1. Entity responsible for processing your Personal Information

2. Sources of Personal Information

3. Categories of Personal Information we collect and process

4. Purposes and Uses of Personal Information

5. Lawful Bases for Data Processing

6. Consequences of Not Providing Personal Information if required

7. Your Privacy and Data Protection Rights

8. Disclosures and Recipients of Personal Information

9. International Transfers of Personal Information

10. Storage and Retention (Archiving) of Personal Information

11. Security

12. Minors (children)

13. Supplemental Provisions

      (1)  Countries and Territories

      (2) Information for Digital Platforms

      (3) Citi Research 

Contact Information

1. ENTITY RESPONSIBLE FOR PROCESSING YOUR PERSONAL INFORMATION

The Citi legal entity that provides the accounts, products and services to Your Organization, acts as an independent business and is responsible for determining how your Personal Information is collected, the purposes the information is collected for, and how it will be processed. This is the Data Controller, also known as Data User under the laws of certain countries.

Citi Data Controllers

Please refer to the Country or Territory Supplement relevant to your services for a list of Data Controllers where these are provided. A global list of Citi branches and affiliate is available here.

Citi as Data Processors

In certain operations, Citi entities act as a Data Processors, that is to say as service providers or operators (and not as Data Controllers): for example, where processing international payments, when executing commercial payments and transactions on behalf of banks and merchants and other institutions, in transfer agency and payment agency agreements, and where we explicitly indicate that we are acting as service providers or data processors. This Privacy Notice does not apply to activities where we are processors, service providers or operators (the relevant privacy notice will be issued by the Data Controllers in those operations). If, when acting as a Data Processor we are also required to comply with a legal obligation, for example, conducting age verification, scrutinizing payment beneficiaries names for international sanctions, fraud, money laundering or combating terrorism financing, or for our internal compliance and transaction reporting, we will undertake these discrete activities in the capacity of a Data Controller.

2. SOURCES OF PERSONAL INFORMATION

INDIRECT: From Your Organization and other entities

Your Organization

We obtain information from Your Organization or third parties, such as financial institutions, government entities, credit reference agencies, recognised fraud data sharing mechanisms, both from domestic and international organizations, and from companies specialised in fraud detection and background checks.

To uphold the security, integrity and legality of our operations we obtain personal information from company or commercial registers, insolvency lists, and registers of persons that have been bankrupted or banned temporarily or permanently from holding directorships. Our contracted subscription services also review estimated wealth, court listings, court judgments, and press articles (mainly on allegations of corruption and other red flags) on senior government figures and politically exposed persons, and our security and information services review international sanctions lists and anti-fraud cooperation mechanisms.

We also obtain (to a lesser degree) personal information from international and domestic payment infrastructures, financial and currency markets, investment and settlement infrastructures including clearing houses, securities depositories, stock exchanges, OTC or private exchanges and similar sources.

As required and/or permitted by law, we also monitor and record telephone, email, instant messaging, and other online communications with us have resulted or may result in a banking or financial transaction.

DIRECTLY: From You

We obtain information directly from You from various sources:

• Account activities: bill payments, deposits, withdrawals, investments, and any other transactions in which you are an authorised corporate or operational signer.
• Forms and Applications: product variation or modification, lines of credit and credit limit increases, signatory names and signature sample forms, and electronic instructions).
• Electronic and verbal communications with you, your banking representatives, or our corporate clients: calls to our trading desks, client service desks, text and electronic messages and any other communications we receive from you, Your Organization, institutions you are employed by or other third parties. We do this for the purposes of documenting instructions from you, authentication, and for the purposes of security and quality assurance.
• Citi Digital Platforms. We process technical data and personally identifiable data related to transactions you perform in our Internet sites and mobile applications, in accordance with your contact preferences, cookie and profiling choices. Please refer to the Digital Platforms Supplement for more information.

3. CATEGORIES OF PERSONAL INFORMATION WE COLLECT AND PROCESS

General Categories of Personal Information

Citi collects personal information about you, for purposes indicated in this Global Privacy Notice.

