Supplemental Provision — Nigeria

Citibank Nigeria Limited 

Citibank Nigeria Limited is a bank licensed by the Central Bank of Nigeria

Released March 5, 2025

Privacy Notice for Consumer Banking 

This Privacy Notice is directed to individuals (“you”), and describes how Citibank Nigeria Limited (collectively, “CNL”, “us” or “we”) collects, uses, transfers cross-border, or otherwise ‘processes’, personal data in consumer banking products and investments, including HR payroll services. It delineates the fundamental principles and limitations governing the collection, use, processing, transfer and deletion of your personal data, outlines your privacy rights, and provides guidance on how you can exercise them. 

This Privacy Notice is not a binding contract that would be enforceable against you or any other person, and may be amended by CNL from time to time to incorporate changes in our banking operations.

Other Important Privacy Notices 

Depending on other ways that you interact with CNL, other privacy notices may be applicable to you, including:

• Global Privacy Notice for (Institutional Clients of) Global Markets, Investment Banking and Financial Services, and its Nigeria Country Supplement if you interact with us in relation to corporate entities (e.g., as an officer, employee or beneficial owner) or their services recipients (e.g. a merchant or a beneficiary).
• Citi Events Privacy Notice, for invitations to live, pre-recorded or virtual events.
• Online Privacy Notice for visitors to the Citigroup.com for information on how we collect personal data when you visit our Citigroup global website.

Key Definitions
In this Notice:

Data Controller: is the legal entity (CNL) that is responsible for your personal data and who, alone or jointly with others, determined the purposes and the means or processing of personal data.

“Personal Information, or Personal Data” means any information about you as an individual, that CNL collects, uses or otherwise processes from which you can be identified such as a name, an identification number, date of birth, physical address, an email address, bank details, and any other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, etc.

Sensitive Personal Data, or Special Categories of Personal Information: These are interchangeable terms that refer to categories of Personal Information that require special handling under applicable law, and relate to an individual’s (a) genetic or biometric data, for the purpose of uniquely identifying an individual; (b) race or ethnic origin; (c) religious or similar beliefs, such as those referencing conscience and philosophy; (d) health status; (e) sex life; (f) political opinions of affiliations; (g) trade union memberships; and (h) other information prescribed by the Nigerian Data Protection Commission, as sensitive personal data under Section 30 of the Nigerian Data Protection Act, 2023.

CONTENTS
1. Entity Responsible for Processing Personal Data 
2. Sources of Personal Data
3. Categories of Personal Data that we Collect and Process
4. Purposes and Uses of Your Personal Data
5. Principles and Lawful Basis for our Personal Data Processing
6. Disclosures and Recipients of Personal Data
7. Consequences of not Providing Your Personal Data if Required
8. Accuracy of your Personal Data
9. Automated Processing and Artificial Intelligence
10. Your Privacy or Data Protection Rights
11.  International Transfers of Personal Data
12. Storage and Retention (Archiving) of Personal Data
13. Data Security
14. Minors (Children)
15.Cookies and Online Trackers

1.    ENTITY RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA 
The ‘Data Controller’ as defined in this document is Citibank Nigeria Limited, of 27 Kofo Abayomi Street, Victoria Island, Lagos, Nigeria (‘CNL’).
CNL is the data controller responsible for the lawful collection, use, processing and disposal of personal data in Nigeria and its lawful transfer across international borders. CNL has ensured that is has appropriate contractual, technical and operational measures in place with its sub-processors and service providers to protect the processing of personal data. 
You can request or enforce personal data rights by E-mailing or writing to the Data Protection Officer to the address provided above, or by Email to the Data Protection Officer: 
Email: dponigeria@citi.com

2.    SOURCES OF PERSONAL DATA
We may obtain personal data from the following sources: 
•    You directly when you request a service from us, in your onboarding or product opening documentation, or indirectly, which we learn from your use of our systems, from communications or from other dealings with you. 
•    Third parties, such as other financial institutions, government entities, credit reference agencies, recognized fraud data sharing mechanisms, both from domestic and international organizations, and from companies specialized in fraud detection and background checks.
•    Automatically when you visit our Citigroup global flagship website or communicate with us online. We may collect this information through the use of “cookies” or similar tracking technologies, based on your options and consents, to allow us to better tailor our website and services to you and to enable us to analyze our services and better tailor our services to you. To manage your cookies and online trackers please visit the Cookie Preferences link at the footer of Citigroup.com. To learn more about cookies please go to https://www.citigroup.com/global/institutional-clients/cookiepolicy.

