PRIVACY STATEMENT

CITI CONSUMER BANK

PRIVACY STATEMENT FOR UK AND JERSEY CUSTOMERS

This Privacy Statement explains how Citi UK processes personal information about clients of the consumer bank under the brands Citigold®, Citigold® Private Wealth, Citigold Private Client, Citibank International Personal Bank (UK), Citigold Wealth Management, Citi (UK) and the beneficiaries, family members, signatories, associates and representatives of those clients. This Privacy Statement includes information about your data subject rights, including your right to access your personal data and to object to certain forms of processing.

This Privacy Statement replaces all Citi Privacy Statements relating to the retail bank that exist prior to its effective date.

The data controllers of your information are Citibank UK Limited and Citibank N.A, (Jersey Branch).

In almost all customer relationships, Citi UK acts as an independent Data Controller. In truly exceptional cases Citi UK may act as a Data Processor. If you enter into a contract in which Citi UK sets itself out as a data processor, this Privacy Statement will not be applicable to that contract unless otherwise agreed.

This Privacy Statement takes effect on 31 July 2023.

1.    When does this Privacy Statement apply to you?

1.1  It applies if:

    a.you are an individual client, or a person associated with a corporate client having an account or financial product with Citibank UK Limited and/or Citibank N.A., Jersey Branch; or

    b.your personal information is processed by any other Citi Company in connection to retail bank activities where the entities in paragraph (a) above act as intermediaries, and you are resident of, or domiciled or located in, a country in the European Union or European Economic Area, the United Kingdom, the Channel Islands (Jersey, Guernsey) or Switzerland, and receive offshore banking services from that Citi Company in those countries and territories; or

    c.your personal information is otherwise processed in relation to a retail bank operation by an affiliate or a subsidiary of Citigroup Inc., in the United Kingdom or Jersey.

1.2 For a list of countries in which Citi Companies operate please see https://www.citigroup.com/citi/about/countrypresence/.

2.    How can you contact Citi?

2.1 The contact details for the data controllers on this Privacy Statement are:

Citibank UK Limited
P.O. Box 4012
Swindon
SN4 4JZ
United Kingdom

Citibank N.A. (Jersey Branch)
Level 10, Citigroup Centre 1
25-33 Canada Square
London E14 5LB
United Kingdom

2.2 If you have any questions or requests in relation to your personal information, you may also contact

Citigroup Data Protection Officer (United Kingdom and Jersey Chief Privacy Officer- EMEA)
Level 9, Citigroup Centre 2
25- 33 Canada Square
London
E14 5LB
United Kingdom
Email: Dataprotectionofficer@citi.com

3. Why does Citi process your personal information?

Citi UK and Jersey and other Citi Companies may process your personal information for the reasons set below:

