Citi Commercial Bank

Insights. Solutions. Network.

PRIVACY STATEMENT FOR EU/EEA AND UK CUSTOMERS OF CITI COMMERCIAL BANK

This Privacy Statement applies to:

  • Citigroup branches and affiliates established in the EU/EEA and the UK carrying out general Citi Commercial Bank operations (such as credit agreements, commercial bank loans, and guarantees amongst others). Citi Commercial Bank is an internal division (a ‘business’) of Citigroup, Inc and its affiliates;
  • Individuals that represent or act on behalf of our corporate customers at Citi Commercial Bank in the EU/EEA and the UK including, without limitation, their directors, staff, and subcontractors; and any associated individuals who are loan/collateral guarantors, Promissory Note debtors, collateral owners, independent agents and persons related to those individuals (e.g. spouses), and individual beneficial owners/ultimate beneficiaries of those corporate entities (altogether ‘persons associated’).
  • persons associated with a corporate customer or prospective corporate customer who engages Citi Commercial Bank for the purposes of opening, operating or maintaining an account or financial product with a Citigroup affiliate established in the EU/EEA and the UK;
  • persons associated with a service provider or counterparty bank of Citi Commercial Bank acting through a Citigroup legal entity in the EU/EEA and the UK.

Citi has published business-specific Privacy Statements that apply to Citi Commercial Cards , Treasury and Trade Solutions and Markets and Securities which apply to those activities in preference to this Privacy Statement, even if you are also a Citi Commercial Banking customer.

This Privacy Statement explains how Citi Commercial Bank processes personal data about persons associated to corporate entities who are customers of Citi Commercial Bank in the EU/EEA and the UK1 with whom we come into contact (referred to as “you” in this document) in the course of our dealings with corporate clients, suppliers and financial counterparties. These include employees, officers, directors, beneficial owners, and personnel of clients of Citigroup entities and/or affiliates listed in this Privacy Statement or their service providers, syndicate members, loan guarantors and other business or financial counterparties, (also referred to as "Your Organization" in this document).

  1. Who is responsible for your personal data and how can you contact them?

    If you are a customer or counterparty, or guarantor of any customer or a third party associated with a commercial transaction of our EU Commercial Bank Citi entities (listed at the end of this Privacy Statement) the entity(ies) relevant to your EU relationship will Controller(s) of your personal data.

    For more detail you can contact your Commercial bank relationship manager/customer service representative or our Data Protection Officer (EMEA), Citigroup Centre, 33 Canada Square, Canary Wharf, London E14 5LB, United Kingdom.


    1Post-Brexit, the GDPR has been transposed into UK law through the Data Protection Privacy and Electronic Communications (Amendment etc) (EU Exit) Regulations 2019 effective 31 January 2020, complementing the Data Protection Act 2018. HM Government has clarified that flows of data from the UK to the EU will continue after 31 December 2020 even if there is no EU-UK Free Trade Agreement, and flows of EU data to the UK will rely on data transfer agreements (and for staff and contractors, Biding Corporate Rules).

  2. Why do we process your personal data?

    We may process your personal data, as necessary to pursue legitimate business interests in providing services to you or our clients, for the following purposes:

    • to provide products and services to our clients and to communicate with you and/or our clients about them;
    • to manage, administer and improve our business and client and service provider engagements and relationships and for corporate marketing, business development and analysis purposes;
    • to monitor and analyse the use of our products and services for system administration, operation, testing and support purposes;
    • to manage our information technology and to ensure the security of our systems;
    • to establish, exercise and/or defend legal claims or rights and to protect, exercise and enforce our rights, property or safety, or to assist our clients or others to do this;
    • to investigate and respond to complaints or incidents relating to us or our business, to maintain service quality and to train staff to deal with complaints and disputes; and
    • for any other purpose that we specifically tell you about when we obtain data about you (or our client tells you about on our behalf).

    Where we process your data under the legal basis of legitimate interests described above, we take into consideration your interests, your fundamental rights or freedoms, and your right to object, also considering that for fraud prevention, network or information security purposes, a data subject’s objection may not be sufficient in itself to override the Controller’s legitimate interests.