3.    CATEGORIES OF PERSONAL DATA THAT WE COLLECT AND PROCESS
The categories of personal data that we process, with their elements include: 
•    Identity data: name, company, title, job description and position in Your Organization.
•    Contact details: such as email address, telephone number, business address and for KYC purpose, residential address. 
•    Organizational Information: Title and authorisations to represent the legal entity you general work or are associated with  and your current and prior relationships. 
•    Communication and marketing information: Your relationship with us, including preferred methods of services communications, communications, and your marketing preferences. 
•    Information relating to your personal assets: part of our Know Your Client (KYC) legal and regulatory obligations, including background and credit checks, your investment holdings and any other corporate entity you are associated with.
•    Financial background checks: as part of due diligence and identity verification checks, where you open and maintain accounts, products, and services on behalf of the corporate or institutional entity you represent.
•    Information required for legal or regulatory purposes including AML and/or sanctions and investor screening processes (e.g., copies of your passport or a specimen of your signature) and for transaction management purposes.

4.    PURPOSES AND USES OF YOUR PERSONAL DATA
We collect, receive, use, store, transfer and otherwise process your personal data for the following purposes:
•    to provide financial products and services to you as a CNL client (and where appropriate, as a client that is a workforce member of CNL), and to communicate with you and/or CNL’s clients about them;  
•    to manage, administer and improve CNL’s client service engagements and relationships and to communicate with you changes to those services. Based on your choices or consents,  for marketing, and business development;  
•    to monitor and analyze the use of CNL’s products and online services, and conduct compliance activities for security, anti-money laundering (AML), terrorism financing, or attempts to circumvent international sanctions against countries, organizations and individuals, and for the prevention and detection of fraud and other forms of economic crime; 
•     To conduct Know Your Customer (KYC) due diligence (which involves identity checks and verifying address and contact details), Politically Exposed Persons screening (which involves screening client records against internal and external databases to establish connections to ‘Politically Exposed Persons’ (PEPs) as part of client due diligence and onboarding), and sanctions screening (which involves the screening of clients, their representatives and counterparties against published sanctions lists)    
•     To manage CNL’s information technology and to train automated systems, and for system integrity, administration, operation, testing and support purposes;  
•    to establish, exercise and/or defend legal claims or rights and to protect, exercise and enforce CNL’s or its affiliates, parent company or a counterparty financial institution’s rights, property or safety, or to assist their and our clients, or others to do this;  
•    to investigate and respond to complaints or incidents relating to CNL’s business, to maintain service quality and to train staff to deal with complaints and disputes; 
•    to cooperate with, respond to requests from, and to report transactions and/or other activity to a government, central bank, tax or regulatory bodies, and to competent financial markets, brokers or regulators, intermediaries or counterparties, courts or third parties;   
and  
•    to record and/or monitor telephone conversations so as to maintain service quality and security, for staff and system training (including automated processing), fraud monitoring and to deal with complaints, disputes and potential and/or actual criminal activity. To the extent permitted by law, these recordings are CNL’s sole property. 
These purposes are summarized in the table in the next Section.

5.    PRINCIPLES AND LAWFUL BASIS FOR OUR PERSONAL DATA PROCESSING
The following principles are the foundation of CNL’s commitment to data protection: 
•    Transparency 
•    Purpose limitation 
•    Proportionality 
•    Accuracy 
•    Confidentiality 
•    Storage Limitation
•    Accountability 
•    Compliance with applicable Data Protection laws and regulations. CNL will cooperate with CNL’s regulators and other authorities to prevent and detect financial crimes and regulatory breaches as well as protect CNL’s businesses and the integrity of the financial markets.  