(a) Where the processing is necessary for us to perform a contract with you or for requested pre-contract steps
  1. To provide financial products and banking services to you where you have a contract with us, and to operate, maintain, and manage your account(s) under that contract. This includes processing instructions and generating confirmations, advices and statements and the carrying out instructions.
  2. For other activities prior to you entering into a contract with Citi for a product or service, including assessing your needs in relation to specific products or services, to determine the level of advice, asset management or support that you need.
  3. To allow a third party payment provider to access your personal and transactional data and/or initiate payment transactions as described in your account terms and conditions.
(b) Where we are required by applicable law
  1. To disclose information to governmental entities or regulatory authorities, courts, financial markets, brokers or other banking intermediaries or counterparties and other parties to an agreement.
  2. To conduct compliance activities such as auditing and reporting, assessing and managing risk, maintenance of account and tax records; the prevention and prosecution of fraud or other forms of crime, anti-money laundering (AML), debt recovery, and measures relating to UK and international government sanctions and anti-terrorism laws and regulations.
  3. This includes know your customer screening (identity checks and verifying addresses and contact details); screening of politically exposed persons (screening client records against internal and external databases to establish connections to politically exposed persons or ‘PEPs’); sanctions screening (screening client’s details against published sanctions lists); to exchange source of wealth data with background checking and credit reference agencies to open and maintain bank accounts and products, and with trustees to open and maintain a trust. We may verify certain information about you with your employer, spouse or partner. These confidential references are exempted from disclosure.
  4. For transaction reporting to regulators and for any other form of reporting required by law.
  5. For compliance with duties under any tax legislation and other applicable law.
  6. When and as required to assess if investments are suitable or appropriate for you based on your investment experience and statistical analysis for our or their business.
  7. To record your voice in conversations with you that result or may result in transactions, and to retain your picture, record video footage in our branches and to keep samples of your signature or handwriting.
(c) Where necessary for our or a third party’s legitimate interests (as listed here)
  1. To provide financial services to you and our clients and to communicate with you about these.
  2. To develop and maintain an up-to-date picture of you as a customer and assess your needs in relation to financial products or services, to determine the level of advice, asset management or support that a client needs or carry out transactions in compliance with contractual obligations.
  3. To review relationship details with a client or beneficiary to whom Citi owes a duty to account (such as a Citigroup wealth planner).
  4. To manage and administer Citi’s business and to manage and improve relationships with you and our clients and assist with client management and for marketing and business development activities and analysis.
  5. To inform you about our products or services or any products and services of any Citi Companies, subject to your marketing preference options and right to object to marketing communications.
  6. To monitor and analyse the use of Citi services, for risk assessment and control, for statistical and trend analysis, for compliance with policies and system administration, operation, testing and support, and to operate control and management information systems, and to manage our information technology and to ensure the security of our systems.
  7. To help detect, prevent, investigate and prosecute fraud and other criminal activity, and share this data with Citigroup legal, compliance, risk and managerial staff to assess suspicious activities.
  8. To disclose information to, and comply with instructions of relevant governmental, tax or regulatory bodies, financial markets, brokers or other intermediaries, counterparty, courts, auditors or other third parties and to conduct compliance activities, in our, or someone else's interests, as relevant to with any cross-border transaction or instruction outside the UK and territories in 1.1 and to make such disclosures (even to the detriment of the client or its beneficiaries) to prudential regulators in respect of US persons where required under applicable law.
  9. To make applications for protective orders or directions to courts supervising Citi as Trustee or to establish, exercise or defend legal claims and in order to protect and enforce Citi’s rights, property, or safety, or to assist our clients or others to do this.
  10. To investigate and respond to any complaints or any incidents about us or our business and to help maintain service quality and train staff, to deal with complaints and disputes.
  11. When you or our client instruct(s) us to make a payment from an account at Citi to a third party’s account, in order to enable the third party to perform payment reconciliations, and for ourselves to keep a record of your transactions.
(d) Where you consent to the processing of personal data
  1. To carry out compliance activities using information about donations and political affiliation and office, and criminal convictions and administrative sanctions. In some countries, we do not need your consent to process this information.
  2. For direct marketing from Citi, subject to your marketing preferences.
  3. Under your directions to establish a relationship with a financial institution other than Citigroup, in which Citi or any related party may release all required personal data and execute all secrecy waivers and consents for the disclosure and processing required by that other financial institution.
  4. Prior to making a distribution from the issuer of a security to shareholders, Citi may require that an interest holder provide authorisation and consent.
  5. For the purposes of providing and executing payments from and into your accounts or (further to your instructions) through payment services providers and to share your data with aggregated services providers authorised by law.
  6. To process sensitive personal data including to capture information on customers’ vulnerabilities unless you are unable to provide your consent or the processing of your information relies upon a legal exemption.

You can withdraw or revoke your consent at any time. However, if we need your consent to process or carry out an activity, we will not be able to perform that activity or provide those services and will we will cease using your data for this purpose, but may continue to process your data where we have other lawful grounds to do so, such as where we are legally required to keep records. Withdrawing or revoking your consent will not affect any processing of personal data that has already taken place.


4.    Where does Citi obtain information about you?

4.1 We process information that you provide to us directly and information we learn about you from our communications and dealings with you, such as data and cookies collected from your interactions with our website and Citibank Online (subject to your cookie choices), information about Citi publications and products you interact with in third party platforms and your responses when we send you emails and other communications (subject to your marketing contact preferences).

