Citi Commercial Bank

Insights. Solutions. Network.


The General Data Protection Regulation is being introduced across the European Union and European Economic Area (EU/EEA) and comes into force on 25 May 2018. This Privacy Statement makes it easier for you to find out how we use and protect your personal information at Citi. We are not changing the way we process your information, but this Privacy Statement provides you with additional information such as:

  • Your increased rights in relation to the information we hold on you;
  • The types of personal information Citi collects about you and how we use it; and
  • The legal grounds on which we use your information.

This Privacy Statement applies to:

  • Citigroup branches and affiliates established in the EU/EEA carrying out general Citi Commercial Bank operations (such as credit agreements, commercial bank loans, and guarantees amongst others). Citi Commercial Bank is an internal division (‘business’) of Citigroup, Inc and its affiliates;
  • Individuals that represent or act on behalf of corporate entity customers of Citi Commercial Bank in the EU/EEA including, without limitation, their directors, staff, and subcontractors; and any associated individuals who are loan/collateral guarantors, Promissory Note debtors, collateral owners, independent agents and persons related to those individuals (e.g. spouses), and individual beneficial owners/ultimate beneficiaries of those corporate entities (altogether ‘persons associated’).
  • persons associated with a prospective corporate customer who is approached by Citi Commercial Bank for the purposes of opening an account or financial product with a Citigroup affiliate established in the EU/EEA;
  • Persons associated with a service provider or counterparty bank of Citi Commercial Bank acting through a Citigroup affiliate established in the EU/EEA**1

Citi has published business-specific Privacy Statements that apply to Citi Commercial Cards, Treasury and Trade Solutions and Markets and Securities which apply to those activities in preference to this Privacy Statement, even if you are also a Citi Commercial Banking customer.

This Privacy Statement explains how Citi Commercial Bank processes personal data about persons associated to corporate entities of Citi Commercial Bank in the EU/EEA with whom we come into contact (referred to as “you” in this document) in the course of our dealings with corporate clients, suppliers and financial counterparties**1. These include employees, officers, directors, beneficial owners, and personnel of clients of Citigroup entities and/or affiliates listed in this Privacy Statement or their service providers, syndicate members, loan guarantors and other business or financial counterparties, (also referred to as "Your Organization" in this document).

  1. Who is responsible for your personal data and how can you contact them?

    If you are a customer or counterparty, or guarantor of any customer or a third party associated with a commercial transaction**1 of our EU Commercial Bank Citi entities (listed at the end of this Privacy Statement) the entity(ies) relevant to your EU relationship will Controller(s) of your personal data.

    For more detail you can contact your Commercial bank relationship manager/customer service representative of your branch or our Data Protection Officer (EMEA), Citigroup Centre, 33 Canada Square, Canary Wharf, London E14 5LB, United Kingdom.

    1Unless the Citigroup branch or affiliate you are a supplier or financial counterparty of has provided a separate privacy notice.

  2. Why do we process your personal data?

    We may process your personal data, as necessary to pursue legitimate business interests in providing services to you or our clients, for the following purposes:

    • to provide products and services to our clients and to communicate with you and/or our clients about them;
    • to manage, administer and improve our business and client and service provider engagements and relationships and for corporate marketing, business development and analysis purposes;
    • to monitor and analyse the use of our products and services for system administration, operation, testing and support purposes;
    • to manage our information technology and to ensure the security of our systems;
    • to establish, exercise and/or defend legal claims or rights and to protect, exercise and enforce our rights, property or safety, or to assist our clients or others to do this;
    • to investigate and respond to complaints or incidents relating to us or our business, to maintain service quality and to train staff to deal with complaints and disputes; and
    • for any other purpose that we specifically tell you about when we obtain data about you (or our client tells you about on our behalf).

    Where we process your data under the legal basis of legitimate interests described above, we take into consideration your interests, your fundamental rights or freedoms, and your right to object, also considering that for fraud prevention, network or information security purposes, a data subject’s objection may not be sufficient in itself to override the Controller’s legitimate interests.

    We also process your personal data to comply with laws and regulations applicable to the contract, operation or transaction, and in cooperating with our regulators and relevant authorities, complying with foreign laws where applicable, preventing or detecting financial and other crimes and regulatory breaches, and protecting our businesses and the integrity of financial operations. This involves processing your personal data for the following reasons:

    • to cooperate with, respond to requests from, and to report transactions and/or other activity to, government, tax or regulatory bodies, financial markets, brokers or other intermediaries or counterparties, courts or other third parties;
    • to monitor and analyse the use of our products and services for risk assessment and control purposes (including detection, prevention and investigation of fraud);
    • to conduct compliance activities such as audit and reporting, assessing and managing risk, maintenance of accounting and tax records, fraud and anti-money laundering (AML) prevention and measures relating to sanctions and anti-terrorism laws and regulations and fighting crime. This includes know your customer (KYC) screening (which involves identity checks and verifying address and contact details), politically exposed persons screening (which involves screening client records against internal and external databases to establish connections to ‘politically exposed persons’ (PEPs) as part of client due diligence and on-boarding) and sanctions screening (which involves the screening of clients and their representatives against published sanctions lists); and
    • to record and/or monitor telephone conversations so as to maintain service quality and security, for staff training and fraud monitoring and to deal with complaints, disputes and potential and/or actual criminal activity. To the extent permitted by law, these recordings are our sole property.

    If you do not provide information that we request, we may not be able to complete certain transactions or provide (or continue providing) relevant products or services to, or otherwise do business with, you or Your Organisation.