CNL relies on various lawful bases as permissible by law for the collection and processing of personal data In Nigeria, as further detailed in the table below, and will rely on consents, obtained on your account or product opening documentation for the cross-border transfers of personal information. Consents for specific operations may also be collected on a transactional basis, for example, where you issue instructions to deposit funds in another country, or to pay a foreign beneficiary. If CNL relies at any time on your consent, this will be made clear to you at the time it is needed. Your silence will never be assumed to be consent. Where your consent is the legal basis for processing, you are at liberty to withdraw it at any time by sending a request to CNL’s Data Protection Officer through the contact details provided in this Privacy Notice. Please note that withdrawal of your consent shall not affect, retrospectively, the lawfulness of the processing of your Personal Information before your consent is withdrawn.  
We rely in other lawful basis for processing, including (a) where processing is necessary for the performance of a contract (for a consumer account or product) to which you are party; (b) for compliance with an obligation under applicable law; (c) for the performance of a task carried out in the public interest, provided that the public interest is recognized in a statute, (d)  where it is necessary for the establishment,  exercise or defense of legal claims; or (e) for the purposes of a legitimate interest pursued by CNL, or a third party to whom your data is disclosed, provided this legitimate interests do not override your fundamental, rights, freedoms and liberties as a data subject, and where these legitimate interests are not incompatible with other lawful basis of processing, and you would have a reasonable expectation of your personal data being processed in the manner envisaged.

Additional Protections for the Processing of Sensitive Personal Data

Without prejudice to the principles set out in the NDPA, CNL shall not process your Sensitive Personal Data, unless:

(a) you have given and not withdrawn consent to the processing for the specific purpose or purposes for which it will be processed;
(b) processing is necessary for the purposes of performing the obligations of CNL or exercising your rights under employment or any other similar laws;
(c) processing is necessary to protect your vital interests or of another person, where the data subject is physically or legally incapable of giving consent ;
(d) processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association, or such other non-profit organisation with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes, and the —
(i) processing relates solely to the members or former members of the entity, or to persons, who have regular contact with it in connection with its purposes, and
(ii) sensitive personal data is not disclosed outside of the entity without the explicit consent of the data subject ;
(e) processing is necessary for the establishment, exercise, or defense of a legal claim, obtaining legal advice, or conduct of a legal proceeding ;
(f ) processing is necessary for reasons of substantial public interest, on the basis of a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject ;
(g) processing is carried out for purposes of medical care or community welfare, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality ;
(h) processing is necessary for reasons of public health and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject ; or
(i) processing is necessary for archiving purposes in the public interest, or historical, statistical, or scientific research, in each case on the basis of a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights and freedoms and the interests of the data subject.

6.    DISCLOSURES AND RECIPIENTS OF PERSONAL DATA

For the purposes of providing consumer accounts and retail products for which sharing your personal data is necessary, we may disclose it to third parties (including our affiliates) confidentially, as follows:
•    to your organization in connection with Wealth at Work products and services that CNL provides to you if your organization is CNL’s client, or otherwise in connection with CNL’s dealings with your organization; 
•    to other CNL affiliates  and parent companies (including entities referenced at http://www.citigroup.com/citi/about/countrypresence/)  to the extent permitted by law and your contract documentation, for the purposes of managing our clients; 
•    to counterparty banks, payment infrastructure providers and other persons from whom CNL receives, or to whom CNL makes deposits or payments on your behalf; 
•    to credit agencies, multilateral agencies, development finance institutions, other financial institutions, governmental authorities and their agents, insurers, due diligence service providers and credit assessors, in connection with the products and services that CNL provides to you; 
•    to our CNL parent companies, affiliates and service providers that provide application processing, AML, fraud monitoring, call center and/or other customer services, hosting services and other technology and business process outsourcing services, who are bound by service contracts to protect your data and keep it confidential to provide consumer banking accounts or products; 
•    to CNL’s professional service providers (e.g., legal advisers, accountants, auditors, insurers and tax advisers);  
•    to government and law enforcement authorities and other persons involved in, or contemplating, legal proceedings;  
•    to competent financial regulatory, prosecuting, tax or governmental authorities, courts or other tribunals, in any jurisdiction; 
•    to other persons where disclosure is required by law or to enable products and services to be provided to you or CNL’s clients; and  
•    to prospective buyers as part of a sale, merger or other disposal of any of CNL’s business or assets.
•    To our affiliates or internal business groups, who receive or have access to your personal data, if you request or use their services.
We only disclose personal data that is strictly necessary to use the abovementioned aims, as required or permitted by laws and regulations. We will only share your personal data for the purposes outlined in this Privacy Notice.

