Effective Date: 11 November 2022.
Scope and Applicability
This Global Privacy Notice applies to personal information processed in our global financial hubs, and to any documentation that refers or links to it.
Our global financial hubs are located in the United States, the European Economic Area, the United Kingdom, Hong Kong and Singapore. We also have Supplemental Provisions that set out protections for cross border products. Please refer to the link relevant to your country of residence.
Country-level privacy notices for on-shored or in-country (domestic) operations, are listed in the Annex, in Section 13. They do not form part of this Global Privacy Notice.
The Institutional Clients Group (ICG), operates banking and market services provided to corporations, financial institutions, public sector organizations, and investment managers. It comprises the following business areas:
ICG Markets business comprises all broker/dealer exchange and traded products, including Commodities, Derivatives, Equities, Futures, FX, OTC operations, securities clearing and similar.
Security Services comprise agency securities, lending and directed agent investment services, direct custody and clearing, global custody, global fund services; and corporate, compliance and investment monitoring and similar services.
BCMA includes investment and corporate banking, and advisory services in relation to mergers, divestitures and acquisitions. It organises and provides lending within corporate loan portfolio and corporate brokerage services; and provides capital (debt and equity) markets origination and ancillary services.
Issuer services provide payment and security agency, trust, and depositary receipts.
Our global commercial bank provides accounts, products, securities, loans and guarantees and similar core banking services to corporate clients.
TTS provide commercial payment and receivables solutions, digital cash management and trade data, liquidity management services and similar services.
We provide our products and services through offices in 95 countries and territories.
This is a comprehensive document that sets out the principles under which we process personal information in global financial hubs: It does not override your contractual documentation, or any legal rights under the law applicable to you or our product.
This document does not apply to, or modify, on shored or in-country (domestic) operations in any ICG business areas.
Please read:
Please Note: The TTS Commercial Cards program operating outside of the United States is not included in this Global Privacy Notice. You may access Non-US commercial cards privacy statements here.
Key Definitions
You and Your Organization
In this global Privacy Notice “You” means any individual person with whom we come into contact in the course of our dealings with “Your Organization”. Your Organization is our corporate client, other institution or business counterparty you are associated with.
Personal Information
“Personal Information” is any information:
US residents: Please note that we will not process Personal Information from other members of your household.
“Sensitive Personal Information” or “Special Categories of Personal Information” refers to Personal Information that requires special handling under applicable law and may include information such as racial and ethnic origin, religion, medical information, , biometric information and in some countries and territories also financial account information. Aggregated and anonymised data is not considered Personal Information for purposes of this Privacy Notice.
We will only process Sensitive Personal Information after obtaining your consent unless permitted under another basis by the laws of the country where it is collected. In order to prevent its accidental processing please do not include in any communications with Citi any type of Sensitive Personal Information about yourself or anyone else. If we receive such information by accident or happenstance we will let you know and immediately take measures to dispose of sensitive personal data.
Changes to this Privacy Notice
We may change this Privacy Notice to adapt it to our products and services as they change from time to time. If we make any changes, we will post a new version on this page. We may also provide you with an additional notification, in the manner set out in your product documentation.
The ICG legal entity which provides the accounts, products and services you are using or accessing on behalf of Your Organization, is in most cases responsible for determining what Personal Information will be collected, the purposes the information will be collected for, and how it will be processed. That entity is the Data Controller, or Data User under the laws of certain other jurisdictions.
We may act as a Data Processor when we process card payment transactions on behalf of merchants, other banks or card issuers, or when we act as a transfer, payment or security agent. If we act as a Data Processor on behalf of other Data Controllers, we will only collect and use information as described in our contracts, not under this Privacy Notice.
Data Controllers
Please refer to country-Supplements in Section 12 for information on data controllers in each country or region. A global list of Citi entities is available here
We may obtain information directly from you, from Your Organization or from other third parties, for example: financial institutions, government records, credit bureaux, or companies specialised in gathering publicly available information.
We obtain information about you from various sources:
As required and/or permitted by law, we also may monitor and record your telephone, email, instant messaging, and other online communications with us in connection with any banking operation or instruction that results or may result in a banking, financial or corporate transaction.
Personal Information
Citi ICG collects personal information about you, for specified purposes indicated in this Privacy Notice and its Supplemental Provisions.
Types of personal information we process, include:
Where required by law, we will process Social Security, national ID and other protected information. We have systems that compartmentalize such protected personal information, and operational, technical and governance measures, including strict access controls to protect the confidentiality and security of our data.
Sensitive Personal Information
Sensitive personal information is defined differently under the laws of different jurisdictions. We will only collect and process personal information which is necessary for us to provide our products and services and as required for other business, legal, and regulatory purposes. We will always provide you with additional explanatory information and disclosures if we collect or otherwise process sensitive personal data such as Biometric and behavioural data that we learn from your interactions with our systems and applications, for example your mouse speed and movements, your keyboard usage, voice authentication using telephone banking and by using the built-in biometric authentication technology in your mobile device. When we use device authentication, we will not have access to your biometric data, which remains stored in your mobile device.
Digital Personal Information
Information for Citi ICG public Websites *
(*for banking online and mobile applications please read our Digital Platforms Supplement in Section 12.b)
Device and Usage Information: We collect technical information about how you access our websites, including data about the device and network you use, such as your hardware model, operating system version, mobile network, IP address (digital identifiers), browser type, and app version. We also collect information about your activity on our Services, such as access times, pages viewed, links clicked, and the page you visited before navigating to our Services, to prevent fraud and other criminal activities.
