the respective data protection officers and data protection coordinators. The Group-wide requirements as well as the plans and tools required for their implementation are defined by the Group Data Protection Officer, who also monitors compliance with all requirements. The data protection officers at the individual Group companies continuously monitor data protection processes and measures. This procedure applies to both internal processes and processes related to corporate customers.

A variety of regulations govern the structure of business processes and the handling of personal data, including the EU General Data Protection Regulation (GDPR), the EU Regulation on Artificial Intelligence (AI Regulation) and the UN Global Compact. The criteria outlined in these frameworks provide the basis for regulating the handling of personal data in business processes. The latest interpretations and rulings of European and national courts as well as the guiding principles and regulations of the European and national supervisory authorities are also considered.

6.2.3 Cybersecurity

The UNIQA Security & Resilience Plan contains a clear commitment to improving security systems across the Group on an ongoing basis. This approach not only ensures a timely response in the event of an emergency, but it also helps to build trust among customers and promotes the development of innovative and secure digital solutions. It safeguards sensitive personal information, such as health and financial data, against cyber-attacks and ensures that digital services, including health apps and online insurance services, can be securely used. The UNIQA Group Cybersecurity Strategy was developed and implemented across the Group for this purpose. Responsibility for this strategy lies with the Management Board member responsible for Operations, Data & IT.

The strategy is based on several pillars, which include proactive measures to prevent and protect against cyber-attacks. To ensure business continuity, a comprehensive crisis management framework that covers strategic communication as well as structured decision-making has also been established.

6.3 Processes for engaging with consumers and end-users about impacts (S4-2) and processes to remediate negative impacts and channels for consumers and end-users to raise concerns (S4-3)

6.3.1 Retail business

Customers can express their opinions and provide feedback in a variety of ways. Several different approaches have been established for incorporating customers’ views into decision-making processes and measuring their satisfaction on an ongoing basis. A number of processes have been put in place to review the effectiveness of these approaches and to reduce any resulting negative impacts. Customers are informed about the available feedback mechanisms and channels through regular e-mail invitations to participate in surveys, which they will receive if they have opted in to marketing, or through prompts to submit feedback on their preferred channel. One of these prompts includes the submission of the standard survey based on five-star ratings, which can be supplemented by free text fields. These free-text comments are analysed using AI technologies to identify topical clusters and simplify the subsequent analysis. Such surveys are carried out automatically throughout the entire customer journey, but especially after new contracts are signed, after claims for damages or entitlements have been paid out or rejected, or after individual contact at a UNIQA location or with customer service. Using a scale of 1–5, with 1 being “not sufficient” and 5 being “very good”, customers can indicate whether they are willing to participate in an individual telephone interview. Findings from the customer feedback obtained are then incorporated into product development. The customer complaints process is governed by a Complaints Management Policy. The policy ensures that virtually every time a customer interacts with UNIQA, they are given ample opportunity to provide feedback and gain additional trust. In general, great importance is attached to careful handling of feedback received. Aside from these structured feedback avenues, detailed interviews with customers who have volunteered to participate are conducted on a regular basis to gain comprehensive insights on a wider scale.

UNIQA Österreich Versicherungen AG and its service providers, which are in contact with end customers, conduct ongoing customer centricity index (CCI) surveys. Following an interaction with a customer at any stage of the customer journey, surveys are regularly used to assess customer satisfaction with the specific processes they are currently involved in. The rating is based on a five-star scale. Accordingly, the CCI serves as an operational analytical tool that makes customer centricity in Austria measurable and comparable. In addition, the point-in-time relational net promoter score (a one-off survey on customers’ general willingness to recommend UNIQA) was also compiled for the first time in 2025 to gain an overall picture of UNIQA customers’ willingness to recommend the company. It focused on the question of how likely the customer is to recommend UNIQA on a scale of 0 to 10. In the future, this relational net promoter score survey will be emailed once a year to all customers that have consented to marketing, regardless of whether they have recently interacted with UNIQA. UNIQA also compiles an ongoing transactional net promoter score (recommended following a specific incident) in Austria as part of the CCI surveys.

In 2025, the CCI score in Austria was 4.72 (2024: 4.61) calculated on the basis of 333,985 (2024: 258,666) feedback responses. The insights gained are used to develop actions as part of a customer-driven continuous improvement process which are implemented in a structured manner.

