Citi Commercial Bank
Insights. Solutions. Network.
PRIVACY STATEMENT FOR EU/EEA AND UK CLIENTS OF CITI COMMERCIAL BANK
This Privacy Statement applies to:
- Citigroup branches and affiliates established in the EU/EEA and the UK carrying out general Citi Commercial Bank operations (such as credit agreements, commercial bank loans, and guarantees amongst others). Citi Commercial Bank is an internal division (a ‘business’) of Citigroup, Inc and its affiliates;
- Individuals that represent or act on behalf of our corporate clients at Citi Commercial Bank in the EU/EEA and the UK including, without limitation, their directors, staff and subcontractors; and any associated individuals who are loan/collateral guarantors, Promissory Note debtors, collateral owners, independent agents and persons related to those individuals (e.g. spouses), and individual beneficial owners/ultimate beneficiaries of those corporate entities (altogether ‘persons associated’).
- persons associated with a corporate client or prospective corporate client who engages Citi Commercial Bank for the purposes of opening, operating or maintaining an account or financial product with a Citigroup affiliate established in the EU/EEA and the UK;
- persons associated with a service provider or counterparty bank of Citi Commercial Bank acting through a Citigroup legal entity in the EU/EEA and the UK.
Citi has published Privacy Statements that apply to Citi Commercial Cards , Treasury and Trade Solutions and Markets and Securities which apply to those activities, even if you are a client of Citi Commercial Banking.
This document explains how Citi Commercial Bank processes personal data from persons associated to corporate entities (as described under Section 1 below) in the EU/EEA and the UK1 with whom we come into contact (referred to as “you” in this document) in the course of our dealings with corporate clients, suppliers and financial counterparties. These include employees, officers, directors, beneficial owners, and personnel of clients of Citigroup entities and/or affiliates listed in this Privacy Statement or their service providers, syndicate members, loan guarantors and other business or financial counterparties, (also referred to as "Your Organization" in this document).
-
Who is responsible for your personal data and how can you contact them?
Where you are a client, customer or counterparty, or holder of accounts, products, securities or loans, or a guarantor of any client or a third party associated with a commercial transaction of Citi Commercial Bank entities in the EU/EEA and the United Kingdom (which for compliance with legal obligations appear listed at the end of this Privacy Statement) the entity(ies) relevant to your relationship will be the Controller(s) of your personal data.
For further details you can contact your Commercial bank relationship manager/client service representative, or our Data Protection Officer, as follows:
EU/EEA UK EU/EEA Data Protection Officer
Citi
1 North Wall Quay
Dublin
D01 T8Y1
Ireland
Email: dataprotectionofficer@citi.comUK Data Protection Officer
Citi
Citigroup Centre
25 Canada Square
London
E14 5LB
United Kingdom
Email: dataprotectionofficer@citi.com
1The principal legislation on data protection in the European Union (EU) is the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) complemented by national law in each of the 27 EU Member States and the additional 3 States in the European Economic Area (EEA). The GDPR was retained in the UK following Brexit through the Data Protection Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 effective 31 January 2020, which amend and complement the UK Data Protection Act 2018. Data transfers from the EU/EEA to the UK are based on the Commission Implementing Decision of 28 June 2021 pursuant to Regulation (EU) 2016/679 (‘Adequacy Decision’). The UK Government had granted equivalent treatment and recognizes all EU Adequacy decisions issued prior to 31 December 2020.
-
Why do we process your personal data?
We may process your personal data, as necessary to pursue legitimate business interests in providing services to you or our clients, for the following purposes:
- to provide products and services to our clients and to communicate with you and/or our clients about them;
- to manage, administer and improve our business and client and service provider engagements and relationships and for corporate marketing, business development and analysis purposes;
- to monitor and analyse the use of our products and services for system administration, operation, testing and support purposes;
- to manage our information technology and to ensure the security of our systems;
- to establish, exercise and/or defend legal claims or rights and to protect, exercise and enforce our rights, property or safety, or to assist our clients or others to do this;
- to investigate and respond to complaints or incidents relating to us or our business, to maintain service quality and to train staff to deal with complaints and disputes; and
- for any other purpose that we specifically tell you about when we obtain data about you (or our client tells you about on our behalf).