The categories of personal information that we process, with their elements include:

• Your identity: name, organization, title, and job description within Your Organization. We also collect your home address and country of residence and date of birth, as required by international payment and securities infrastructures.
• Sensitive personal information we collect: For certain operations, including payroll or international payments into the Euro area and other geographies, and for age and /or identity verification, we may collect, certify and store images and other details from your passport or other ID document, unique tax ID registration, and collect samples in signature cards. In some countries these data are considered sensitive.
• Business contact details in Your Organization, such as business and email address, and your telephone number.
• Information about your banking authorizations as an officer or attorney for Your Organization, authorised/corporate and operational signatures, and your other interactions in relation to Your Organization.
• Your direct interactions with us, your preferences and methods of communications, corporate marketing options, cookie and tracker choices, and your service preferences.
• Information relating to your personal assets, as part of our Know Your Client (KYC) legal and regulatory obligations, and to identify your holdings in the ownership structure of Your Organization and any other corporate entities you are associated with.
• Information relating to your financial and credit background, and your personal address, in order to open and maintain accounts, products, and services contracted for you by Your Organization.
• Information required for specific legal or regulatory purposes including anti-money laundering (AML) and/or sanctions and investor screening processes (e.g., copies of your passport or signature specimens) or for transaction performance and management purposes.
• Personal Data gathered from contracts or arrangements Your Organization has opened with us.

General Categories of Sensitive Personal Information or “Special Categories of Data”

Where required by law, we process sensitive information (special categories of personal data), your Social Security and other national identity indicators. We have systems that compartmentalize such information, and operational, technical and governance measures, including access controls that protect the confidentiality and security of all information.

We only collect and process personal information that is necessary for us to provide our services and as required by business, legal, and regulatory aims. We will offer detailed information and additional disclosures if appropriate where we collect or otherwise process special categories of personal data, such as biometric or behavioural personal data that we obtain from your interactions with our systems and applications, including by way of example your mouse speed and movements, your keyboard usage, and voice pattern recognition for telephone banking. When we use the built-in biometric authentication technology in your mobile device, we do not have access to your biometric data, which remains stored in your mobile device.

Digital Personal Information

For details on the information we collect from your device, and your use of digital resources please consult :

• For internet banking and mobile banking applications for persons related to institutional clients please read the Information for Digital Platforms in Section 12.b).
• For information collected from Cookies, Trackers and Similar technologies used in our websites, please read our Cookie Policy for IC Clients.
• Visitors to our global webpage and investors, can consult our Privacy Notice for Visitors.

4. PURPOSES AND USES OF PERSONAL INFORMATION

We use your Personal Information for the following purposes:

• Communicate with you in relation to banking and financial services provided to Your Organization, or of interest to You as a member of Your Organization, and as an individual customer referred by your Organization:
  • To verify your identity and communicate with you.
  • To improve our relationship with you and Your Organization.
  • To inform you about products and services Your Organization has, and other services that may be of interest to your and/or Your Organization (subject to your marketing preferences).
• Deliver our services to Your Organization:
  • To provide our products and services, including opening and maintaining accounts for your organization.
  • To manage and administer our banking business.
  • For system and IT network administration, and for the operation, testing and support of our Digital Platforms.
  • To enable third parties to deliver products or services on our behalf, including payment services.
  • In communicate with credit reference and financial background research agencies.
  • To meet our obligations to and cooperate with stock exchanges, alternative trading systems, clearing and settlement agencies, brokers and similar entities.
• Manage our business:
  • For business development activities, analysis and planning purposes.
  • To investigate and respond to IC client issues and complaints.
  • To establish, exercise, or defend Citi and third party’s legal claims, including for breach of contract or of adherence to terms of use.
  • For research and other statistical and trend analysis, in each case de-identifying and aggregating or anonymizing sample data so that it is no longer personal data.
  • To guarantee our property rights, protect our own safety, the safety of your organization and of third parties, including loss and fraud prevention.
• For our own legitimate interests and those of other financial institutions (provided they are not overridden by your own rights and interests) and to comply with applicable laws:
  • For fraud prevention and other financial criminal activity.
  • For internal risk assessment and controls, by way of example, to detect or resolve cyber incidents or fraud.
  • To comply with judicial requirements, including to exercise our rights in judicial, administrative or arbitration litigation.
  • Some laws will require you to provide us with certain tax information, or complete tax declarations.
  • For regulatory reporting requirements, e.g., financial reporting, Central Bank reporting.

Use and Disclosure Rights

Certain countries and territories require Citi to offer to individuals the options and means to limit their use or disclosure of personal information. Please refer to the Special Provisions for your country or territory for information on these additional rights and how to exercise them. Citi does not sell or share your Personal information with third parties for their advertising or other commercial purposes. We also do not disclose the Personal Information of persons under the age of 16 (see ‘Minors and Children’ further below).

