CITI CONSUMER BANK
PRIVACY STATEMENT FOR EU/EEA CUSTOMERS
This Privacy Statement explains how Citi processes personal information about its clients and the beneficiaries, family members, signatories, associates and joint account holders of its clients. This Privacy Statement includes information about your data protection rights, including a right to object to certain processing.
This Privacy Statement supersedes all Citi Privacy Policies and Data Protection Notices that exist on its effective date to the extent they address the same issues or conflict with the provisions of this Privacy Statement.
This Privacy Statement takes effect on 25 May 2018.
1. When does this Privacy Statement apply to you?
1.1 It applies if:
- you are an individual customer, or a person associated with a corporate client having an account or financial product with:
Citibank Europe plc, UK Branch
Citibank N.A., (London Branch)
Citibank N.A., (Jersey Branch);
- your personal information is also processed by any other Citi entity if you
are resident of, or domiciled or located in, a European Union, or European
Economic Area country, Switzerland or Jersey and you receive offshore banking
services from a Citi entity from outside those countries and territories; and
- your personal information is otherwise processed by an affiliate or subsidiary of Citigroup Inc., in the EU/EEA.
1.2 For a list of countries in which Citi Companies operate please see http://www.citigroup.com/citi/about/countrypresence/
Some of these countries are subject to a European Commission adequacy decision. For other countries, we have put in place European Commission-approved standard contractual clauses within Citi or with the relevant third party to protect this personal data. We also rely on other permitted data transfer mechanisms such as Privacy Shield certifications or binding corporate rules (approved by EU data protection authorities and put in place to protect your personal data). You have a right to ask us for a copy of the safeguard used by contacting us as set out below.
2. How can you contact Citi?
2.1 The contact details for the data controllers on this Privacy Statement are:
Citibank Europe plc, UK Branch
P.O. Box 4012
Citibank N.A., (London) and Citibank N.A., (Jersey)
Level 10, Citigroup Centre 1
33 Canada Square
2.2 If you have any questions or requests in relation to your personal information, you may also contact your Relationship Manager, CitiPhone or the EMEA Chief Privacy Officer as follows:
Data Protection Officer (Chief Data Privacy Officer - EMEA)
33 Canada Square
3. Why does Citi process your personal information?
Citi entities, branches, subsidiaries or affiliates, may process your personal information for the reasons set out below.
|(a) Where the processing is necessary for us to perform a contract with you or for requested pre-contract steps
- To provide financial services and related services to you where you have a contract with us, and to operate, maintain, and manage your account(s) pursuant to that contract. This includes processing of instructions and generation of confirmations, advices and statements and the carrying out of instructions.
- For other activities prior to entering into a contract with us for a product or service, including to assess your needs in relation to specific products or services, to determine the level of advice, asset management or support that you need.
- To allow a third party payment provider to access your personal and transactional data and/or initiate payment transactions as described in your account terms and conditions.
|(b) Where we are required by EU law
- To disclose information to governmental entities or regulatory authorities, financial markets, brokers or other intermediaries or counterparties, courts or other parties.
- To conduct compliance activities such as audit and reporting, assessing and managing risk, maintenance of accounting and tax records, the prevention and prosecution of fraud, anti-money laundering (AML) and other forms of crime, debt recovery, prevention and measures relating to sanctions, anti-terrorism laws and regulations. This includes know your customer screening (which involves identity checks and verifying address and contact details); screening of politically exposed persons (which involves screening client records against internal and external databases to establish connections to politically exposed persons or ‘PEPs’); sanctions screening (which involves the screening of clients details against published sanctions lists); exchange source of wealth data and passports with an account carrier to open and maintain a bank account, and with any Citigroup trustee to open and maintain a trust; as part of client due diligence and onboarding. We may verify information from you and/or your spouse or partner.
- For transaction reporting to our regulators.
- For compliance with duties under any Tax Act and applicable laws, including under the Foreign Account Tax Compliance Act and the Common Reporting Standard.
- When and as required by applicable law to assess if investments are suitable or appropriate for you based on your investment experience and statistical analysis for our or their business.
- To record telephone conversations and electronic communications with you that result or may result in transactions, to retain your picture, record video footage in our branches (subject to separate voice or video recording notices as may be applicable) and to keep samples of your signature or handwriting.
|(c) Where necessary for our or a third party’s legitimate interests (as listed here)
- To provide financial services to you and our clients and to communicate with you about these.
- To develop and maintain an up-to-date picture of you as a customer and assess your needs in relation to financial products or services, to determine the level of advice, asset management or support that a client needs or carry out transactions in compliance with contractual obligations.
- To review relationship details with a client or beneficiary to whom Citi owes a duty to account (such as a Citigroup wealth planner).
- To manage and administer Citi’s business and to manage and improve relationships with you and our clients and assist with client management and for marketing and business development activities and analysis.
- To inform you about our products or services or any products and services of any Citi Companies, subject to your contact preference options and rights to object to marketing communications.
- To monitor and analyse the use of Citi services, for risk assessment and control, for statistical and trend analysis, for compliance with policies and system administration, operation, testing and support, and to operate control and management information systems.
