This Privacy Statement explains how the Data Controllers named in Section 1 (‘Citi’ or ‘we’) process personal data from officers and employees, representatives and associates, shareholders or partners, syndicate and other members, ultimate beneficial owners and other individuals associated with or related to institutional or corporate entities, or to banking, legal or financial counterparties (‘Your Organization’) in the European Union, the European Economic Area, Switzerland, the United Kingdom and Crown Dependencies with whom we come into contact in relation to Banking, Capital Markets and Advisory (‘BCMA’) and related activities (as described below) (these individuals are referred to as ‘you’ and ‘your’ in this document).

The BCMA and related activities relevant to this Privacy Statement are as follows:

This Privacy Statement sets out how we use and protect your personal data, and provides you with information such as:

This Privacy Statement supersedes all Privacy Statements of the same business organizations that existed prior to its effective date.

Terms capitalized below will have the meaning described in the GDPR or as indicated herein.

The Citi entities listed in Section 9 of this Privacy Statement (referred to as “we” and "Citi" in this document) are the Data Controllers.

The Data Controller in that Section that is relevant to your personal data is:

a) the Citi entity providing financial, banking or advisory services to a corporate customer or institution you are related or associated with in a Member State of the European Union (“EU”) or the European Economic Area (“EEA”), Switzerland, the United Kingdom and Crown Dependencies (UK, Jersey, Guernsey);

b) the Citi entity carrying out BCMA and related activities on an entity that is a ‘target’ of investment, divestiture, acquisition, financing or similar activities, on behalf of Citi customer(s);

c) the Citi entity in a territory in Section (a) above that is processing your personal data on behalf of a Citi entity outside those territories.

Keep in mind that other financial institutions engaged in a transaction in the context of BCMA and related activities may also act as Data Controllers (independently to Citi), and you should contact them in order to exercise any data subject rights regard to the personal data that they process. If we receive a request regarding information that we have received from them, we will direct you to these institutions and notify them of your request.

The contact details of the Citi Data Controllers can be found in the Annex to this Privacy Statement.

If you have any questions or requests in relation to your personal data, please contact your relationship manager, or you can contact our Data Protection Officer, as follows:

EU/EEA Data Protection Officer
1 North Wall Quay
D01 T8Y1
UK Data Protection Officer
Citigroup Centre
25 Canada Square
E14 5LB
United Kingdom

We process your personal data under the legal basis and for the following purposes:

(a) Where the processing is necessary for us to perform a contract with you or for requested pre-contract steps

  • to provide products and services to our clients and to communicate with you and/or our clients about them;
  • For pre-contract steps prior to entering into a contract with us, including customer and third party due diligence;
  • When Your Organization furnishes instructions in relation to any contract or transaction, including to make a payment;

(b) Where we are required EU or EEA Member State law, UK or Swiss law or the law of any applicable jurisdiction

  • to cooperate with, respond to requests from, and to report transactions and/or other activity to, government, tax or regulatory bodies, financial markets, brokers or other intermediaries or counterparties, courts or other third parties;
  • to conduct compliance activities such as audit and reporting, assessing and managing risk, maintenance of accounting and tax records, fraud and anti-money laundering (AML) prevention and measures relating to sanctions and anti-terrorism laws and regulations and fighting crime. This includes know your customer (KYC) screening (which involves identity checks and verifying address and contact details), politically exposed persons screening (which involves screening client records against internal and external databases to establish connections to ‘politically exposed persons’ (PEPs) as part of client due diligence and on-boarding) and sanctions screening (which involves the screening of clients and their representatives against published sanctions lists);

(c) Where necessary for our or a third party’s legitimate interests (as listed here) and where your interests and fundamental rights do not override these interests. We will perform a balancing test of the interests prior to relying on legitimate interest to process personal data.

