1. Entity responsible for processing your Personal Information

2. Sources of Personal Information

3. Categories of Personal Information we collect and process

4. Purposes and Uses of Personal Information

5. Lawful Bases for Data Processing

6. Consequences of Not Providing Personal Information if required

7. Your Privacy and Data Protection Rights

8. Disclosures and Recipients of Personal Information

9. International Transfers of Personal Information

10. Storage and Retention (Archiving) of Personal Information

11. Security

12. Minors (children)

13. Supplemental Provisions

      (1)  Supplemental Provisions for Countries and Territories

      (2) Information for Digital Platforms (CitiDirect and CitiVelocity) 

      (3) Citi Research 

Contact Information for Complaints

1. ENTITY RESPONSIBLE FOR PROCESSING YOUR PERSONAL INFORMATION

The Citi legal entity that provides the accounts, products and services to Your Organization, whether as a client or a service recipient, or makes a payment to you acts as an independent business and is responsible for determining how your Personal Information is collected, the purposes that information is collected for, and how it will be processed. This is the “Data Controller,” also known as Principal. Responsible Party, Data Custodian or Data User under the laws of certain countries.

Citi Data Controllers

Please refer to the list of Data Controllers for the Country or Territory relevant to the services you receive. For geographies without a specific Supplement, please refer to the global list of Citi branches and affiliate available here.

Citi as Data Processors

In certain cases, Citi entities act as intermediaries, and consequently as Data Processors, or service providers (and not as Data Controllers): for example, where Citi entities are links a payment chain and are neither the institution originating a payment instruction, nor the final link that processes a payment to the beneficiary); when executing card payments on behalf of banks and merchants, and in transfer agency and payment agency agreements. This Privacy Notice is not intended for activities where Citi is an intermediary and a data processor. (the relevant privacy notice will be issued by the Data Controllers in those operations). Please note that Data Processors are sometimes required to comply with legal obligations, for example, scrutinizing payment beneficiaries names for international sanctions, fraud, money laundering or combating terrorism financing and undertake these discrete activities in a special capacity as Data Controller.

2. SOURCES OF PERSONAL INFORMATION

INDIRECTLY: From Your Organization and other entities

Your Organization

We obtain most of our information about you indirectly from Your Organization or from other third parties, including financial institutions, government entities, credit reference agencies, recognized anti-fraud data sharing from domestic and international organizations, and from companies specialized in background checks. This includes your name, place and date of birth, nationality, account routing information, nationality and business and/or home contact address and phone numbers, and certain information required for Know-Your-Client (KYC), Anti Money Laundering (AML) and Countering Terrorism Financing information, and for sanctions-checking purposes. In some countries we require a form of government ID. 

To uphold the security, integrity and legality of our operations we obtain personal information from company or commercial registers, insolvency lists, and registers of persons that have been bankrupted or banned temporarily or permanently from holding directorships. Our contracted subscription services also review estimated wealth, court listings, court judgments, and press articles (mainly on allegations of corruption and other red flags) on senior government figures and politically exposed persons, and our security and information services review international sanctions lists and anti-fraud cooperation mechanisms.

We also obtain (to a lesser degree) personal information from international and domestic payment infrastructures, financial and currency markets, investment and settlement infrastructures including clearing houses, securities depositories, stock exchanges, OTC or private exchanges and similar sources.

As required and/or permitted by law, we also monitor and record telephone, email, instant messaging, and other online communications with us have resulted or may result in a banking or financial transaction.

DIRECTLY: From You

We obtain information directly from You from various sources:

• Account activities: bill payments, deposits, withdrawals, investments, and any other transactions in which you are an authorized corporate or operational signer.
• Forms and Applications: product variation or modification, lines of credit and credit limit increases, signatory names and signature sample forms, and electronic instructions).
• Electronic and verbal communications with you, your banking representatives, or our corporate clients: calls to our trading desks, client service desks, text and electronic messages and any other communications we receive from you, Your Organization, institutions you are employed by or other third parties. We do this for the purposes of documenting instructions from you, authentication, and for the purposes of security and quality assurance.
• Citi Digital Platforms. We process technical data and personally identifiable data related to transactions you perform in our Internet sites and mobile applications, in accordance with your contact preferences, cookie and profiling choices. Please refer to the Digital Platforms Supplement for more information.