- To help detect, prevent, investigate, and prosecute fraud and other criminal activity, and share this data with Citigroup legal, compliance, risk and managerial staff to assess suspicious activities.
- To manage our information technology and to ensure the security of our systems.
- To disclose information to and comply with instructions of relevant governmental, tax or regulatory bodies, financial markets, brokers or other intermediaries, counterparty, court, auditors or other third parties and to conduct compliance activities, in our, or someone else's interests, in connection with any transaction or instruction anywhere in the world (and specifically outside the territories in 1.1) and to make such disclosures (even to the detriment of the client or its beneficiaries) to prudential regulators in respect of US persons, including under the Foreign Account Tax Compliance Act and the Common Reporting Standard.
- To make applications for protective orders or directions to courts supervising Citi as Trustee or to establish, exercise or defend legal claims and in order to protect and enforce Citi’s rights, property, or safety, or to assist our clients or others to do this.
- To investigate and respond to any complaints about us or our business or any incidents relating to us or our business and to help maintain service quality and train staff, to deal with complaints and disputes.
- When you or our client instruct(s) us to send money from an account to a third party’s account, in order to enable the third party to perform payment reconciliations, and for ourselves to keep a record of your transactions.
|(d) Where you consent to the processing of personal data
- To carry out compliance activities using information about political affiliation and office and criminal convictions and sanctions. In some countries we do not need your consent to process this information.
- For direct marketing from Citi, subject to your marketing and contact preferences.
- Under your directions to establish a relationship with a financial institution other than Citigroup, in which Citi or any related party may release all necessary personal data and execute all secrecy waivers and consents for disclosure and data processing required by that other financial institution.
- Prior to making a distribution from the issuer of a security to shareholders, Citi may require that an interest holder provide authorisation and consent.
- For the purposes of providing and executing payments from and into your accounts or (further to your instructions) through payment services providers and to share your data with aggregated services providers authorised by law.
You can withdraw or revoke consents in this section at any time. However, if we need your consent to process to carry out an activity, we will not be able to perform that activity or provide services and will we will cease using your data for this purpose, but may continue to process your data for purposes where we have other lawful grounds to do so, such as where we are legally required to keep records of transactions. Withdrawing or revoking your consent will not affect any processing of your information which has already taken place by that date.
4. Where does Citi obtain information about you?
We process information that you provide us directly and information we learn about you from our communications and dealings with you. We also obtain some information about you from others, as set out below.
|(a) Our clients
||This is the individual, corporate or institutional client, or prospective client, you are associated with (if relevant). Our clients may be based in the EU or outside the EU. We obtain your name, company, title and job description and contact details such as email address and telephone number or business address.
|(b) Public sources
||Sources both inside and outside the EU, such as credit reference agencies, fraud prevention agencies and outlets, professional background checking entities, international sanctions lists, any publically available databases or data sources. The information we obtain from credit reference agencies will include public information such as county court judgments and information from the electoral register. Data we may obtain may be shared with Citi Companies and include your name, gender (including any former gender), company, title and job description and contact details such as email address and telephone number or business address, details about your personal or business interests or activities.
|(c) Other sources
||Any research agencies who may carry out research on our behalf both inside and outside the EU. The date we may obtain could include any of the data listed in sections 4.1 (a) and (b).
5. To whom does Citi disclose your personal information?
We disclose your personal information to others as follows:
- to any Citi Company for the purpose of managing our and their relationship with you and other purposes identified in this Privacy Statement;
- in case of threatened or filed litigation, Citi and Citigroup may process and exchange personal data with management and counsel;
- if false or inaccurate information is provided or in case of a criminal or money laundering investigation, Citi and any Citi Company may cooperate with authorities and process and disclose personal data to any government, judicial body, or regulatory body of which a Citigroup entity is a member or is subject to that body’s jurisdiction or rules;
- we will also give details of how you manage your Account to credit reference agencies (we do not use credit reference agencies in connection with applications for, or the management of, savings products). An “association” between joint applicants and/or any individual identified as your financial partner will be created at credit reference agencies, which will link your financial records. You and anyone else with whom you have a financial link understand that each other’s information will be taken into account in all future applications by either or both of you. This linking will continue until one of you successfully files a “disassociation” at the credit reference agencies;
- we and other organisations access and use information about you, and anyone linked to you, recorded with credit reference agencies to prevent fraud and money laundering, for credit assessment and account management, tracing and debt recovery, identity verification and statistical analysis and systems testing;
- we will also disclose your information:
- to our insurers, sub-contractors and persons acting as our agents who have agreed to keep your information strictly confidential;
- to linked suppliers to the extent that they need your information to provide additional contracted benefits or services to you;
- to any bank, financial institution or company to whom we may assign or transfer our rights and/or duties under our Agreement; and
- if we are required or permitted to do so by Applicable Law, including to Authorities;
- in case of substantial business risks and for compliance with laws, risk criteria, procedures, and policies, Citi and Citigroup may process and exchange personal data with the responsible Citigroup chief trust officer, senior risk officer, compliance officer, legal officer, tax officer, anti-money laundering officer, fraud officer, audit officer, data protection officer, control officer, Citi leadership team, and Citi managers;
- at the request of any counterparty bank, payment infrastructure provider, custodian, sub-custodian, fund houses, fund administrators or issuers of securities in relation to any payment or investment or business process and to service your account and investment as per the provisions of any specific product or service agreement relevant to such investment or service;
- with management and counsel as required in order to establish, exercise or defend or to protect legal claims, including in relation to our contracts with our clients and in order to protect the rights, property, or safety of us, our business, any Citi entities, our clients or others including to legal, tax or other professional advisors, government and law enforcement authorities and with other parties involved in, or contemplating, legal proceedings;
- to any competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals in any jurisdiction: (i) for or in connection with an examination of us by bank or other examiners; (ii) pursuant to subpoena or other legal process; (iii) at the express direction of any other authorised government agency; (iv) to our internal or external attorneys or auditors; (v) to others to whom we are required to make such disclosure by applicable law; and
- to third parties in connection with a change of ownership in Citi or any of its assets.