  • to manage, administer and improve our business and client and service provider engagements and relationships and for corporate marketing, business development and analysis purposes;
  • to monitor and analyse the use of our products and services for system administration, operation, testing and support purposes;
  • to manage our information technology and to ensure the security of our systems;
  • to establish, exercise and/or defend legal claims or rights and to protect, exercise and enforce our rights, property or safety, or to assist our clients or others to do this;
  • to investigate and respond to complaints or incidents relating to us or our business, to maintain service quality and to train staff to deal with complaints and disputes;
  • to monitor and analyse the use of our products and services for risk assessment and control purposes (including detection, prevention and investigation of fraud);
  • to record and/or monitor telephone conversations so as to maintain service quality and security, for staff training and fraud monitoring and to deal with complaints, disputes and potential and/or actual criminal activity; and/or
  • to disclose information to governmental, tax or regulatory bodies, financial markets, brokers or other intermediaries, counterparties, court, auditors or other third parties, including third parties that assist us in complying with our regulatory or legal requirements or conduct compliance activities, when this is relevant to a transaction or activity regulated by applicable law other than EU/EEA, Swiss, UK or Crown Dependency law and such disclosure in in our (or a third party’s) legitimate interest.

We process personal data that you provide to us directly and information that we learn from our communications and other dealings with you and/or Your Organisation. We may also obtain some personal data about you from the public domain.

Your Organization

This information may include your name, company, title, date of birth and job description, contact details such as your business email address, physical address and telephone number and other information required for legal or regulatory purposes including our KYC, AML and/or sanctions and investor screening processes (e.g., copies of your passport or a specimen of your signature) or for transaction management purposes

Our clients and Financial and Legal Counterparties

To the extent that Your Organization is a ‘target’ of BCMA and related activities, from our clients. Please be advised that and we are legally precluded from notifying you of our processing or of engaging in any other activity that would disclose a merger, divestiture or any corporate actions, until that information is released publicly

Public and private research sources

Public domain and subscription-based sources both inside and outside your country, the EU/EEA, Switzerland and the UK. Data we may obtain may include your name, company, title and job description and business contact details, and your holdings of shares, participations and investments in our clients or any entity that is a ‘target’ of any BCMA or related activities by our clients; and international economic sanctions lists.

We disclose your personal data, under the legal basis and for the purposes set out in Section 2, as follows:

a) to Your Organisation in connection with the products and services that we provide to it, if Your Organisation is our client, or otherwise in connection with our dealings with Your Organisation;

b) to other Citi entities (this includes the entities referenced at for the purpose of managing your or Your Organisation’s relationships;

c) to counterparty banks, central banks, payment infrastructure providers and other persons from whom we receive, or to whom we make, payments on Your Organisation’s behalf;

d) to brokers, custodians, sub-custodians, fund administrators, fund houses, depositaries, trustees, financial market infrastructure service providers (including settlement service providers, central securities depositories, exchanges, central clearing counterparties and other similar entities) and other persons from whom we receive, or to whom we make, payments on our clients' behalf, in each case to service your or Your Organisation’s account and investments;

e) to service providers that provide application processing, fraud monitoring, call centre and/or other customer services, hosting services and other technology and business process outsourcing services;

f) to our professional service providers (e.g., legal advisors, accountants, auditors, insurers and tax advisors);

g) to legal advisors, government and law enforcement authorities and other persons involved in, or contemplating, legal proceedings;

h) to competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals in any jurisdiction or market, domestic or foreign;

i) to other persons where disclosure is required by law; and

j) to enable products and services to be provided to you, Your Organisation or our clients.

We may transfer your personal data to Citi entities, regulatory, prosecuting, tax and governmental authorities, courts and other tribunals, service providers and counterparties located in countries outside the EU/EEA (and the UK), including countries which have different data protection standards to those established in the GDPR. This includes transfers of personal data to India, Singapore and the United States of America. When we transfer your personal data to Citi entities, service providers or other business counterparties in these countries, we will ensure that they protect your personal data in accordance with data transfer agreements based on EU/EEA (or, when issued by the ICO)- standard contractual clauses or other valid transfer mechanisms.

We retain personal data in connection with an agreement or a financial transaction we have with Your Organization or our client, followed by a prudential retention period thereafter. The length of this retention period is determined by the statute of limitations in the country where the transaction is executed, where securities are held, and by the law governing the contract or transaction.

Telephone recordings or electronic communications that resulted (or may have resulted) in a transaction will be retained and will be available to you from the date of that communication also for the duration of the legal retention period applicable in your country.

Generally, when Your Organization is also our client, we will store data about you for as long as you continue to have a relationship with us through our client and for a retention period thereafter as indicated in this section.