Harmonised C-SAT

Harmonised C-SAT stands for harmonised customer satisfaction and refers to the internationally calculated score for measuring customer satisfaction based on a five-star scale. A standard set of questions is sent to all customers who have consented to marketing at various points of contact with UNIQA along the customer journey in the form of a survey. Only the satisfaction of end customers is assessed. The questions are coordinated Group-wide once a year and modified as necessary. The Harmonised C-SAT is compiled for all UNIQA insurance companies and their service providers. The relational net promoter score as of the reporting date is also included in the Harmonised C-SAT score. The Harmonised C-SAT score serves as the basis for achieving the Group’s goal of becoming the best service provider. This concept serves as a key metric for managing customer centricity. As a result, the customer satisfaction rating is consistent and comparable.

The metric is composed of the number of feedback responses and the score. By 2028, UNIQA aims to achieve an average rating of at least 4.5 stars. In the financial year, the number of feedback responses was 1,170,153 (2024: 1,194,905) and the Group-wide score was 4.61 (2024: 4.58). The target has therefore already been achieved.

Market research

Market research also plays an important role in product development processes, regardless of whether they involve changes to existing products or designing new products. Customer segmentation is similarly based on the continuous evaluation of market research data. Information is generally collected anonymously and does not follow a specified timetable. Market research on sustainability issues regarding health insurance, motor vehicle insurance and household insurance products was carried out in the financial year. In addition to the insights gained from these findings, the results of the customer surveys are incorporated into the product development process. The Product Experience department is responsible for implementing the findings, while responsibility for engaging with customers lies with the Management Board members for the Customer & Market Austria and Customer & Market International departments.

6.3.2 Data protection

Data subject rights under data protection legislation constitute core elements of the GDPR and permit data subjects to maintain control over their data. Corresponding processes have been defined and introduced to ensure data subjects’ rights are reliably upheld and observed for the duration of the statutory retention periods. One of the most important measures was the creation of a single point of contact with a dedicated e-mail address to which enquiries regarding data subject rights in relation to data protection can be sent. All customers are informed about this central point of contact in the privacy notices they receive at the time their data is collected for each data processing operation. Depending on the type of data processing and the form in which they communicate, customers may receive these privacy notices in paper form, in the app, through various other electronic channels, or on the website. The central point of contact ensures that all incoming enquiries are documented, efficiently processed and reliably handled by the legally prescribed deadlines. If the enquiries received reveal systematic shortcomings in the operating processes or in the data protection concept, measures are developed and implemented, and the Data Protection Management Policy is updated. An electronic complaints management system that complies with data protection legislation has been set up to ensure standardised handling of customer concerns, requests and complaints along with demands made under data protection legislation. Customers can report potential compliance or legal violations through various channels (including anonymous channels). The Compliance team, which can be contacted by e-mail, post or in person, and the UNIQA Whistleblowing Platform are available for this purpose (see also “Business conduct (ESRS G1)”). Information on the complaints management system can also be found on the UNIQA website.

To ensure comprehensive follow-up and transparent processing in the event of data breaches, enquiries regarding data subject rights are recorded and documented by the data protection team. Every case is carefully evaluated and the potential impacts on existing processes are analysed. In accordance with the GDPR, risks affecting the rights and freedoms of natural persons are reported in due time to the data protection authority and, where applicable, to the affected customers and employees. At the same time, measures are being taken to eliminate the risk and prevent future incidents. The measures taken include, in particular, technical and organisational measures derived from the specific case. With this remedial approach, it can be ensured that the measures are effective and adhered to in the long term. Regular reports and expert panels provide information to all top management levels and to experts (Management Board, Supervisory Board, management, data protection coordinators) on specific data protection incidents and action taken. Raising awareness of the measures taken and exchanges with the specialist departments also help to ensure the effectiveness of the measures. The management of each individual Group company is responsible for compliance with data protection regulations. The data protection organisation provides the support required in the form of processes and resources to ensure that data protection is properly implemented.

Customers and employees receive comprehensive and transparent information on the processing of their data and have the right to obtain information about their data stored by UNIQA and to request the rectification or erasure thereof at any time.

6.3.3 Cybersecurity

Customer requirements in terms of data protection are met through a combination of seamless compliance and ongoing improvements to protective measures. Due to the complexity of the topic, an active dialogue is not maintained with customers on the subject of cybersecurity. The alignment of the cybersecurity policy with legal and regulatory requirements such as the GDPR or the European Union’s Digital Operational Resilience Act (DORA) ensures that stakeholders are afforded comprehensive protection. For example, the EU’s DORA requirements were introduced in the financial year, which, together with the implementation of ICT third-party security risk management and measures for managing security risks, will contribute to ensuring uniform standards and meeting third-party security requirements. The Management Board and the Supervisory Board regularly receive formal reports on cybersecurity risks and incidents. UNIQA regularly conducts external and internal digital resilience tests to ensure that critical or important functions have the required level of security and resilience. Please refer to the section below for more information on the transparency and processing of customer data, including with respect to the development and implementation of remedial actions.