    For the avoidance of doubt we shall not process personal data under any payment or any other consents in a contract with you as the legal basis for processing personal data, under EU/EEA data protection laws or other laws equivalent to EU/EEA data protection laws, but explained above, under the legal basis of our legitimate interests and for compliance with applicable law.

  3. Where does Citi obtain personal data about you?

    We process personal data that you provide to us directly or indirectly via our communications and other dealings with you and/or Your Organisation. Your Organisation may also give us some personal data about you. This may include your name, company, title, date of birth and job description, contact details such as your business email address, physical address and telephone number and other information required for legal or regulatory purposes including KYC, AML and/or sanctions checking purposes (e.g., copies of your passport or a specimen of your signature) or for transaction management purposes. We may also obtain some personal data about you from the public domain.

  4. To whom do we disclose your personal data?

    We may disclose your personal data, for the reasons set out in Section 2, as follows:

    • to Your Organisation in connection with the products and services that we provide to it if Your Organisation is our client, or otherwise in connection with our dealings with Your Organisation;
    • to other Citi entities (this includes the entities referenced at for the purpose of managing your or Your Organisation’s relationships;
    • to counterparty banks, central banks, payment infrastructure providers and other persons from whom we receive, or to whom we make, payments on Your Organisation’s behalf;
    • to central clearing counterparties and other similar entities other persons from whom we receive, or to whom we make, payments on our clients' behalf, in each case to service your or Your Organisation’s account;
    • to service providers that provide application processing, fraud monitoring, call centre and/or other customer services, hosting services and other technology and business process outsourcing services;
    • to our professional service providers (e.g., legal advisors, accountants, auditors, insurers and tax advisors);
    • to legal advisors, government and law enforcement authorities and other persons involved in, or contemplating, legal proceedings;
    • to competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals in any jurisdiction or market, domestic or foreign;
    • to Your Organisation in connection with the products and services that we provide to it if Your Organisation is our client, or otherwise in connection with our dealings with Your Organisation;
    • to other persons where disclosure is required by law; and Organisation is our client, or otherwise in connection with our dealings with Your Organisation;
    • to enable products and services to be provided to you, Your Organisation or our clients.

  5. Where do we transfer your personal data?

    We may transfer your personal data to Citi entities, regulatory, prosecuting, tax and governmental authorities, courts and other tribunals, service providers and other business counterparties located in countries outside the EU/EEA, including countries which have different data protection standards to those which apply in the EU/EEA. This includes transfers of personal data to countries including India and the United States of America. When we transfer your personal data to Citi entities, service providers or other business counterparties in these countries, we will ensure that they protect your personal data in accordance with EU/EEA-approved standard data transfer agreements or other appropriate safeguards.

  6. How long do we keep your personal data?

    We retain personal data in connection with a financial transaction, followed by a prudential retention period thereafter. The length of this retention period is determined by the legal statute of limitations in the country where the transaction took place or the law governing the contract or transaction. On average this period has duration of 10 years from closure of the account or transaction.

    Telephone recordings or electronic communications that resulted (or may have resulted) in a transaction will be retained and will be available to you from the date of that communication also for the duration of the legal retention period applicable in your country. On average, this retention period is 7 years from the time of recording.

  7. What are your rights in relation to personal data?

    You can ask us to: (i) provide you with a copy of your personal data; (ii) correct your personal data; (iii) erase your personal data; or (iv) restrict our processing of your personal data. You can also opt out of the processing of your personal data for direct marketing purposes or object to our other processing of your personal data. These rights will be limited in some situations; for example, where we are required to process your personal data by EU/EEA or EU/EEA member state law, or the guidelines from our financial or prudential regulators require us to retain your data for a certain period after a transaction is closed.

    To exercise these rights or if you have questions about how we process your personal data, please contact us using the contact details of our data protection officer in Section 1.

    If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with our lead data protection authority (the Information Commissioner’s Office) in cross-border transactions, or the relevant data protection authorities in the EU/EEA member state where you live or work or where the alleged infringement of data protection law occurred. Contact details for the Information Commissioner’s Office and other relevant data protection authorities can be found here:

  8. Changes to this Privacy Statement

    This Privacy Statement takes effect on 25 May 2018. We will review it regularly, and if we change it, to keep you fully aware of our processing of your personal data and related matters, we will post the new version to this website.

  9. Data controllers

    The relevant data controllers of your personal data in relation to Citi's Commercial bank businesses are one or more of the following entities:

Head Office Branches
Citibank Europe plc
1 North Wall Quay
Dublin, 1
Citibank Europe plc, Belgium Branch
Citibank Europe plc, organizacni slozka
Citibank Europe plc, Finland Branch
Citibank Europe plc, Greece Branch
Citibank Europe plc, Austria Branch
Citibank Europe plc, Bulgaria Branch
Citibank Europe plc, Denmark Branch
Citibank Europe plc, France Branch
Citibank Europe plc, Netherlands Branch
Citibank Europe plc, Norway Branch
Citibank Europe plc, Dublin - Romania Branch
Citibank Europe plc, pobocka zahranicnej banky
Citibank Europe plc, Sucursal en España
Citibank Europe plc, Sucursal em Portugal
Citibank Europe plc, Sweden Branch
Citibank Europe plc, Hungarian Branch Office
Citibank Europe plc, Germany branch
Citibank, N.A., London Branch
Citigroup Centre
Canada Square, Canary Wharf
London E14 5LB
United Kingdom
Bank Handlowy w Warszawie S.A.
ul. Senatorska 16
00-923 Warsaw