    We also process your personal data to comply with laws and regulations applicable to the contract, operation or transaction, and in cooperating with our regulators and relevant authorities, complying with foreign laws where applicable, preventing or detecting financial and other crimes and regulatory breaches, and protecting our businesses and the integrity of financial operations. This involves processing your personal data for the following reasons:

    • to cooperate with, respond to requests from, and to report transactions and/or other activity to, government, tax or regulatory bodies, financial markets, brokers or other intermediaries or counterparties, courts or other third parties;
    • to monitor and analyse the use of our products and services for risk assessment and control purposes (including detection, prevention and investigation of fraud);
    • to conduct compliance activities such as audit and reporting, assessing and managing risk, maintenance of accounting and tax records, fraud and anti-money laundering (AML) prevention and measures relating to sanctions and anti-terrorism laws and regulations and fighting crime. This includes know your customer (KYC) screening (which involves identity checks and verifying address and contact details), politically exposed persons screening (which involves screening client records against internal and external databases to establish connections to ‘politically exposed persons’ (PEPs) as part of client due diligence and on-boarding) and sanctions screening (which involves the screening of clients and their representatives against published sanctions lists); and
    • to record and/or monitor telephone conversations so as to maintain service quality and security, for staff training and fraud monitoring and to deal with complaints, disputes and potential and/or actual criminal activity. To the extent permitted by law, these recordings are our sole property.

    If you do not provide information that we request, we may not be able to complete certain transactions or provide (or continue providing) relevant products or services to, or otherwise do business with, you or Your Organisation.

    For the avoidance of doubt we do not process personal data in transactions, payments or account services under any consents used to process these operations, but as explained above, under the legal basis of legitimate interests of Citi and of Citi’s counterparties in the transaction chain, and for compliance with applicable law.

  3. What personal data does Citi process?

    We process personal data that you provide to us directly or indirectly via our communications and other dealings with you and/or Your Organisation. Your Organisation may also give us some personal data about you. This may include your name, company, title, date of birth and job description, contact details such as your business email address, physical address and telephone number and other information required for legal or regulatory purposes including our KYC, AML and/or sanctions and investor screening processes (e.g., copies of your passport or a specimen of your signature) or for transaction management purposes. We may also obtain some personal data about you from the public domain.

  4. To whom do we disclose your personal data?

    We may disclose your personal data, for the reasons set out in Section 2, as follows:

    • to Your Organisation in connection with the products and services that we provide to it if Your Organisation is our client, or otherwise in connection with our dealings with Your Organisation;
    • to other Citi entities (this includes the entities referenced at http://www.citigroup.com/citi/about/countrypresence/) for the purpose of managing your or Your Organisation’s relationships;
    • to counterparty banks, central banks, payment infrastructure providers and other persons from whom we receive, or to whom we make, payments on Your Organisation’s behalf;
    • to central clearing counterparties and other similar entities other persons from whom we receive, or to whom we make, payments on our clients' behalf, in each case to service your or Your Organisation’s account;
    • to service providers that provide application processing, fraud monitoring, call centre and/or other customer services, hosting services and other technology and business process outsourcing services;
    • to our professional service providers (e.g., legal advisors, accountants, auditors, insurers and tax advisors);
    • to legal advisors, government and law enforcement authorities and other persons involved in, or contemplating, legal proceedings;
    • to competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals in any jurisdiction or market, domestic or foreign;
    • to other persons where disclosure is required by law; and
    • to enable products and services to be provided to you, Your Organisation or our clients.

  5. Where do we transfer your personal data?

    We may transfer your personal data to Citi entities, regulatory, prosecuting, tax and governmental authorities, courts and other tribunals, service providers and counterparties located in countries outside the EU/EEA (and the UK), including countries which have different data protection standards to those established in the GDPR. This includes transfers of personal data to India, Singapore and the United States of America. When we transfer your personal data to Citi entities, service providers or other business counterparties in these countries, we will ensure that they protect your personal data in accordance with EU/EEA-approved standard data transfer agreements or other appropriate safeguards.