Artificial Intelligence, Automated Decision-Making and Profiling

Citi does not delegate control or decision-making functions to automated processing means (including Artificial Intelligence) and does not engage in profiling that may result in legal or similarly significant effects. Nevertheless, we use artificial intelligence to monitor transaction data, to ensure the consistency and correctness of outputs, detect and prevent illegal activities, for risk management and investment analysis, as an information tool for our personnel. We use fully automated means on securities markets (for example in algorithmic trading) solely where all information is de-personalised. If Your Organization is our client, depending on your digital marketing choices, we may create user profiles to offer you products targeted to Your Organization. Our marketing communications have links to change your preferences or supress further notifications.

5. LAWFUL BASES OF DATA PROCESSING

The lawful basis that we rely on for data processing vary, depending on the applicable law in the location where we provide our services. These include as the case may be:

• Consent: We use consent as a lawful basis, subject to conditions applicable in the country where consent is collected, only where:
  • We are required by law to obtain consent or
  • Where consent can be assumed or inferred from your conduct
• Performance or Delivery of a contract • We will use this lawful basis for processing if:
  • We have a contract with you (or with Your Organization, for your benefit) and we need to process your personal data in order to deliver the products and services referred to in that contract. For example, to set up and manage an account with us, or to process payments.
  • You have asked us to take steps in order to enter into a contract with us or Your Organization. For example, to provide you with a quote or to process your account application. In countries where we process personal data under consent as legal basis, we will infer it from your continued use of our services, unless we are under a legal obligation to collect positive consent.
• Legitimate interests • We will use this lawful basis for processing if: • We have a legitimate business purpose for processing your personal information; and • Processing your personal information is necessary to achieve this purpose; and • Our legitimate business interest is not overridden by your individual interests, rights and freedoms.
• Compliance with a legal obligation
  • We will use this lawful basis for processing if we need to process your personal information to comply with a legal obligation. This may include without limitation:
  • Providing information on request to government and regulatory bodies securities and commodities markets, securities brokers, and our intermediaries or counterparties
  • Conducting regulatory compliance activities such as: audit and reporting, accounting and tax records, prevention of fraud and other forms of economic crime, complying with international sanctions and anti-terrorism legislation background or KYC verification and screening of senior government officers and politically exposed persons (PEPs)

When we collect and process sensitive personal information, or Special Categories of Information, we will do so by obtaining your explicit consent unless the law allows us to rely on prescribed exceptions:

• If the processing of personal data is clearly needed for your benefit, and your consent for its collection, use or disclosure cannot be obtained in a timely manner, or where you would not be reasonably expected to withhold consent.
• If your consent is for a substantial public interest or in the legitimate interest of another person (including us) provided that processing must not extend to what is reasonable to provide a legitimate outcome and the protected interest outweighs any adverse effects of the processing your personal information.

6. CONSEQUENCES OF NOT PROVIDING PERSONAL INFORMATION IF REQUIRED

We may require certain data to fulfil our contractual obligations or to comply with legal obligations. If you choose not to provide this required data, it may impact our ability to provide you with our services effectively. For example:

• Account Management: Without accurate contact and financial information, we may not be able to manage your accounts effectively, which could impact your access to our banking services.
• Compliance: Failure to provide necessary legal and regulatory information may result in non-compliance with applicable laws and regulations, which could have legal consequences for your institution.

7. YOUR PRIVACY OR DATA PROTECTION RIGHTS

You have rights over your personal information that are protected by law in many countries. Most countries grant 4 basic rights: Access, Rectification, Cancellation and Objection (by their initials, the so-called ARCO rights). Citi extends these, and other rights set out in the EU General Data Protection (GDPR), beyond the requirements under local law, in order to provide a consistent standard across our operations globally.

You can CONTACT US to request any of the following rights:

• Right to be informed
  • You have the to be informed of sub-processors (sub-contractors) that receive your data and a summary of processing purposes and of how we use operational and technical measures to protect your data.
• Right to access your information:
  • You can CONTACT US to request a copy of the personal information we hold about you. This is often known as a ‘subject access request’.
• Right to rectify your information
  • You can CONTACT US to ask us to correct personal information that you believe we hold which may be inaccurate or incomplete.
• Right to erase your information (or “right to be forgotten”)
  • You can CONTACT US to ask us to erase personal information that we hold about you, which we will carry out unless we are required to retain it for a specific duration, in order to prevent fraud and other forms of crime, or for our defence in claims.
  • There may be some instances where we are not able to erase your personal information if we are under a legal requirement to store product applications or information in relation to banking or securities transactions. If this is the case, we will clearly explain in our reply to your request the reason we are unable to cease processing (and storing) your personal information.
• Right to transfer your information to another organisation
  • You can CONTACT US to ask us to transfer your personal information to other organisations. This is often known as the ‘right to data portability’.
    • There may be some instances where we are not able to transfer your information, if we are relying on a lawful basis other than ‘consent’ or ‘contract’ to process your personal information.
• Right to restrict processing of your personal information
  • You can CONTACT US to ask us to restrict processing of your personal information.
  • There may be some instances where we are not able to restrict processing of your personal information if you do not provide us with a particular reason for wanting the restriction.
• Right to object to processing.
  • You can CONTACT US to object to us processing your information.
    • We may not always be able to accept your objection, if we need to continue to process your information for our business, legal and regulatory and other purposes.
• Right to object to the grounds of legitimate interests for processing
  • Where we rely on legitimate interests as the lawful basis for processing your personal information, you can CONTACT US to object to us processing your information on these grounds.
  • We will always consider your reasons for objecting to us processing personal information on these grounds, and balance your interests, rights, and freedoms with our legitimate business interests.
• Right to withdraw your consent for processing your personal information
  • You can CONTACT US to withdraw your consent for processing your personal information.
  • If you withdraw your consent for processing of your personal information and it is necessary for us to conclude a transaction or for legal and regulatory purposes, then we may not be able to provide you with the relevant products and / or services that require such consent.
  • There may be situations where we are unable to stop processing your personal information after you withdraw your consent, where it is a legal requirement for us to continue using or storing certain information. If this is the case, we will clearly explain the reason we are unable to stop using (and storing) your personal information.

Citi may not always be able to provide all requested information or fulfil other rights where certain exceptions apply to a privacy rights request. In our reply, if we need to withhold certain information or fulfil your request we will explain the rationale for our decision, and the subsequent steps.

We will always respond to your request within the timeframes provided under applicable law.

To ensure your safety and given the confidentiality of financial information, we must verify your identity before disclosing any personal data. If you are making a request on behalf of someone else (as an attorney or a friend or relative) we may require further information to ensure that you are duly authorised to make that request.

8. DISCLOSURES AND RECIPIENTS OF PERSONAL INFORMATION

For the purposes providing banking and financial services, we disclose personal information to third parties (including our affiliates) confidentially, and where necessary, as follows:

• to Your Organization, in connection to the services that we provide to them.
• To our affiliates or internal business groups, who receive or have access to personal information about you, if you request or use their services including online portals and Apps.
• To Citi’s service providers who assist business functions such as application processing, fraud and money laundering monitoring, and the provision of client service centres and web hosting, and data analysis.
• To stock and security trading houses and exchanges, alternative trading systems, settlement agencies, facilities and similar entities, including clearing houses, payment infrastructure providers, counterparty banks, and any persons from whom we receive or make payments instructed or received by you.
• To securities brokers, custodians, sub-custodians, fund administrators, fund houses, depositaries, trustees, financial market infrastructure service providers (including settlement and securities payment providers), and
• To professional services providers: auditors, insurers, legal counsel, and to competent regulatory, tax, governmental or jurisdictional authorities, including central banks and financial regulators, and to the courts of any competent jurisdiction, domestic or foreign.

We will only share your information for the purposes outlined in the Section 4 (“Purposes and Use of Personal Information”) in this Global Privacy Notice.

Where required by applicable law, we shall add to Country or Territory Supplemental Provisions, and to our client terms, details of third parties we share information with, their locations, and the categories of information that we share.

9. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

We provide services to corporations and institutions in more than 120 countries and territories. Your personal information is stored and processed where Your Organization opens a product or receives a service, and backed up and further processed (unless your country or territory has data localization laws) in global service centres, for operational and regulatory purposes. The Supplemental Provisions indicate their location.

We transfer personal data in outgoing payment orders and other cross-border instructions to correspondent banks. Where there is an incoming payment or any other transaction, we will transfer beneficiary account information to our correspondent bank if the payment is processed through our WorldLink ® service, or if the funding account is held in another Citi affiliate, or if we are required by statutory obligations.