3. CATEGORIES OF PERSONAL INFORMATION WE COLLECT AND PROCESS

General Categories of Personal Information

Citi collects personal information about you, for purposes indicated in this Global Privacy Notice.

The categories of personal information that we process, with their elements include:

• Your identity: name, organization, title, and role or job description within Your Organization. We also collect your home address and country of residence and date of birth, as required by international payment and securities infrastructures.
• Sensitive personal information we collect: For certain operations, including payroll or international payments into the Euro area and other geographies, and for age and /or identity verification, we may collect, certify and store images and other details from your passport or other ID document, unique tax ID registration, and collect samples in signature cards. In some countries these data are considered sensitive.
• Business contact details in Your Organization, such as business and email address, and your telephone number.
• Information about your banking authorizations as an officer or attorney for Your Organization, authorized/corporate and operational signatures, and your other interactions in relation to Your Organization.
• Your direct interactions with us, your preferences and methods of communications, corporate marketing options, cookie and tracker choices, and your service preferences.
• Information relating to your personal assets, as part of our Know Your Client (KYC) legal and regulatory obligations, and to identify your holdings in the ownership structure of Your Organization and any other corporate entities you are associated with.
• Information relating to your financial and credit background, and your personal address, in order to open and maintain accounts, products, and services contracted for you by Your Organization.
• Information required for specific legal or regulatory purposes including anti-money laundering (AML) and/or sanctions and investor screening processes (e.g., copies of your passport or signature specimens) or for transaction performance and management purposes.
• Personal Data gathered from contracts or arrangements Your Organization has opened with us.

Sensitive Personal Information or “Special Categories of Data”

Where required by law (to comply with legal obligations) or as appropriate to protect a substantial public interest, we process sensitive information (or special categories of personal data), including information such as your Social Security and other national identity. We have systems that compartmentalize such information, and operational, technical and governance measures, including access controls that protect the confidentiality and security of all information.

We only collect and process the amount of personal information that is necessary to provide our services, and as required by business, legal, and regulatory aims. We will offer detailed information and additional disclosures if appropriate where we collect or otherwise process sensitive or “special categories of personal data”, including biometric or behavioral data that we obtain from your interactions with our systems and applications, including by way of example your mouse speed and movements, your keyboard usage, and voice pattern recognition for telephone banking, which we use to detect threat actors, or demonstrate that you are not being impersonated (‘prove you are human’ tests). When we use the built-in biometric authentication technology in your mobile device, we do not have access to the data, that remains locked in your mobile device.

Digital Personal Information

For details on the information we collect from your device, and your use of digital resources consult :

• For internet banking and mobile banking platforms (including CitiVelocity and CitiDirect) review the Digital Platforms Schedule).
• For information collected from Cookies, Online Trackers and similar technologies used in our Apps and websites, please read our Cookie Policy.
   

4. PURPOSES AND USES OF PERSONAL INFORMATION

We use your Personal Information for the following purposes:

• Communicate with you in relation to banking and financial services provided to Your Organization, or of interest to You as a member of Your Organization, and as an individual customer referred by your Organization:
  • To verify your identity and communicate with you.
  • To improve our relationship with you and Your Organization.
  • To inform you about products and services Your Organization has, and other services that may be of interest to your and/or Your Organization (subject to your marketing preferences).
• Deliver our services to Your Organization:
  • To provide our products and services, including opening and maintaining accounts for your organization.
  • To manage and administer our banking business.
  • For system and IT network administration, and for the operation, testing and support of our Digital Platforms.
  • To enable third parties to deliver products or services on our behalf, including payment services.
  • In communicate with credit reference and financial background research agencies.
  • To meet our obligations to and cooperate with stock exchanges, alternative trading systems, clearing and settlement agencies, brokers and similar entities.
• Manage our business:
  • For business development activities, analysis and planning purposes.
  • To investigate and respond to IC client issues and complaints.
  • To establish, exercise, or defend Citi and third party’s legal claims, including for breach of contract or of adherence to terms of use.
  • For research and other statistical and trend analysis, in each case de-identifying and aggregating or anonymizing sample data so that it is no longer personal data.
  • To guarantee our property rights, protect our own safety, the safety of your organization and of third parties, including loss and fraud prevention.
• For our own legitimate interests and those of other financial institutions (provided they are not overridden by your own rights and interests) and to comply with applicable laws:
  • For fraud prevention and other financial criminal activity.
  • For internal risk assessment and controls, by way of example, to detect or resolve cyber incidents or fraud.
  • To comply with judicial requirements, including to exercise our rights in judicial, administrative or arbitration litigation.
  • Some laws will require you to provide us with certain tax information, or complete tax declarations.
  • For regulatory reporting requirements, e.g., financial reporting, Central Bank reporting.

Use and Disclosure Limitation Rights

Certain countries and territories require Citi to offer to individuals the options and means to limit their use or disclosure of personal information. Please refer to the Special Provisions for your country or territory for information on these additional rights and how to exercise them. Citi corporate businesses do not sell or share your Personal information with third parties for cross-contextual advertising or other commercial purposes. We also do not disclose the Personal Information of persons under the age of 16 (see ‘Minors and Children’ further below).

Artificial Intelligence, Automated Decision-Making and Profiling

Citi does not delegate control or decision-making functions to automated processing means (including Artificial Intelligence) and does not engage in profiling that may result in legal or similarly significant effects. Nevertheless, we use artificial intelligence to monitor transaction data, to ensure the consistency and correctness of outputs, detect and prevent illegal activities, for risk management and investment analysis, as an information assistance tool for our personnel. We use fully automated means for example in algorithmic securities trading solely where all information is de-personalized. 

If Your Organization is a Citi client, depending on your digital marketing choices, we may create AI profiles to offer you products targeted to your organization. Our marketing communications have ‘unsubscribe’ links to change your preferences or suppress further notifications.
We do not use your personal data to train third party models. However, when processing involves machine learning or statistical models, it may not be always technically feasible to remove all traces of an individual’s data; however, we will take reasonable steps to ensure rights are respected to the extent required by law.

5. LAWFUL BASES OF DATA PROCESSING

The lawful bases that we rely on for data processing do vary, depending on the applicable law in the location where data is collected. These include as the case may be:

• Consent: We use consent as a lawful basis, subject to conditions applicable in the country where consent is collected, where:
  • We are required by law to obtain consent or
  • Where consent can be assumed or inferred from your conduct; or
  • Where it is the primary or only legal basis for processing, or a legal basis that data protection authorities expect should be used
• Performance or Delivery of a contract
  • We will use this lawful basis for processing if:
    • We have a contract with you (or with Your Organization, for your benefit) and we need to process your personal data in order to deliver the products and services referred to in that contract. For example, to set up and manage an account with us, or to process payments.
    • You have asked us to take steps in order to enter into a contract with us or Your Organization. For example, to provide you with a quote or to process your account application.
• Legitimate interests
  • We will use this lawful basis for processing if it is available in the country or territory where personal information is collected and if:
    • We have a legitimate business purpose for processing your personal information; and
    • Processing your personal information is necessary to achieve this purpose; and
    • Our legitimate business interest is not overridden by your individual interests, rights and freedoms.
• Compliance with a legal obligation
  • We will use this lawful basis for processing if we need to process your personal information to comply with a legal obligation. This may include without limitation:
    • Providing information on request to government and regulatory bodies securities and commodities markets, securities brokers, and our intermediaries or counterparties
    • Conducting regulatory compliance activities such as: audit and reporting, accounting and tax records, prevention of fraud and other forms of economic crime, complying with international sanctions and anti-terrorism legislation background or KYC verification and screening of senior government officers and politically exposed persons (PEPs)

