This Privacy Statement explains how Citi UK processes personal information about clients of the consumer bank under the brands Citigold®, Citigold® Private Client, Citi International Personal Bank (UK) and the beneficiaries, family members, signatories, associates and representatives of those clients. This Privacy Statement includes information about your data subject rights, including your right to access your personal data and to object to certain forms of processing.
This Privacy Statement supersedes all Citi Privacy Statements relating to the retail bank that exist prior to its effective date.
The data controllers of your information are Citibank UK Limited and Citibank N.A., Jersey Branch.
In almost all customer relationships, Citi UK acts as an independent Data Controller. In truly exceptional cases Citi UK may act as a Data Processor. If you enter into a contract in which Citi UK sets itself out as a data processor, this Privacy Statement will not be applicable to that contract unless otherwise agreed.
This Privacy Statement takes effect on 01 January 2020.
1. When does this Privacy Statement apply to you?
1.1 It applies if:
1.2 For a list of countries in which Citi Companies operate please see https://www.citigroup.com/citi/about/countrypresence/.
2. How can you contact Citi?
2.1 The contact details for the data controllers on this Privacy Statement are:
Citibank UK Limited
P.O. Box 4012
Citibank N.A., Jersey Branch
Level 10, Citigroup Centre 1
25-33 Canada Square
London E14 5LB
2.2 If you have any questions or requests in relation to your personal information, you may also contact
CITIGROUP Data Protection Officer (Chief Data Privacy Officer - EMEA)
Level 9, Citigroup Centre 2
25- 33 Canada Square
3. Why does Citi process your personal information?
Citi UK and Jersey and other Citi Companies may process your personal information for the reasons set below.
|(a) Where the processing is necessary for us to perform a contract with you or for requested pre-contract steps||
|(b) Where we are required by applicable law||
|(c) Where necessary for our or a third party’s legitimate interests (as listed here)||
|(d) Where you consent to the processing of personal data||
You can withdraw or revoke consents in this section at any time. However, if we need your consent to process or carry out an activity, we will not be able to perform that activity or provide services and will we will cease using your data for this purpose, but may continue to process your data where we have other lawful grounds to do so, such as where we are legally required to keep records of transactions. Withdrawing or revoking your consent will not affect any processing of your information that has already taken place.
4. Where does Citi obtain information about you?
4.1 We process information that you provide to us directly and information we learn about you from our communications and dealings with you, such as data and cookies collected from your interactions with our website and Citi Online (subject to your cookie choices), information about Citi publications and products you interact with in third party platforms and your responses when we send you emails and other communications (subject to your marketing contact preferences).
4.2 We also process information about you from other sources as set out below.
|(a) Our clients||This is information that we learn from you through other dealings with you (or your organisation). We may also obtain contact information from you from an existing individual or corporate customer if you are associated with that customer and/or they think that you may be interested in our products or services. Clients of Citi clients may be based in the United Kingdom, the Channel Islands, and the EU/EEA or outside those countries or regions. We obtain your name, company, title and job description, and contact details such as email address and telephone number or business address.|
|(b) Public sources||Sources both inside and outside the UK, Jersey and the EU/EEA, such as credit reference agencies, fraud prevention agencies and outlets, professional background checking entities, international sanctions lists, any publically available databases or data sources. The information we obtain from credit reference agencies will include public information such as county court judgments and information from the electoral register. Data we may obtain may be shared with Citi Companies and include your name, gender (including any former gender), company, title and job description and contact details such as email address and telephone number or business address, details about your personal or business interests or activities.|
|(c) Other sources||Any research agencies who may carry out research on our behalf both inside and outside the United Kingdom and the EU/EEA. The data we may obtain could include any of the data listed in sections 4.1 (a) and (b).|
5. To whom does Citi disclose your personal information?
We disclose your personal information as follows:
6. Where does Citi transfer your personal information?
Your data is stored at Citibank UK Limited and Citibank N.A., Jersey Branch and copies are maintained at regional data centres in the EU. In addition, on order to ensure global consistency, enhance security and facilitate quick delivery of cross-border services, customer management data may also be accessed from other regional data centres. For a list of entities and countries in which Citi Companies operate please see https://www.citigroup.com/citi/about/countrypresence/.
We transfer your personal data to third parties (e.g. service providers or counterparty banks in a transaction) outside the European Economic Area which have different data protection standards to those which apply in the United Kingdom, Jersey and the European Economic Area. Some of these countries benefit from an European Commission adequacy or equivalence decision. For other countries, we have put in place standard contractual clauses within Citi or with the relevant third party to protect your personal data. We also rely on other permitted data transfer mechanisms such as specific contractual clauses and binding corporate rules.