7.    CONSEQUENCES OF NOT PROVIDING YOUR PERSONAL DATA IF REQUIRED

We may require certain personal data to fulfil our contracts or to comply with legal obligations. Where we are collecting personal data from you, pursuant to a legal, statutory or contractual requirement, we will indicate in the relevant documents and forms if such data is not optional, and if it is, and you are unable or unwilling to provide it, we may be unable to provide the requested services.

8.    ACCURACY OF YOUR DATA 

We rely on the availability of accurate personal data to provide our consumer banking products to you. You should therefore notify us of any changes to your personal data, particularly changes concerning your contact details, banking details, or any other information that may affect the proper management and administration of the products or services provided to you.

9.    AUTOMATED PROCESSING AND ARTIFICIAL INTELLIGENCE

We will inform you of the existence of automated decision-making, including profiling, the significance and envisaged consequences for you. We will also restrict data processing pending —
(i) the resolution of a request,
(ii) objection by you, or
(iii) the establishment, exercise, or defence of legal claims. You can also opt out of the processing of your Personal Information for direct marketing purposes. 
We use automated processing, including artificial intelligence, for purposes of analysing and detecting potential money-laundering and other forms of economic crime. We will also use Artificial Intelligence to help us analyze, under similar standards, client information, and to create summaries of their file data.
We do not engage in automated decision-making, or profiling that may result in a legal or similarly significant negative outcome, nor do we rely solely on automated processing means (including Artificial Intelligence) for any product opening or closing purposes. 

Any use of AI systems by CNL in the context of consumer banking, will be carried out only after establishing rigorous controls to prevent, detect and correct biases. Similarly, CNL will continuously analyze and challenge its AI tools using those controls (as set out in governance).

We may use any personal data collected per this Notice to train, test and validate the accuracy of our AI tools.

10.    YOUR PRIVACY OR DATA PROTECTION RIGHTS

Under certain circumstances and in line with the provisions of the NDPR and NDPA, you have the right to:
•    Request access to your Personal Information (make a “data subject access request”). This enables you to receive a copy of the Personal Information CNL holds about you; 
•    Request rectification of the Personal Information that CNL holds about you. This enables you to correct any incomplete or inaccurate information CNL holds about you; 
•    Request the erasure of your Personal Information in certain circumstances. You also have the right to request the deletion or removal of your Personal Information where you have exercised your right to object to processing and your request is upheld; 
•    Object to the processing of your Personal Information. CNL shall discontinue the processing of your Personal Information on your request, unless CNL demonstrates a public interest or other legitimate grounds, which overrides your fundamental rights and freedoms and interests.
•    You may request the restriction of the processing of your Personal Information. CNL will agree to such requests except where there is a lawful basis to continue processing, such as public interest or other legitimate grounds; 
•    Request that your Personal Information be transmitted directly from one Data Controller to another, where technically feasible, provided that such data portability shall not adversely affect the rights and freedoms of other persons; and 
•    Not be subject to a decision based solely on automated processing, which does not require human involvement or influence on the outcome of the decision. 
•    CNL may need to request specific information from you for confirmation of your identity and to ensure your right to access the Personal Information held by CNL (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it and otherwise to assist CNL to process your request in a timely manner. 

To exercise these rights or if you have questions about how CNL processes your Personal Information, please contact the Data Protection Officer in Nigeria on the contact details provided in Section 1. 
Citi may not always be able to provide all requested information in a ‘data subject access request’ or fulfil other rights, when certain exceptions apply to protect the rights of others. If we need to withhold certain information or cannot fulfil your request we will explain the rationale for our decision, and the subsequent steps you can take. We will always respond to your request within the timeframes provided under the Nigeria Data Protection Act.
To ensure your safety and for confidentiality reasons, we will ask to verify your identity before disclosing any personal data. If you are making a request on behalf of someone else (as an attorney, relative or representative) we may require further information to ensure that you are duly authorized to make that request.

11.    INTERNATIONAL TRANSFERS OF PERSONAL DATA

Personal data about our CNL consumer bank clients is stored and processed at CNL in Nigeria.  