You can ask us to: (i) provide you with a copy of your personal data; (ii) correct your personal data; (iii) erase your personal data; or (iv) restrict our processing of your personal data. You can also object to the processing of your personal data for direct marketing purposes or to the processing of your personal data because our legitimate interests may not override yours (see section 2(c) above). These rights will be limited in some situations; for example, where we are required by law to withhold any information until a transaction or corporate action is disclosed to the public, where we process your personal data for AML, fraud and sanction screening activities, or where guidelines from our financial regulators require us to retain your data for a certain period after a transaction is closed.

If you wish to exercise these rights or if you have questions about how we process your personal data, please contact us using the contact details of our EMEA Data Protection Officer in Section 1.

If you feel that your data has not been handled correctly, or you are unhappy with our Data Protection Officer’s response regarding the use of your personal data, you have the right to lodge a complaint with a lead data protection authority in the UK or in EU/EEA member state where you reside or where the alleged infringement of data protection law occurred.

Contact details for data protection authorities in the EU/EEA can be found here:

The Data Protection Authority in the UK is the Information Commissioner’s Office (ICO). The ICO can be contacted as set out on

The Data Protection Authority in Jersey is the Jersey Information Commissioner, who can be contacted as set out in

We will review this Privacy Statement regularly, and if we change it, to keep you fully aware of our processing of your personal data and related matters, we will post the new version to this website.

From 31 December 2020, if Your Organization is a client of Citigroup Global Markets Limited, Citibank Europe plc, UK Branch or Citibank, N.A., (London Branch), the treatment and transfer of your Personal Data is governed the EU General Data Protection Regulation 2016/679 and the Privacy and Electronic Communications Directive 2002 as implemented in UK law by the Privacy Electronic Communications and Data Protections (Amendment etc) (EU Exit) Regulations 2019 and the Data Protection Act 2018.

If Your Organization is a client of Citibank N.A. Jersey Branch the treatment and transfer of your Personal Data is governed by Jersey law, such as the Data Protection (Jersey) Law 2018.

You should note that UK and Jersey data protection legislation is historically closely tied to EU laws and regulations and EU law imposes high standards of personal data protection with extra-territorial reach which means that entities outside the EU are, in certain circumstances, bound by such EU provisions.

The relevant data controllers of your personal data in relation to Citi's Banking, Capital Markets and Advisory businesses and Citi’s Issuer Services businesses are as follows.

Banking, Capital Markets and Advisory businesses: one or more of the following entities:

Head Office


Citibank Europe plc
1 North Wall Quay
Dublin, 1

Citibank Europe plc, UK Branch
Citibank Europe plc, Belgium Branch
Citibank Europe plc, organizacni slozka
Citibank Europe plc, Finland Branch
Citibank Europe plc, Greece Branch
Citigroup Europe plc, Austria Branch
Citibank Europe plc, Bulgaria Branch
Citibank Europe plc, Denmark Branch
Citibank Europe plc, France Branch
Citibank Europe plc, Netherlands Branch
Citibank Europe plc, Norway Branch
Citibank Europe plc, Dublin - Romania Branch
Citibank Europe plc, pobocka zahranicnej banky
Citibank Europe plc, Sucursal en España
Citibank Europe plc, Sucursal em Portugal
Citibank Europe plc, Sweden Branch
Citibank Europe plc, Hungarian Branch Office

Citigroup Global Markets Limited
Citigroup Centre
Canada Square, Canary Wharf
London E14 5LB
United Kingdom


Citibank, N.A., London Branch
Citigroup Centre
Canada Square, Canary Wharf
London E14 5LB
United Kingdom


Citibank, N.A., Milan Branch
Via dei Mercanti, 12
20121 Milan


Citigroup Global Markets Europe AG
5th Floor Reuterweg 16
60323 Frankfurt


Bank Handlowy w Warszawie S.A.
ul. Senatorska 16
00-923 Warsaw


Citigroup España SA
José Ortega y Gasset, 29
28006 Madrid


Dom Maklerski Banku Handlowego S.A.
ul. Senatorska 16
Warsaw, 00-923


Issuer Services business: one or more of the following entities:

Head Office


Citibank, N.A., London Branch
Citigroup Centre
Canada Square, Canary Wharf
London E14 5LB
United Kingdom


Citigroup Global Markets Europe AG
5th Floor Reuterweg 16
60323 Frankfurt


Citicorp Trustee Company Limited
Citigroup Centre
Canada Square, Canary Wharf
London E14 5LB
United Kingdom