LEGAL BASES FOR PROCESSING SENSITIVE PERSONAL DATA / SPECIAL CATEGORIES OF DATA 

When we collect and process sensitive personal information, or ‘Special Categories of Information’, we will request your consent unless the law allows us to rely on prescribed exceptions based on a substantial public interest:

• If the processing of personal data is clearly needed for your benefit, and your consent for its collection, use or disclosure cannot be obtained in a timely manner, or where you would not be reasonably expected to withhold consent.
• If your consent is for a substantial or recognized public interest or in the legitimate interest of another person (including us) provided that processing must not extend to what is reasonable to provide a legitimate outcome and the protected interest outweighs any adverse effects of the processing your personal information.

6. CONSEQUENCES OF NOT PROVIDING YOUR CONSENT OR PERSONAL INFORMATION WHEN REQUESTED

If we request you to provide consent, we will make clear to you if it is our legal basis at the point of gathering. For example, your consent may be needed to: (a) initiate any contract or transaction between us, that will subsequently enable us to use other lawful basis  (e.g. contract necessity); (b) to send you commercial communications or marketing about Citi services, that can be of interest to you and your organization, (c) where we use certain technologies such as online trackers (e.g. to determine your location); (d) where we record and/or monitor service chats, and voice or video conversations, for service quality, security, fraud monitoring, staff training, and to deal with complaints, disputes and to prevent criminal activity’ To the extent permitted by law, these recordings are our sole property.

If you choose not to agree or provide this personal information we will be unable to it may impact our ability to provide you or your organization with our services. For example:

• Account Management: Without accurate contact and financial information, we may not be able to manage your accounts effectively, which could impact your access to our banking services.
• Compliance: Failure to provide necessary legal and regulatory information may result in non-compliance with applicable laws and regulations, which could have legal consequences for your institution.

7. YOUR PRIVACY OR DATA PROTECTION RIGHTS

You have rights over your personal information that are protected by law in many countries. Most countries grant 4 basic rights: Access, Rectification, Cancellation and Objection (by their initials, the so-called ARCO rights). Citi responds to these rights globally in order to provide a consistent standard to corporate clients.

You can CONTACT US to request any of the following rights:

• Right to be informed
  • You have the to be informed of sub-processors (sub-contractors) that receive your data and a summary of processing purposes and of how we use operational and technical measures to protect your data.
• Right to access your information:
  • You can CONTACT US to request a copy of the personal information we hold about you. This is often known as a ‘subject access request’.
• Right to rectify your information
  • You can CONTACT US to ask us to correct personal information that you believe we hold which may be inaccurate or incomplete.
• Right to erase your information (or “right to be forgotten”)
  • You can CONTACT US to ask us to erase personal information that we hold about you, which we will carry out unless we are required to retain it for a specific duration, in order to prevent fraud and other forms of crime, or for our defence in claims.
  • There may be some instances where we are not able to erase your personal information if we are under a legal requirement to store product applications or information in relation to banking or securities transactions. If this is the case, we will clearly explain in our reply to your request the reason we are unable to cease processing (and storing) your personal information.
• Right to transfer your information to another organisation
  • You can CONTACT US to ask us to transfer your personal information to other organisations. This is often known as the ‘right to data portability’.
    • There may be some instances where we are not able to transfer your information, if we are relying on a lawful basis other than ‘consent’ or ‘contract’ to process your personal information.
• Right to restrict processing of your personal information
  • You can CONTACT US to ask us to restrict processing of your personal information.
  • There may be some instances where we are not able to restrict processing of your personal information if you do not provide us with a particular reason for wanting the restriction.
• Right to object to processing.
  • You can CONTACT US to object to us processing your information.
    • We may not always be able to accept your objection, if we need to continue to process your information for our business, legal and regulatory and other purposes.
• Right to object to the grounds of legitimate interests for processing
  • Where legitimate interests are available as the lawful basis for processing your personal information, you can CONTACT US to object to us processing your information on this basis.
  • We will always consider your reasons for objecting to us processing personal information on these grounds, and balance your interests, rights, and freedoms with our legitimate business interests.
• Right to withdraw your consent for processing your personal information
  • You can CONTACT US to withdraw your consent for processing your personal information.
  • If you withdraw your consent for processing of your personal information and it is necessary for us to conclude a transaction or for legal and regulatory purposes, then we may not be able to provide you with the relevant products and / or services that require such consent.
  • There may be situations where we are unable to stop processing your personal information after you withdraw your consent, where it is a legal requirement for us to continue using or storing certain information. If this is the case, we will clearly explain the reason we are unable to stop using (and storing) your personal information.
     