4.2 We also process information about you from other sources as set out below.

(a) Our clients This is information that we learn from you through other dealings with you (or your organisation). We may also obtain contact information from you from an existing individual or corporate customer if you are associated with that customer and/or they think that you may be interested in our products or services. Clients of Citi clients may be based in the United Kingdom, the Channel Islands, and the EU/EEA or outside those countries or regions. We obtain your name, company, title and job description, and contact details such as email address and telephone number or business address.
(b) Public sources Sources both inside and outside the UK, Jersey and the EU/EEA, such as credit reference agencies, fraud prevention agencies and outlets, professional background checking entities, international sanctions lists, any publically available databases or data sources. The information we obtain from credit reference agencies will include public information such as county court judgments and information from the electoral register. Data we may obtain may be shared with Citi Companies and include your name, gender (including any former gender), company, title and job description and contact details such as email address and telephone number or business address, details about your personal or business interests or activities.
(c) Other sources Any research agencies who may carry out research on our behalf both inside and outside the United Kingdom and the EU/EEA. The data we may obtain could include any of the data listed in sections 4.1 (a) and (b).

5. To whom does Citi disclose your personal information?

We disclose your personal information as follows:

  1. to other Citi Companies for the purposes of managing our and their relationship with you, so that we (as their intermediaries) or them where permitted, may provide their products and services to you.
  2. we will also give details of how you open and manage your Account to credit reference agencies (we do not use credit reference agencies in connection with applications for, or the management of savings products). An “association” between joint applicants and/or any individual identified as your financial partner will be created at credit reference agencies, which will link your financial records. You and anyone else with whom you have a financial link understand that each other’s information will be taken into account in all future applications by either or both of you. This linking will continue until one of you successfully files a “disassociation” at the credit reference agencies.
  3. if false or inaccurate information is provided, or in case of a criminal or money laundering investigation, Citi and any Citi Company may cooperate with authorities and process and disclose personal data to any government, judicial, or regulatory authority or body of which a Citi Company is a member or is subject to that body’s jurisdiction or rules.
  4. we and other organisations access and use information about you, and anyone linked to you, recorded with credit reference agencies and financial services industry bodies (including UK Finance):
    1. to prevent economic crime (including fraud and money laundering) and to share economic crime information with law enforcement agencies.
    2. to freeze and repatriate assets and frozen funds following unauthorised or fraudulent use.
    3. for credit assessment and account management, tracing and debt recovery, identity verification and statistical analysis and systems testing.
  5. we will also disclose your information:
    1. to our insurers, sub-contractors, and persons acting as our agents who have agreed to keep your information strictly confidential.
    2. to linked suppliers to the extent that they need your information to provide your additional contracted benefits or services.
    3. to any bank, financial institution or company to whom we may assign or transfer our rights and/or duties under our Agreement.
    4. where we are required or permitted to do so by applicable law, including to public authorities.
  6. for the management of business risk and for compliance with laws, risk criteria, procedures, and policies, with the responsible Citigroup chief trust officer, senior risk officer, compliance officer, legal officer, tax officer, anti-money laundering officer, fraud officer, audit officer, data protection officer, control officer, Citi leadership team, and Citi managers.
  7. at the request of any counterparty bank, payment infrastructure provider, custodian, sub-custodian, fund houses, fund administrators or issuers of securities in relation to any payment or investment or business process and to service your account and investment as per the provisions of any specific product or service agreement relevant to such investment or service.
  8. with management and internal and external tax, professional and legal advisors or consultants, as required, in order to establish, exercise or defend or to protect legal claims, including in relation to our contracts with our clients and in order to protect the rights, property, or safety of us, our business, any Citi Companies, our clients or third parties involved in, or contemplating, legal proceedings.
  9. to any competent regulatory, prosecuting, tax or governmental authority, courts or other tribunals in any jurisdiction: (i) for or in connection with an examination of us by bank or other examiners; (ii) pursuant to subpoena or other legal process; (iii) at the express direction of any other authorised government agency; (iv) to our internal or external attorneys or auditors; (v) to others to whom we are required to make such disclosure by applicable law.
  10. to third parties in connection with a change of ownership in Citi or any of its assets.


6.    Where does Citi transfer your personal information?

Your personal data is stored at Citibank UK Limited and Citibank N.A. (Jersey Branch) in the United Kingdom and Jersey, respectively, and your account data and transactions are processed digitally at our regional data centres in the European Union (Frankfurt and Warsaw). In addition, in order to ensure global consistency, enhance security and facilitate prompt delivery of cross-border services (for example for 24/7 customer support on CitiPhone) customer data may be accessed from other Citi regional data centres. For a list of entities and countries in which Citi Companies operate please see http://www.citigroup.com/citi/about/countrypresence/.