Citi and its service providers transfer your personal information to countries and territories that may not provide legal protection that is equivalent to that offered in the place of business or establishment of Your Organization. For this reason, we take steps to ensure that your personal information receives an optimal level of protection wherever we process it, by using our own affiliate organizations, or if otherwise, by introducing appropriate contractual and technical and operational means, including standard contractual clauses, complemented with transfer impact assessments (TIA) and specific measures to resolve any issues detected in a TIA. Where transferring data is an essential pre-requisite for executing a banking instruction, carried out as mandated, and with the knowledge and in the interest of the client, we may rely in legal exceptions or derogations for international data transfers in countries that have no formal declaration of data equivalence or ’adequacy’.

10. STORAGE AND RETENTION (ARCHIVING) OF PERSONAL INFORMATION

We process personal information only for the length of time that is necessary to carry out the purposes for which personal data was collected and retain your data during such time Your Organization’s accounts and products are open, or a transaction is active, and for a certain time after their closure. Our retention periods vary in accordance with applicable law in the country where we provide services, including under relevant commercial codes, banking and securities acts, anti-money laundering and external legislation, and lastly, in accordance with statutory limitation periods. When the retention of your personal information is no longer necessary, we will securely dispose of it by destroying the data, or we will irreversibly anonymize it, so that it is no longer personal data. The Country and Territory Supplements indicate the applicable retention terms.

11. SECURITY

Citi stakes reasonable steps to preserve the security of personal information.

All personal information is held in a protected environment with sufficient organizational and technology measures appropriate to a professional financial organization. We have implemented security controls, procedures and protocols across our different business lines, physical premises, and IT networks to minimize loss, misuse, unauthorized access, modification, or disclosure of personal information. All information shared with external third parties is encrypted during transmission and in storage, and all information held internally is protected using security passwords and logons or other security procedures. However, due to the inherent nature or electronic communications, we cannot guarantee the security of personal information outside our networks.

12. MINORS (CHILDREN)

Our products and financial services are intended for corporate, government and institutional clients, and are not designed for persons that cannot enter into business transactions in their own name, including children. 

We do not knowingly collect without consent from their parents or guardians, personal information from persons under the age of 16, other than for executing payments. We do not sell, share, or use their data for social media and we do not have targeted advertising directed to children. 

We may process personal information relating to minors with prior consent from their parents or guardians, if they are named beneficiaries of trusts, wills or insurance policies, and for similar uses permitted by law. If you have reason to believe that information about a child has been provided to us in error, please contact us.

13. SUPPLEMENTAL PROVISIONS

13.a Supplemental Provisions for Countries and Territories 

NORTH AMERICA

CALIFORNIA 

• California Supplemental Provision
• California Notice at Collection
• California Privacy Hub 

ASIA-PACIFIC

• HONG KONG
• INDONESIA (in English) (Bahasa Indonesia)
• JAPAN
• PHILIPPINES
• SINGAPORE
• SRI LANKA
• THAILAND (in English) (ภาษาไทย)
• VIETNAM 

LATIN AMERICA

• JAMAICA
• PANAMA (in English) (en Español)
• URUGUAY 

EUROPE, MIDDLE EAST AND AFRICA

• ALGERIA
• EUROPEAN ECONOMIC AREA, EUROPEAN UNION, UNITED KINGDOM and OTHER EUROPEAN COUNTRIES.**

• NIGERIA
• KENYA
• SAUDI ARABIA
• TANZANIA

b)     Digital Platforms Schedule

Please click here to access out Digital Platforms supplement, which apples to Citi’s online banking and trading portals, and mobile Apps.

c)    Citi Research Schedule 

Citi Research activities are covered by a separate document, accessible here.
 

CONTACT INFORMATION

Please use the Contact Us links provided under Section 6 (“Your Privacy or Data Protection Rights”) to exercise your data subject rights, or refer to the Supplemental Provisions for the location were we provide services. You may also contact our Data Protection Officers as indicated in the Supplements, including:

If you feel that your data has not been handled correctly by Citi, or you are unhappy with our response or have concerns regarding the use of your data, you have the right to lodge a complaint with a data protection authority in the country where the alleged infringement of data protection law occurred. Contact details for data protection authorities can be found here, and as otherwise indicated in any country or territory-specific supplemental provisions: 

EU/EEA: http://ec.europa.eu/justice/article-29/structure/data-protection- authorities/index_en.htm 

United Kingdom: Information Commissioner’s Office (ICO): www.ico.org.uk 

Jersey: Office of the Information Commissioner: https://jerseyoic.org