6.4 Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions (S4-4)

6.4.1 Retail business

A key focus of the ESG Retail Strategy is on promoting comprehensive sustainability awareness among advisors both in Austria and internationally. The aim behind this is to expand their expertise on the topic of sustainability and ensure that they are able to incorporate this knowledge into their conversations with customers in a targeted manner. In Austria, the ESG Product Check, which incorporates environmental criteria as well as social criteria such as promoting equal opportunity and inclusion (for more information, see the disclosures in the section “Climate change in the retail business”), is an integral part of the product development process. Dedicated training on the ESG Guideline and ESG Product Check also helps product managers integrate ESG aspects directly into product developments.

Various IT tools for the advisory process in Austria have been implemented to ensure that advisors receive ESG-related support when documenting the requests and requirements of their customers during consultations.

To address the social aspects of the ESG Retail Strategy, work is also taking place to improve the accessibility of products.

In Austria, for example, the online customer service segment was expanded further in the financial year. A team set up for this purpose handles consultation appointments that customers can independently book on the website. As a result, consultations are available from any location. Customers can also choose from several different languages. Furthermore, a simplified risk assessment for outpatient health insurance was introduced in the financial year. The new product structure makes it possible for customers to start off with more limited insurance cover with lower requirements. However, they will be able to comprehensively extend their coverage at a later date. This significantly simplifies and broadens access to suitable insurance products for different customers.

A comprehensive process has been established to regularly assess all products on the market. As a result, targeted checks can be conducted to determine whether products are being sold successfully in the defined target market or whether new framework conditions have necessitated product updates. These criteria are reviewed based on the evaluation of any customer complaints received, a survey conducted among sales employees on the target market definitions and an analysis of key actuarial metrics. For life insurance products, a quantitative and qualitative product assessment is also carried out to ensure that the products in question continue to add value for customers. In addition, regular information exchanges take place with various advocacy groups.

UNIQA implements region-specific actions to promote health and improve access to healthcare and insurance benefits among customers. In Austria, the focus is on health promotion and prevention. This includes, in particular, digital health information, medical hotlines, coaching programmes and new outpatient product components. In Poland, access to health and insurance benefit services will be improved through the expansion of telemedicine services as well as automated processes to speed up the processing of claims. In Ukraine, telemedicine services help ensure access to medical care and enable rapid medical assistance.

Accordingly, in other markets in which UNIQA operates, specific plans and measures are being developed to reduce negative impacts for customers and to improve access to products. In addition, various new training formats were developed and rolled out in 2025, including sustainability training for sales employees in Slovakia, Czechia, Hungary and other countries.

6.4.2 Data protection

Comprehensive risk management in compliance with data protection legislation ensures that potential data protection risks are identified at an early stage through risk analyses to permit targeted action to be taken to minimise risk. At UNIQA, data protection is integrated into various management systems, in terms of both operations and strategy. The data protection management system (DPMS) is closely linked to the risk management system and the compliance management system.

One key component of the data protection management system is the provision of comprehensive advice on data protection legislation by the Data Protection department. All employees across the Group can access this advice. Consulting with the Data Protection department is also mandatory for new initiatives and projects related to data protection as part of a standardised process. This procedure ensures that business practices comply with regulatory requirements and do not result in any negative privacy-related impacts for data subjects. The data protection management system also involves a continuous improvement process that culminates in a regular review of data protection regulations and the Data Protection Guideline. Equally, in its capacity as the second line of defence, the Data Protection department reviews the management of data privacy incidents on a selective basis and determines whether this is effective and working in the interests of data subjects regarding content, timing and actions taken. In addition, remedial action may be taken on the basis of case-by-case assessments in the event of data breaches. Corresponding actions may include the deletion of data, the blocking of devices, password changes and training specific to certain target groups. When UNIQA takes these actions, the affected customers are informed accordingly if their active participation is required. Preventive measures such as implementing technical and organisational precautions, establishing privacy by design and privacy by default principles, authorisation policies, contingency plans, and regular privacy and security reviews also help to prevent data breaches.

Regular training on the fundamental aspects of data protection and how to handle personal data ensures that all employees are kept up to date on the latest data protection requirements and know how to implement them in their daily work. This reduces the risk of data breaches and increases overall data security within the company. Data protection training is mandatory for all employees and takes place every two years as well as during the onboarding process. Various guidance documents were created in the financial year for the individual specialist departments to provide assistance with the implementation of data protection. These include, for example, instructions on how to handle marketing consents with data protection regulations, tools to help identify and document legitimate interests as well as tools for automated decision-making, and quick guides on how to work with service providers outside the European Economic Area in compliance with data protection regulations. Furthermore, during the financial year, data protection aspects relating to the use of artificial intelligence (AI) in the consulting process were also implemented more effectively and comprehensively. In addition, an expanded process for reviewing and monitoring service providers used by UNIQA was introduced to enable their compliance with data protection legislation to likewise be assessed.