Where we process your data under the legal basis of legitimate interests described above, we take into consideration your interests, your fundamental rights or freedoms, and your right to object, also considering that for fraud prevention, network or information security purposes, a data subject’s objection may not be sufficient in itself to override the Controller’s legitimate interests.
We also process your personal data to comply with laws and regulations applicable to the contract, operation or transaction, and in cooperating with our regulators and relevant authorities, complying with foreign laws where applicable, preventing or detecting financial and other crimes and regulatory breaches, and protecting our businesses and the integrity of financial operations. This involves processing your personal data for the following reasons:
- to cooperate with, respond to requests from, and to report transactions and/or other activity to, government, tax or regulatory bodies, financial markets, brokers or other intermediaries or counterparties, courts or other third parties;
- to monitor and analyse the use of our products and services for risk assessment and control purposes (including detection, prevention and investigation of fraud);
- to conduct compliance activities such as audit and reporting, assessing and managing risk, maintenance of accounting and tax records, fraud and anti-money laundering (AML) prevention and measures relating to sanctions and anti-terrorism laws and regulations and fighting crime. This includes know your client (KYC) screening (which involves identity checks and verifying address and contact details), politically exposed persons screening (which involves screening client records against internal and external databases to establish connections to ‘politically exposed persons’ (PEPs) as part of client due diligence and on-boarding) and sanctions screening (which involves the screening of clients and their representatives against published sanctions lists); and
- to record and/or monitor telephone conversations so as to maintain service quality and security, for staff training and fraud monitoring and to deal with complaints, disputes and potential and/or actual criminal activity. To the extent permitted by law, these recordings are our sole property.
If you do not provide information that we request, we may not be able to complete certain transactions or provide (or continue providing) relevant products or services to, or otherwise do business with, you or Your Organisation.
For the avoidance of doubt we do not process personal data in transactions, payments or account services under any consents used to process these operations, but as explained above, under the legal basis of legitimate interests of Citi and of Citi’s counterparties in the transaction chain, and for compliance with applicable law.
-
What personal data does Citi process?
We process personal data that you provide to us directly or indirectly via our communications and other dealings with you and/or Your Organisation. Your Organisation may also give us some personal data about you. This may include your name, company, title, date of birth and job description, contact details such as your business email address, physical address and telephone number and other information required for legal or regulatory purposes including our KYC, AML and/or sanctions and investor screening processes (e.g., copies of your passport or a specimen of your signature) or for transaction management purposes. We may also obtain some personal data about you from the public domain.
-
To whom do we disclose your personal data?
We may disclose your personal data, for the reasons set out in Section 2, as follows:
- to Your Organisation in connection with the products and services that we provide to it if Your Organisation is our client, or otherwise in connection with our dealings with Your Organisation;
- to other Citi entities (this includes the entities referenced at http://www.citigroup.com/citi/about/countrypresence/) for the purpose of managing your or Your Organisation’s relationships;
- to counterparty banks, central banks, payment infrastructure providers and other persons from whom we receive, or to whom we make, payments on Your Organisation’s behalf;
- to central clearing counterparties and other similar entities other persons from whom we receive, or to whom we make, payments on our clients' behalf, in each case to service your or Your Organisation’s account;
- to service providers that provide application processing, fraud monitoring, call centre and/or other client services, hosting services and other technology and business process outsourcing services;
- to our professional service providers (e.g., legal advisors, accountants, auditors, insurers and tax advisors);
- to legal advisors, government and law enforcement authorities and other persons involved in, or contemplating, legal proceedings;
- to competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals in any jurisdiction or market, domestic or foreign;
- to other persons where disclosure is required by law; and
- to enable products and services to be provided to you, Your Organisation or our clients.
-
Where do we transfer your personal data?
We may transfer your personal data to Citi entities, regulatory, prosecuting, tax and governmental authorities, courts and other tribunals, service providers and counterparties located in countries outside the EU/EEA (and the UK), including countries which have different data protection standards to those established in the GDPR. This includes transfers of personal data to India, Singapore and the United States of America. When we transfer your personal data to Citi entities, service providers or other business counterparties in these countries, we will do so lawfully taking into consideration the GDPR data protection principles, and will ensure that they protect your personal data in accordance with EU/EEA-approved standard data transfer agreements or other GDPR- compliant safeguards.