Transfers of personal data between the UK and Jersey, and between these two jurisdictions and the EU, rely on reciprocal ‘adequacy’ decisions. Where we access your personal data within Citi from other regional data centres, or transfer it to electronic communications service providers in order to provide Internet and mobile App banking, or to third parties such as other banks in relation to any banking operation or transaction you request outside the UK, the EU, Jersey, or the EEA, we ensure that sufficient protection will be afforded to your personal data through one of the following:

  • When we transfer your data to countries that have a formal declaration of adequacy afforded to the protection for personal data by the European Commission under the GDPR, or the United Kingdom under the UK GDPR, your data benefits from such protections; or
  • When we transfer your data to countries or territories without a formal declaration of adequacy, we use data transfer agreements incorporating Standard Contractual Clauses (SCCs) in the form issued by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and their UK Addendum issued as an Order in Council on 2 February 2022, which grant your personal data equivalent protections to those afforded under the GDPR. These agreements are complemented by data transfer risk assessments and technical and operational measures. In some cases (where we can avail of them) we rely in other permitted data transfer mechanisms such as binding corporate rules.

7.     For how long does Citi store your personal information?

Where we process personal data in connection with performing an agreement we have with you or our client, we keep your personal data for as long as is required in order to fulfil our contractual obligations to you or our clients, and for a prudential term thereafter, reflecting the statutory limitation period (or ‘statute of limitations’) under the law governing that contract or transaction.

Where we process personal data in connection with a legal obligation (for example for AML purposes) such personal data will be kept for as long as is required under applicable law. A copy of telephone recordings or electronic communications that result (or may result) in a transaction will also be available to you from the date of that communication for the duration of the legal retention period.

Where we process personal data solely with your consent, we process the personal data until you ask us to stop, and for a reasonable period for completion of any pending transactions upon your request.

8.    What automated decision making does Citi carry out?

8.1 All our decisions, including investor suitability, are conducted and/or checked and approved by persons. We do not delegate decision-making in providing services to you.

8.2 We process some personal data automatically in order to make certain assessments about you. This is known as profiling. We do this, for instance, to assess your investment maturity and objectives and your risk tolerance, and to assess your ability to repay any loans; to meet regulatory or for legal requirements, including for the prevention of crime and money laundering.

8.3 Where we rely on profiling, we will seek your consent unless we must do it in order to enter into, or to perform, a contract with you or where we are required or authorised by applicable law to carry out this activity. You have the right to request a person to re-assess any decision based on profiling in respect of loans, mortgages and other financial product applications. In the event we use machine learning or automated decision-making in our products, you will be entitled and given the option to opt-out in our product applications.

8.4 You have the right to request a person to re-assess any decision that results from our automated or profiling activities.

9. What are your rights in relation to personal information?

9.1 You can ask us to: (a) provide you with a copy of your personal data; (b) correct your personal data; (c) erase or delete your personal data; (d) transfer your personal data to other organisations; and (e) restrict processing of your data. You can also object to processing of your personal information, in particular where related to direct marketing or where we process your information on the basis of legitimate interests (see Section 3.1(c)) unless we have an overriding interest or a legal obligation. Upon receiving any request from you in relation to these rights we will take reasonable steps to verify your identity (or the identity and authority of your representative) prior to releasing any personal data.

9.2 You can change or update your contact details and your marketing preferences at any time by accessing Citi Online or contacting your Relationship Manager (if applicable) or on CitiPhone.                                 

9.3 If you wish to exercise your rights or if you have any queries about your personal data, please contact your Relationship Manager (if applicable) CitiPhone, or the Data Protection Officer using the contact details in Section 2 above. If you have unresolved concerns, you have the right to direct your complaint to the relevant data protection authorities: the Information Commissioner’s Office in the United Kingdom and the Jersey Office of the Information Commissioner.

10.   Cookies and Online Data

10.1   Any processing of information that we collect in our websites using electronic methods including cookies or online identifiers is detailed in our Bank Online Privacy Notice and Cookies Policy. Cookies and online identifiers that are not strictly necessary for the operation and security of our websites (‘essential cookies’) are subject to your consent.