Citi may not always be able to provide requested information or fulfil other rights where certain exceptions apply to a rights request. In our reply, if we need to withhold certain information or cannot fulfil your request we will explain the rationale for our decision, and the subsequent steps you can take.

We will always respond to your request within the timeframes provided under applicable law.
To ensure your safety and given the confidentiality of financial information, we must verify your identity before disclosing any personal data related to financial or banking operations. If you are making a request on behalf of someone else (as an attorney or a friend or relative) we may require further information to ensure that you are duly authorized to make that request.

8. DISCLOSURES AND RECIPIENTS OF PERSONAL INFORMATION

For the purpose of providing banking and financial services, we disclose personal information to third parties confidentially, and where necessary, as follows:

• To Your Organization, in connection to the services that we provide to them.
• To our own affiliates or business groups, who receive or have access to personal information about you, if you request or use their services including online portals and Apps.
• To Citi’s service providers who assist business functions such as application processing, fraud and money laundering monitoring, and the provision of client service centres and web hosting, and data analysis.
• To stock and security trading houses and exchanges, alternative trading systems, settlement agencies, facilities and similar entities, including clearing houses, payment infrastructure providers, counterparty banks, and any persons from whom we receive or make payments instructed or received by you.
• To securities brokers, custodians, sub-custodians, fund administrators, fund houses, depositaries, trustees, financial market infrastructure service providers (including settlement and securities payment providers), and
• To professional services providers: auditors, insurers, legal counsel, and to competent regulatory, tax, governmental or jurisdictional authorities, including central banks and financial regulators, and to the courts of any competent jurisdiction, domestic or foreign.

We will only share your information for the purposes outlined in the Section 4 (“Purposes and Use of Personal Information”) in this Global Privacy Notice.

Where required by applicable law, we shall add to Country or Territory Supplemental Provisions, and to our client terms, details of third parties we share information with, their locations, and the categories of information that we share.

9. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

We provide services to corporations and institutions in more than 120 countries and territories. Your personal information is stored and processed where Your Organization opens a product or receives a service, and backed up and further processed (unless your country or territory has data localization laws) in global service centres, for operational and regulatory purposes. The Supplemental Provisions indicate their location.

We transfer personal data in outgoing payment orders and other cross-border instructions to correspondent banks. Where there is an incoming payment or any other transaction, we will transfer beneficiary account information to our correspondent bank if the payment is processed through our WorldLink ® service, or if the funding account is held in another Citi affiliate, or if we are required by statutory obligations.

Citi and its service providers transfer your personal information to countries and territories that may not provide legal protection that is equivalent to that offered in the place of business or establishment of Your Organization. For this reason, we take steps to ensure that your personal information receives an optimal level of protection wherever we process it, by using our own affiliate organizations, or if otherwise, by introducing appropriate contractual and technical and operational means, including standard contractual clauses, complemented with transfer impact assessments (TIA) and specific measures to resolve any issues detected in a TIA. Where transferring data is an essential pre-requisite for executing a banking instruction, carried out as mandated, and with the knowledge and in the interest of the client, we may rely in legal exceptions or derogations for international data transfers in countries that have no formal declaration of data equivalence or ’adequacy’.