We limit international transfers of personal data from CNL to operations required to perform banking and financial services: for example, where we need to send account details of the payer or beneficiary to a foreign corresponding bank

We ensure your personal information is transferred to countries that have an equivalent or ‘adequate’ level of data protection. Where we transfer personal information to other countries, we will do so in limited circumstances, such as under your instructions, where the transfer is necessary to perform a cross-border operation or transaction. We transfer your personal data using safeguards to appropriately address risks in data transfers.

We also transfer de-personalised and aggregated (or anonymized) data, such that it ceases to be personal data, to our head office and subsidiaries for our own accounting, security and management purposes. 

Because CNL forms part of a global financial group, your personal data may be also accessed and processed in service locations globally, as needed and indicated in your account or product documentation. For example, IT services may be backed-up by CNL affiliates in different locations, in a manner that causes your data to be transferred across national borders, or to be accessed from IT networks located or operated in another country, whether on infrastructure owned by Citi or operated on its behalf by a third-party. Such activities (known as international data transfers) are subject to certain requirements, including consents, which appear on your account or product documentation, or are requested for specific transactions.

CNL may transfer your Personal Information to other Citi entities, regulatory, prosecuting, tax and governmental authorities, courts and other tribunals, service providers and other business counterparties located outside Nigeria as necessary for these purposes, including countries which have different data protection standards to those in Nigeria.  

12.    STORAGE AND RETENTION (ARCHIVING) OF PERSONAL DATA

We process personal data only for the length of time that is necessary to carry out the purposes for which it was collected in the first place, and we will retain it in either electronic or hard copy form during such time for which your consumer banking products are open, and for reasonable time after their closure, in accordance with our legal and regulatory obligations and our internal policies and procedures. Our retention periods vary in accordance with legal requirements of the product you have and the expectations of the Central Bank of Nigeria. When the retention of your personal data is no longer necessary, we will securely dispose of it by destroying the data, or we will irreversibly anonymize it, so that it is no longer personal data.

13. DATA SECURITY

CNL will take reasonable and appropriate steps to preserve the security of your personal data, and protect it against misuse, accidental loss or from unauthorized access or disclosure. 
All information shared with external third parties is encrypted during transmission and in storage, and all information held internally is protected using security passwords and logons or other security procedures. However, due to the inherent risk of electronic communications, we cannot guarantee the security of personal data traversing outside our networks. 
In the event your Personal Information is compromised or interfered with, you may lodge a complaint with our CNL Data Protection Officer at the business address contained in Section 1 of this Privacy Notice. You can also  complain to the  Nigeria Data Protection Commission, at No. 12 Clement Isong Street, Asokoro, Abuja, Nigeria, or info@ndpc.gov.ng

14. MINORS (CHILDREN)

Our consumer products and services are designed for persons of legal age, and are not designed for underage persons, that are unable to represent themselves or enter into business transactions in their own name.
We do not knowingly collect personal information from anyone under the age of 18 except where the age of the individual cannot be determined (for instance, where a person is the beneficiary of a payment). If you are a parent or guardian, please read this Privacy Notice to thoroughly understand how personal information is handled, and contact us if you have any concerns. If we become aware of personal information collected without parental consent, we will take steps to obtain such consent or remove it from our records.

15. COOKIES AND ONLINE TRACKERS

This Site uses cookies. A cookie is a text-only string that is set on your browser. Cookies are used as a quick and convenient means of keeping the Site content fresh and relevant to your interests and as a means of improving the utility of the Site by being able to securely store any personal data that you have shared with the Site. For example, this Site uses session-based cookies, which are cookies that are downloaded to your computer only for the duration of your visit to the Site. It helps you to move around the Site faster, and measures traffic activity on the Site. This type of cookie automatically expires when you close down your browser.
Please refer to the https://www.citigroup.com/global/institutional-clients/cookiepolicy for further information. 

Do Not Track: Most web browsers allow you to change your cookies options to accept all, some, or no cookies or to warn before accepting cookies; however, setting your web browser to not accept any cookies may inhibit the performance of this Site. Our Site currently responds to browser do not track signals.

Changes to this Privacy Notice
We may modify this Notice from time to time. Where changes are made, we will post a new version on the Nigeria country page in our Citigroup flagship site.