10.2   We also collect information about how you manage and use your Account(s), the type of purchases you pay from your Account(s) (whether by a Card, Direct Debit, online or in any other way) and electronic payments made into your Account(s). This information will include the name of the payer (for example, your employer) and the supplier (for example, a shop) and the general nature of the goods and services paid for. We obtain this information automatically as part of operating your Account(s). Cash and cheque payments are safe alternatives if you do not want us to have information.

10.3   If you operate your account on the Citibank Online site, we use essential cookies and web logs (information about how you use our website) to improve the security of our service and information. Please refer to our Online Privacy Statement and Cookies Policy for more details.

10.4   Where Citi places online adverts or uses a third party to carry out data analytics (including measuring responses to online advertisements), Citi is a data controller of such data.

10.5   Some companies we work with use cookies to provide services to us. These services include analysing non-personal data to assist us with our management of our website and our marketing activity. Further information on the cookies they use can be found in the table below and in the Privacy and Cookies Policy.

Media Partner Description
Adobe Analytics Adobe uses cookies to give website operators the ability to track user's online activity.
Find out more
Adobe Target Adobe Target uses cookies to give website operators the ability to test which online content and offers are more relevant to visitors.
Find out more
Google Ads Google Ads Cookies and other technologies used for personalisation enhance your experience by providing personalised content and features, depending on your settings. Personalised content and features include things like more relevant results and recommendations, a customised YouTube homepage, and ads that are tailored to your interests.
Find out more
Google DoubleClick Google Ads Cookies and other technologies used for personalisation enhance your experience by providing personalised content and features, depending on your settings. Personalised content and features include things like more relevant results and recommendations, a customised YouTube homepage, and ads that are tailored to your interests.
Find out more
DV360 Pixel DV360 Cookies and other technologies used for personalisation enhance your experience by providing personalised content and features, depending on your settings. Personalised content and features include things like more relevant results and recommendations, a customised YouTube homepage, and ads that are tailored to your interests.
Find out more
Bing Ads Bing tags are used to measure the effectiveness of Citibank online marketing campaigns.
Find out more
Facebook Pixel Cookies help us provide, protect and improve the Meta Products, such as by personalising content, tailoring and measuring ads, and providing a safer experience. The cookies that we use include session cookies, which are deleted when you close your browser, and persistent cookies, which stay in your browser until they expire or you delete them.
Find out more
LinkedIn Conversion LinkedIn tags are used to measure the effectiveness of Citibank online marketing campaigns.
Find out more
Affle Affle uses cookies to complement user browsing experience and build out a more contextual experience for them.
Find out more
InMobi/Taboola Inmobi uses cookies to provide a personalised experience to users as well as to provide reporting information regarding user engagemnet with websites and applications.
Find out more
Hawk Hawk uses cookies to optimise their website and services.
Find out more
Ogury Ogury provides user web analytics data to improve user experience with the use of cookies.
Find out more
TTD Pixel TTD uses cookies to give website operators the ability to test which online content and offers are more relevant to visitors.
Find out more
Blis Blis uses cookies to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.
Find out more
Outbrain Outbrain tags are used to measure the effectiveness of Citibank online marketing campaigns.
Find out more

11.   Changes to this Privacy Statement

If we modify this Privacy Statement at any time we will place the modified versions on this website. We encourage you to regularly review this Privacy Statement to ensure that you are always aware of what personal information we collect and how we use, store and disclose.

12.   The EU General Data Protection Regulation and the California Consumer Privacy Act

12.1   In this Privacy Statement any references to the ‘GDPR’ mean the General Data Protection Regulation (EU) 2016/679 and any complementing, substituting or equivalent legislation in the UK including without limitation, the UK Data Protection Act 2018, and at the end of the Transition Period established in the European Union (Withdrawal) Act, the GDPR as it forms part of UK statutes pursuant to the Privacy, Electronic Communications and Personal Data (Amendment) (EU Exit) Regulations 2019.

12.2   If you are, or will be, a resident of the U.S. State of California, you have certain rights with respect to your Personal Information under the California Privacy Rights Act ("CPRA") as of January 1, 2023. For more information about what this means to you, please click here https://www.citigroup.com/citi/privacy.html.

To access your rights under CPRA, please call U.S. +1-833-981-0270 or click here CPRA non-US Request to print a form and mail to us.