  6. How long do we keep your personal data?

    We keep your personal data during our relationship, and for the duration of accounts or product agreements opened by You and retain in for a certain time after termination of your relationship accounts or products, as required to retain evidence of them and protect You and us against legal claims and audits, and to enforce our rights, subject always to applicable law, regulation or instructions by judicial or administrative authorities.

    We are continually assessing whether it is necessary to continue processing personal data for a particular purpose. If we find that they are no longer needed for the purposes for which they were collected, we will no longer keep such data.

    Additionally, we retain personal data in connection with any financial transactions, followed by a retention period determined by the statute of limitations in the country where the transaction is executed, where securities are held, and by the law governing the contract or transaction.

    Telephone recordings or electronic communications that resulted (or may have resulted) in a markets transaction are retained and will be available to you from the date of that communication also for the duration of the legal retention period applicable in your country.

  7. Security

    We protect your personal data and process it in a manner that prevents unauthorized or accidental use or access to, change, destruction or loss of your personal data, unauthorized transmissions and other processing or misuse of your data. We have appropriate technical and organizational measures in place to ensure a level of security; and individuals and entities who come in contact with your personal data are subject to a contractual and legal duty to maintain confidentiality. We pseudonymize, encrypt, or de-personalise information that is transmitted or stored outside of our IT networks or if such measure is appropriate to reduce the risks arising from the processing of your personal data.

  8. What are your rights in relation to personal data?

    You can ask us to: (i) provide you with a copy of your personal data; (ii) correct your personal data; (iii) erase your personal data; or (iv) restrict our processing of your personal data. You can also opt out of the processing of your personal data for direct marketing purposes or object to our other processing of your personal data. These rights will be limited in some situations; for example, where we are required to process your personal data by EU/EEA or EU/EEA member state law, or the guidelines from our financial or prudential regulators require us to retain your data for a certain period after a transaction is closed.

    To exercise these rights or if you have questions about how we process your personal data, please contact us using the contact details of our EMEA Data Protection Officer in Section 1.

    If you feel that your data has not been handled correctly, or you are unhappy with our Data Protection Officer’s response regarding the use of your personal data, you have the right to lodge a complaint with a data protection authority in the UK or EU/EEA country where you are established or where the alleged infringement of data protection law occurred.

    Contact details for data protection authorities can be found here:

    EU/EEA: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

    Switzerland: Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/edoeb/en/home.html

    United Kingdom: Information Commissioner’s Office (ICO): www.ico.org.uk

    Jersey: Office of the Information Commissioner: https://jerseyoic.org

  9. Changes to this Privacy Statement

    We will review this Privacy Statement regularly, and if we change it, to keep you fully aware of our processing of your personal data and related matters, we will post the new version to this website.

  10. Data controllers

    The relevant data controllers of your personal data in relation to Citi's Commercial bank businesses are one or more of the following entities:

Head Office Branches
Citibank Europe plc
1 North Wall Quay
Dublin, 1
Ireland
Citibank Europe plc, Belgium Branch
Citibank Europe plc, organizacni slozka
Citibank Europe plc, Finland Branch
Citibank Europe plc, Greece Branch
Citibank Europe plc, Austria Branch
Citibank Europe plc, Bulgaria Branch
Citibank Europe plc, Denmark Branch
Citibank Europe plc, France Branch
Citibank Europe plc, Netherlands Branch
Citibank Europe plc, Norway Branch
Citibank Europe plc, Dublin - Romania Branch
Citibank Europe plc, pobocka zahranicnej banky
Citibank Europe plc, Sucursal en España
Citibank Europe plc, Sucursal em Portugal
Citibank Europe plc, Sweden Branch
Citibank Europe plc, Hungarian Branch Office
Citibank Europe plc, Germany branch
Citibank, N.A., London Branch
Citigroup Centre
Canada Square, Canary Wharf
London E14 5LB
United Kingdom
Bank Handlowy w Warszawie S.A.
ul. Senatorska 16
00-923 Warsaw
Poland