7. For how long does Citi store your personal information?
Where we process personal data in connection with performing an agreement we have with you or our client, we keep your personal data for as long as is required in order to fulfil our contractual obligations to you or our clients, and for a prudential term thereafter, reflecting the statutory limitation period (or ‘statute of limitations’) under the law governing that contract or transaction.
Where we process personal data in connection with a legal obligation (for example for AML purposes) such personal data will be kept for as long as is required under applicable law. A copy of telephone recordings or electronic communications that result (or may result) in a transaction will also be available to you from the date of that communication for the duration of the legal retention period.
Where we process personal data solely with your consent, we process the personal data until you ask us to stop, and for a reasonable period for completion of any pending transactions upon your request.
8. What automated decision taking does Citi carry out?
8.1 All our decisions, including investor suitability, are conducted and/or checked by persons. We do not use fully automated decision-making in providing services to you.
8.2 We process some personal data automatically in order to make certain assessments about you. This is known as profiling. We do this, for instance, to assess your investment maturity and objectives and your risk tolerance, and to assess your ability to repay any loans; to meet regulatory or for legal requirements, including for the prevention of crime and money laundering.
8.3 Where we rely on profiling, we will seek your consent unless we must do it in order to enter into, or to perform, a contract with you or where we are authorised by any applicable law to carry out this activity. You have the right to request a person to re-assess any profiling in respect of loans, mortgages and other financial product applications. In the event we use any automated decision-making in our products, you will be entitled and given the option to opt-out in our product applications.
8.4 For the automated or profiling activities you have the right to request a person to re-assess any decision.
9. What are your rights in relation to personal information?
9.1 You can ask us to: (a) provide you with a copy of your personal data; (b) correct your personal data; (c) erase or delete your personal data; (d) transfer your personal data to other organisations; and (e) restrict processing of your data. You can also object to processing of your personal information, in particular where related to direct marketing or where we process your information on the basis of legitimate interests (see Section 3.1(c)) unless we have an overriding interest or a legal obligation. Upon receiving any request from you in relation to these rights we will take reasonable steps to verify your identity (or the identity and authority of your representative) prior to releasing any personal data.
9.2 You can change or update your contact details and your marketing preferences at any time by accessing Citi Online or contacting your Relationship Manager (if applicable) or on CitiPhone.
9.3 If you wish to exercise your rights or if you have any queries about your personal data, please contact your Relationship Manager (if applicable), CitiPhone, or the Data Protection Officer using the contact details in Section 2 above. If you have unresolved concerns, you have the right to direct your complaint to the relevant data protection authorities: the Information Commissioner’s Office in the United Kingdom and the Jersey Office of the Information Commissioner.
10. Cookies and Online Data
10.1 Any processing of information that we collect in our websites using electronic methods including cookies or online identifiers is detailed in our Bank Online Privacy Notice and Cookies Policy. Cookies and online identifiers that are not strictly necessary for the operation and security of our websites (‘essential cookies’) are subject to your consent.
10.2 We also collect information about how you manage and use your Account(s), the type of purchases you pay from your Account(s) (whether by a Card, Direct Debit, online or in any other way) and electronic payments made into your Account(s). This information will include the name of the payer (for example, your employer) and the supplier (for example, a shop) and the general nature of the goods and services paid for. We obtain this information automatically as part of operating your Account(s). Cash and cheque payments are safe alternatives if you do not want us to have information.
10.3 If you operate your account on the Citi Online site, we use essential cookies and web logs (information about how you use our website) to improve the security of our service and information. Please refer to our Online Privacy Statement and Cookies Policy for more details.
10.4 Where Citi places online adverts or uses a third party to carry out data analytics (including measuring responses to online advertisements), Citi is a data controller of such data.
11. Changes to this Privacy Statement
If we modify this Privacy Statement at any time we will place the modified versions on this website. We encourage you to regularly review this Privacy Statement to ensure that you are always aware of what personal information we collect and how we use, store and disclose.
12. The EU General Data Protection Regulation and the California Consumer Privacy Act
12.1 In this Privacy Statement any references to the ‘GDPR’ mean the General Data Protection Regulation (EU) 2016/679 and any complementing, substituting or equivalent legislation in the UK including without limitation, the UK Data Protection Act 2018, and at the end of the Transition Period established in the European Union (Withdrawal) Act, the GDPR as it forms part of UK statutes pursuant to the Privacy, Electronic Communications and Personal Data (Amendment) (EU Exit) Regulations 2019.
12.2 If you are, or will be, a resident of the U.S. State of California, you have certain rights with respect to your Personal Information under the California Consumer Privacy Act ("CCPA") as of January 1, 2020.
To assert your rights under CCPA, please call the U.S. number +1 833-971-1191 or access the California privacy hub https://online.citi.com/US/ag/dataprivacyhub/home.