-
How long do we keep your personal data?
We keep your personal data during our relationship, and for the duration of accounts or product agreements opened by You or your Organization and retain in for a certain time after termination of your relationship accounts or products, as required to retain evidence of them and protect You and us against legal claims and audits, and to enforce our rights, subject always to applicable law, regulation or instructions by judicial or administrative authorities.
We are continually assessing whether it is necessary to continue processing personal data for a particular purpose. If we find that they are no longer needed for the purposes for which they were collected, we will no longer keep such data.
Additionally, we retain personal data in connection with any financial transactions, followed by a retention period determined by the statute of limitations in the country where the transaction is executed, where securities are held, and by the law governing the contract or transaction.
Telephone recordings or electronic communications that resulted (or may have resulted) in a markets transaction are retained and will be available to you from the date of that communication also for the duration of the legal retention period applicable in your country.
-
Security
We classify and protect your personal data and process it in a manner that prevents unauthorized or accidental use or access to, change, destruction or loss of your personal data, unauthorized transmissions and other processing or misuse. We have appropriate technical and organizational measures in place. Any individuals and entities who come in contact with your personal data are subject to a contractual and legal duty to maintain confidentiality. We pseudonymize, encrypt, or de-personalise information that is transmitted or stored outside of our IT networks and take any additional measures appropriate to reduce the risks arising from the processing of your personal data.
-
What are your data subject rights in relation to personal data?
You (as a data subject) can ask us to: (i) provide you with a copy of your personal data; (ii) correct your personal data; (iii) erase your personal data; or (iv) restrict our processing of your personal data. You can also opt out of the processing of your personal data for direct marketing purposes or object to other processing of your personal data. These rights will be limited in some situations; for example, where we are required to process your personal data by EU/EEA or EU/EEA member state law, or under guidelines from our financial or prudential regulators that require us to retain your data for a certain period after transactions or accounts are closed.
To exercise these rights or if you have questions about how we process your personal data, please contact us using the contact details of our Data Protection Officer in Section 1.
If you feel that your data has not been handled correctly, or you are unhappy with our response regarding the use of your personal data, you have the right to lodge a complaint with a data protection authority in the UK or EU/EEA country where you are established or where the alleged infringement of data protection law occurred.
Contact details for data protection authorities can be found here:
EU/EEA: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
Switzerland: Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/edoeb/en/home.html
United Kingdom: Information Commissioner’s Office (ICO): www.ico.org.uk
Jersey: Office of the Information Commissioner: https://jerseyoic.org
-
Changes to this Privacy Statement
We will review this Privacy Statement regularly, and if we change it, to keep you fully aware of our processing of your personal data and related matters, we will post the new version to this website.
-
Data controllers
The relevant data controllers of your personal data in relation to Citi's Commercial bank businesses are one or more of the following entities:
| Head Office | Branches |
|---|---|
| Citibank Europe plc 1 North Wall Quay Dublin, 1 Ireland |
Citibank Europe plc, Belgium Branch Citibank Europe plc, organizacni slozka Citibank Europe plc, Finland Branch Citibank Europe plc, Greece Branch Citibank Europe plc, Austria Branch Citibank Europe plc, Bulgaria Branch Citibank Europe plc, Denmark Branch Citibank Europe plc, France Branch Citibank Europe plc, Netherlands Branch Citibank Europe plc, Norway Branch Citibank Europe plc, Italy Branch Citibank Europe plc, Dublin - Romania Branch Citibank Europe plc, pobocka zahranicnej banky Citibank Europe plc, Sucursal en España Citibank Europe plc, Sucursal em Portugal Citibank Europe plc, Sweden Branch Citibank Europe plc, Hungarian Branch Office Citibank Europe plc, Germany branch |
| Citibank, N.A., London Branch Citigroup Centre Canada Square, Canary Wharf London E14 5LB United Kingdom |
|
| Bank Handlowy w Warszawie S.A. ul. Senatorska 16 00-923 Warsaw Poland |