6. Where does Citi transfer your personal information?
We transfer your personal data to Citi Companies (see the link in Section 1.2 for their locations) and to third parties (e.g. service providers) outside the European Economic Area which have different data protection standards to those which apply in the European Economic Area. Some of these countries benefit from a European Commission adequacy decision. For others, we have put in place EU-approved standard contractual clauses within Citi or with the relevant third party to protect this personal data. We also rely on other permitted data transfer mechanisms such as Privacy Shield or third party binding corporate rules (approved by EU data protection authorities and put in place to protect your personal data). You can ask us for a copy of the safeguards used by contacting us as set out above. There will be instances where it is necessary for our contract with you to transfer your data.
7. For how long does Citi store your personal information?
Where we process personal data in connection with performing an agreement we have with you or our client, we keep your personal data for as long as is required in order to fulfil our contractual obligations to you or our clients, and for a prudential term thereafter, reflecting the statutory limitation period (or ‘statute of limitations’) under the law governing that contract or transaction.
Where we process personal data in connection with a legal obligation (for example for AML purposes) such personal data will be kept for as long as is required under applicable law. A copy of telephone recordings or electronic communications that result (or may result) in a transaction will also be available to you from the date of that communication, for the duration of the legal retention period.
Where we process personal data solely with your consent, we process the personal data until you ask us to stop, and for a reasonable period for completion of any pending transactions upon your request.
8. What automated decision taking does Citi carry out?
8.1 All our decisions, including investor suitability, are conducted and/or checked by persons. We do not use any fully automated decision-making in providing services to you.
8.2 We process some personal data automatically in order to make certain assessments about you. This is known as profiling. We do this, for instance, to assess your investment maturity and objectives and your risk tolerance, and to assess your ability to repay any loans; to meet regulatory or for legal requirements, including for the prevention of crime and money laundering.
8.3 Where we rely on profiling, we will seek your consent unless we have to do it in order to enter into, or to perform, a contract with you or where we are authorised by law in the EU to carry out this activity. You have the right to request a person to re-assess any profiling in respect of loans, mortgages and other financial product applications. In the event we use any automated decision-making in our products, you will be entitled and given the option to opt-out in our product applications.
8.4 For the automated or profiling activities you have the right to request a person to re-assess any decision.
9. What are your rights in relation to personal information?
9.1 You can ask us to: (a) provide a copy of your personal information; (b) correct your personal information; (c) erase your personal information; (d) transfer your personal information to other organisations; and (e) restrict processing of your personal information. You can also object to some processing of your personal information, including in relation to direct marketing and where we process your information because this is in our legitimate interests (see Section 3.1(c)). These rights may be limited in some situations; for example, where we are required to process your personal information by law.
9.2 You can change your marketing preferences at any time by accessing Citibank Online or contacting your Relationship Manager or CitiPhone.
9.3 If you wish to exercise these rights or if you have any queries about your personal information, please contact your Relationship Manager, CitiPhone, or the Data Protection Officer using the contact details in Section 2 above. If you have unresolved concerns you have the right to complain to the relevant data protection authorities. You can bring the complaint in the Member State where you reside, where you work or where the alleged infringement of data protection law occurred.
10. Cookies and Online Identifiers
10.1 Any personal information we collect using electronic methods including cookies or online identifiers includes information about how you manage and use your Account(s), the type of purchases you make from your Account(s) (whether by a Card, Direct Debit or in any other way) and payments which are made into your Account(s). This information will include the name of the payer (for example, your employer) and the supplier (for example, a shop) and the general nature of the goods and services paid for. We obtain this information automatically as part of operating your Account(s). If you do not want us to have it you should consider an alternative to using your Account(s).
11. Changes to this Privacy Statement
If we modify this Privacy Statement at any time we will place the modified versions on this website. We encourage you to regularly review this Privacy Statement to ensure that you are always aware of what personal information we collect and how we use, store and disclose.