Cookies and Similar Tracking Technologies: We collect information about your use of our digital services through technologies such as cookies web beacons and trackers. This includes information such as:
Cookies are small data files stored on your hard drive or device memory that help us, among other purposes to:
Web beacons are electronic images that may be used in our Services or emails and help among other purposes to:
Each site has page-specific Cookie Notices and options.
We use your Personal Information for the following purposes:
Use and Disclosure Rights
Certain countries and territories require Citi to offer to individuals the options and means to limit their use or disclosure of personal information to third parties. Please refer to the appended Special Provisions for your country or territory for information on these additional rights and how to exercise them.
Citi ICG does not sell nor share your Personal information with third parties for their advertising or other commercial purposes. We also do not sell, share, or use your personal information for third party online targeted advertising, nor disclose the Personal Information of persons under the age of 16 (see ‘Children’ further below) .
Automated Decision-Making and Profiling
ICG does not make automated decisions based on personal information or sensitive personal information, and does not conduct profiling for commercial purposes based on your personal information or sensitive personal information. You should be aware that we automatically monitor transaction data for fraud and Anti Money Laundering purposes. All decisions involving personal data are conducted by or checked by our staff. Where we process data automatically (for example in algorithmic investment strategies) all information is de-personalised.
The lawful basis that we rely on, vary depending on the applicable law in the country where we collect data, include:
When we collect and process sensitive personal information we will usually do so by obtaining your explicit consent. There are some instances where we may rely on legal exceptions to such consent to process sensitive personal information. For example:
If it is for a substantial public interest or in the legitimate interest of another person (including us) provided that processing must not extend to what is reasonable to provide a legitimate outcome and the protected interest outweighs any adverse effects of the processing your personal information.
Your rights over your personal information are protected by applicable law in many countries. Most countries grant 4 basic rights: Access, Rectification, Cancellation and Objection (by their initials, the so-called ARCO rights), Citi extend these and GDPR rights globally to all ICG clients beyond the requirements of their national law :
Right to be informed
We may not always be able to grant your privacy rights request.
We will always respond to your request within the timeframes provided under applicable law.
We will need to verify your identify before we share any details relating to personal information. If you are making a request on behalf of someone else (e.g., as an attorney or a friend or relative) we may require further information to ensure that you are duly authorised to make the request. In our reply, we will explain clearly whether we accept your request, the rationale for our decision, and what will happen next.
From time to time, we will disclose your personal information to trusted third parties (including Citi legal entities different from the one You or Your Organization have your relationship with). We may disclose your personal information to the following recipients:
We will only share your information for the purposes outlined in the section Purposes and Use of Personal Information
Where required by domestic law, we shall add to our client documentation details on third parties we share information with, the locations of third parties, and the categories of information that we share.
ICG serves global customers and has offices in 95 countries. Your personal information is stored and processed in the country where Your Organization opens a product ; and in our regional main offices and ‘global service clusters’ for operational, regulatory and management purposes.
ICG and its service providers may transfer your personal information to, or store or access it in, jurisdictions that may not provide the same levels of data protection to those offered in your home jurisdiction. We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it by using contractual and technical security measures, including (for the EEA and other territories) standard contractual clauses. We will inform you of the transfer of data or obtain consent where required by applicable law.
We retain personal information only for the length of time necessary to carry out the Purposes for which personal data was collected and keep that data during such time Your Organization’s accounts and products are open, or a transaction is active, and for a certain time after their closure in accordance with a country-specific records retention schedule, set in compliance with local law. When the retention of your personal data is no longer necessary, we will securely dispose of it by destroying the data, or we will irreversibly anonymize it, so that it is no longer personal data.
This Privacy Notice is not intended for or directed at persons under the age of 18. In addition, ICG Services are not designed for children and we do not knowingly collect personal information from children under the age of 16. We do not sell, share, use for information society services or targeted advertising personal information of children. We may process information relating to minors with consent from their parents or guardians, where they are named beneficiaries of trusts, wills or insurance policies, and similar uses permitted by law. If you have reason to believe that information about a child has been provided to us in error, please contact us, and we will take appropriate action.
Please use the links provided under Your Rights or refer to the Supplemental Provisions to contact us or our data protection officers and authorities.
Our global privacy notice and its Supplemental Provisions apply to products in our global financial hubs, and to cross-border operations with global entities, and any documents that explicitly refer to these terms.
Our global financial hubs are located in the United States, the European Economic Area, the United Kingdom, Hong Kong and Singapore. We also have Country Supplements that set out protections for cross border products. Please refer to the link relevant to your country of residence.
In the event of conflict, the terms in the Supplemental Provisions shall govern and take precedence over the terms of the Global Privacy Notice
If you have an on-shored or in-country (domestic) product please refer to your country documentation, including the country-level privacy notice, A list of online privacy notices is available in Section 13 below. Please note that your country privacy notice may only be available in paper format.
LATAM |
Argentina |
Brazil |
Uruguay |
NAM |
Canada |
MEXICO |
Mexico |
APAC |
Australia |
China, PRC |
Malaysia |
New Zealand |
Philippines |
South Korea |
JAPAN |
Japan |
EMEA |
Austria |
Indonesia |
Israel |
Jersey |
Jordan |
Kenya |
Lebanon |
South Africa (RSA) |
Uganda |
United Arab Emirates
|
Turkey |
Please click here to access out Digital Platforms supplement, which apples to online banking and trading portals and mobile Apps.
Citi Research activities are covered by a separate document, accessible here.
COUNTRY-LEVEL PRIVACY NOTICES
For private bank operations please refer to the following link:
For on-shored or in-country (domestic) operations please refer to the following notices:
Please click here to print the document.
If you are a resident of California you may also contact us by visiting our California Privacy Hub