Moreover, a Group-wide platform was established which allows all data protection experts from the Group companies to engage in structured exchanges, network and coordinate on important regulatory issues.

In the financial year, the focus for the implementation of additional measures was on the necessary updates to the data protection management system in order to meet the regulatory requirements on AI and to ensure that the data protection and data security principles are guaranteed when using innovative technologies. UNIQA’s task is to develop and implement specific measures to achieve the set targets. Continuous monitoring of progress and adjustments of the action plan as necessary will contribute significantly to achieving the set targets.

6.4.3 Cybersecurity

For more information on how potential negative impacts for customers that could arise as a result of a cyber incident are handled and related remedial actions, please refer to the procedure outlined in the section above. Related measures include regular security updates, threat assessments, security policies and the use of state-of-the-art technologies such as firewalls, intrusion detection systems and encryption. Sophisticated tools are used to identify and monitor unusual activity and threats early on. Employees receive training on cybersecurity each year and during their onboarding. They also participate in awareness programmes that help to raise awareness of the associated risks. These programmes are updated to cover the latest threats and types of attacks and – depending on the target group – include both theoretical knowledge and practical exercises such as crisis simulations.

The Cybersecurity Action Plan, which is based on the Cybersecurity Strategy, entails a combination of technical, organisational and personnel measures. With regard to technical measures, the primary focus in the financial year was on further strengthening network security, automated threat identification, data backups and restoration plans. Organisational measures include the risk assessment, risk management and the incident response plan. Personnel measures encompass training and raising awareness, the recruitment of experts and specialists, and addressing the corporate culture, in particular general handling of the topic of cybersecurity.

A comprehensive resilience management system that combines several approaches to security and crisis management has been introduced to strengthen resilience to cyber threats. Business Continuity Management (BCM) ensures critical business processes continue uninterrupted based on defined plans and processes both during and after an incident.

IT Service Continuity Management (ITSCM) involves the establishment of disaster recovery plans and the regular review of IT risks. In the event of a security breach, an incident response team takes action to minimise the damage and ensure timely system recovery based on clearly defined processes for identifying, mitigating, remediating and analysing security breaches. The plans and measures for managing acute emergency scenarios that jeopardise business operations are enshrined in the emergency management approach along with the coordination of internal and external resources.

6.5 Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities (S4-5)

6.5.1 Retail business

The formulation of quantitative targets and the definition of metrics to help UNIQA manage and leverage the identified impacts, risks and opportunities remain in progress. The goal over the next few years is to establish a quantitative basis for all UNIQA markets. A corresponding monitoring process can only be set up in the course of establishing quantitative targets.

6.5.2 Data protection

To meet regulatory requirements arising in particular from the EU Digital Strategy, it will be necessary, among other things, to adopt a holistic approach to data protection and to further develop the Governance Framework for Data Governance. A data protection action plan sets annual targets for mitigating material risks related to the processing of personal data of employees and customers and for taking appropriate action. For 2026, these targets primarily relate to the measures and legal requirements listed above. Due to the complexity of the topic and the absence of specific targets, no further quantitative or time-sensitive targets can be stated in this regard.

6.5.3 Cybersecurity

In the future, UNIQA will continue to expand its cybersecurity strategy in compliance with regulatory requirements to strengthen and guarantee its cyber resilience. This will be achieved in particular through the implementation of the described measures. Due to the complexity of the topic and the absence of specific targets, no further quantitative or time-sensitive targets can be stated for cybersecurity.

Customer Centricity Index (CCI Index)
The CCI is an operational analysis tool that makes customer centricity measurable and comparable on the basis of customer surveys.
Duration
Duration refers to the weighted average term of an interest rate-sensitive investment or of a portfolio and is a measure of risk for the sensitivity of investments in the event of changes to interest rates.
Environmental, Social and Governance (ESG)
ESG stands for Environmental, Social and Governance and describes criteria that encourage companies to act sustainably and responsibly. Investors use these criteria to evaluate companies that take on environmental and social responsibility in addition to financial responsibility.
Harmonised C-SAT
The “Harmonised C-SAT” stands for harmonised customer satisfaction and is an internationally standardised indicator for measuring customer satisfaction based on a five-star scale.
Net Promoter Score
The Net Promoter Score is a value that indicates the overall willingness of UNIQA customers to recommend UNIQA.