10. STORAGE AND RETENTION (ARCHIVING) OF PERSONAL INFORMATION

We process personal information only for the length of time that is necessary to carry out the purposes for which personal data was collected, and retain your data during the time Your Organization’s accounts and products are open, or a transaction is underway, and for a certain length pf time after its closure. Our retention periods vary in accordance with applicable law in the country where we collect personal information, including under commercial banking and securities and anti-money laundering legislation, and, in accordance with statutory limitation periods. When the retention of your personal information is no longer necessary, we will securely dispose of it by destroying the data, or we will irreversibly anonymize it, so that it is no longer personal data. The Country and Territory Supplements indicate the applicable retention terms. Please note that retention periods for sensitive personal information, or protected categories of personal information are significantly constrained: if we do not need the information for a protected function any further we will erase or destroy it.

11. SECURITY

Citi takes all steps required by law to preserve the security of personal information.
All personal information is held in a protected environment with sufficient organizational and technology measures appropriate to a professional financial organization. 
We have put in place and implemented appropriate technical and organizational measures to provide an high information security level that is appropriate to the risks associated with a large financial institution, and in accordance with recognized international standards including ISO/IEC 27001:2013 to prevent your personal information being accidentally lost, used¸ altered disclosed or accessed in an unauthorized way.

In addition, we apply appropriate safeguards, including strict role-based access, encryption in transit and at rest, operational and logical separations, need-to-know approvals and data deletion once the processing of your personal information is no longer necessary.

12. MINORS (CHILDREN)

Our products and financial services are intended for corporate, government and institutional clients, and are not designed for persons that cannot enter into business transactions in their own name, including children. 

We do not knowingly collect without consent from their parents or guardians, personal information from persons under the age of 16, other than for executing payments. We do not sell, share, or use their data for social media and we do not have targeted advertising directed to children. 

We may process personal information relating to minors with prior consent from their parents or guardians, if they are named beneficiaries of trusts, wills or insurance policies, and for similar uses permitted by law. If you have reason to believe that information about a child has been provided to us in error, please contact us.

13. SUPPLEMENTAL PROVISIONS

13.a Supplemental Provisions for Countries and Territories 

NORTH AMERICA

CALIFORNIA 

• California Supplemental Provision
• California Notice at Collection

ASIA-PACIFIC

• HONG KONG
• INDONESIA (in English) (Bahasa Indonesia)
• JAPAN
• MALAYSIA
• PHILIPPINES
• SINGAPORE
• SRI LANKA
• THAILAND (in English) (ภาษาไทย)
• VIETNAM 

LATIN AMERICA

• ARGENTINA
• ECUADOR
• JAMAICA
• PANAMA (in English) (en Español)
• URUGUAY 

EUROPE, MIDDLE EAST AND AFRICA

• ALGERIA
• EUROPEAN ECONOMIC AREA, EUROPEAN UNION, UNITED KINGDOM and OTHER EUROPEAN COUNTRIES.**

• NIGERIA
• KENYA
• SAUDI ARABIA
• TANZANIA

b)     Digital Platforms

Please click here to review our Digital Platforms supplement, which apples to Citi’s online banking and trading portals, and mobile Apps including CitiVelocity and CitiDirect.

c)    Citi Research 

Please click here to review the Citi Research supplement. 
 

CONTACT INFORMATION

Please use the Contact Us links provided under Section 6 (“Your Privacy or Data Protection Rights”) to exercise your data subject rights, or refer to the Supplemental Provisions for the location were we provide services. You may also contact our Data Protection Officers as indicated in the Supplements, including:

If you feel that your data has not been handled correctly by Citi, or you are unhappy with our response or have concerns regarding the use of your data, you have the right to lodge a complaint with a data protection authority in the country where the alleged infringement of data protection law occurred. Contact details for data protection authorities can be found here, and as otherwise indicated in any country or territory-specific supplemental provisions: 

EU/EEA: http://ec.europa.eu/justice/article-29/structure/data-protection- authorities/index_en.htm 

United Kingdom: Information Commissioner’s Office (ICO): www.ico.org.uk 

Jersey: Office of the Information Commissioner: https://jerseyoic.org