The ICG legal entity which provides the accounts, products and services you are using or accessing on behalf of Your Organization, is in most cases responsible for determining what Personal Information will be collected, the purposes the information will be collected for, and how it will be processed. That entity is the Data Controller, or Data User under the laws of certain other jurisdictions.

We may act as a Data Processor when we process card payment transactions on behalf of merchants, other banks or card issuers, or when we act as a transfer, payment or security agent. If we act as a Data Processor on behalf of other Data Controllers, we will only collect and use information as described in our contracts, not under this Privacy Notice.

Data Controllers

Please refer to country-Supplements in Section 12 for information on data controllers in each country or region. A global list of Citi entities is available here

We may obtain information directly from you, from Your Organization or from other third parties, for example: financial institutions, government records, credit bureaux, or companies specialised in gathering publicly available information.

We obtain information about you from various sources:

• Account activities (e.g. bill payments, deposits, withdrawals, investments, other transactions)
• Applications and forms (e.g. product variation, credit lines and limit increase, signatory names and signature sample forms or , electronic instructions)
• Written and verbal communications with you, your representatives or our institutional clients (e.g. phone calls to our trading or client service desks, text messages, emails or other communications received direct from you, your employer, institutions you work for or with, or other third parties) for the purposes of obtaining instructions from you, authentication, security and quality assurance.
• Citi Digital Platforms . Data is not shared or combined between platforms. Please refer to the Digital Platforms Supplemental Provisions for more information
• We obtain some personal data about you from international sanctions lists, publicly available websites, financial market infrastructures (including settlement service providers, central securities depositories, exchanges, central clearing counterparties and other similar entities) databases and other public data sources
• Conduct background checks and monitor publicly available information through specialised service providers.

As required and/or permitted by law, we also may monitor and record your telephone, email, instant messaging, and other online communications with us in connection with any banking operation or instruction that results or may result in a banking, financial or corporate transaction.

Personal Information

Citi ICG collects personal information about you, for specified purposes indicated in this Privacy Notice and its Supplemental Provisions.

Types of personal information we process, include:

• Your identity: name, company, title, job description in relation to Your Organization
• Your business contact details such as email address, telephone number, business address.
• Information about your employment and signature authorisations issued by Your Organization, and your current and prior relationships within Your Organization.
• Information about your relationship with us, preferred methods of services communications, and your marketing preferences
• Information relating to your personal assets as part of our Know Your Client (KYC) legal and  regulatory obligations, including background and credit checks, and identifying the ultimate beneficial ownership structure of Your Organization and a corporate entity you are associated with.
• Information relating to your financial and personal background, and residential address, as part of any reference and identity verification checks, in order to open and maintain accounts, products, and services for Your Organization.
• Information required for other legal or regulatory purposes including AML and/or sanctions and investor screening processes (e.g., copies of your passport or a specimen of your signature) or for transaction management purposes
• Other details of agreements or arrangements Your Organization made with us.

Where required by law, we will process Social Security, national ID and other protected information. We have systems that compartmentalize such protected personal information, and operational, technical and governance measures, including strict access controls to protect the confidentiality and security of our data.

Sensitive Personal Information

Sensitive personal information is defined differently under the laws of different jurisdictions. We will only collect and process personal information which is necessary for us to provide our products and services and as required for other business, legal, and regulatory purposes. We will always provide you with additional explanatory information and disclosures if we collect or otherwise process sensitive personal data  such as Biometric and behavioural data that we learn from your interactions with our systems and applications, for example your mouse speed and movements, your keyboard usage, voice authentication using telephone banking and by using the built-in biometric authentication technology in your mobile device. When we use device authentication, we will not have access to your biometric data, which remains stored in your mobile device.

Digital Personal Information

Information for Citi ICG public Websites *

(*for banking online and mobile applications please read our Digital Platforms Supplement in  Section 12.b)

Device and Usage Information: We collect technical information about how you access our websites, including data about the device and network you use, such as your hardware model, operating system version, mobile network, IP address (digital identifiers), browser type, and app version. We also collect information about your activity on our Services, such as access times, pages viewed, links clicked, and the page you visited before navigating to our Services, to prevent  fraud and other criminal activities.

Cookies and Similar Tracking Technologies: We collect information about your use of our digital services through technologies such as cookies web beacons and trackers. This includes information such as:

• Information about your use of the services and about the device you use to access the services
• The pages you request and visit and any posts you submit
• Information on your interaction with other pages
• Information obtained in the course of maintaining or supporting the Services
• Information about your device, such as MAC  and IMEI numbers, your IP address, and the URLs of sites from which you arrive or leave the Services
• Your type of browser, your operating system, your mobile or internet service provider, and the make and size of your device (such as for page displays and interoperability)

Cookies are small data files stored on your hard drive or device memory that help us, among other purposes to:

• Improve our Services and your experience
• See which areas and features of our Services are popular
• Count visits

Web beacons are electronic images that may be used in our Services or emails and help among other purposes to:

• Deliver cookies
• Count visits
• Understand usage and campaign effectiveness

Each site has page-specific  Cookie Notices and options.

We use your Personal Information for the following purposes:

• Communicate with you in relation to banking and financial services provided to Your Organization including:
  • • To verify your identity and communicate with you
    • To improve relationships with you and Your Organization
    • To inform you about products and services Your Organization has,  and to offer other services that may be of interest for Your Organization (subject to your marketing preferences).
• Deliver our services, including:
  • To provide our products and services, including opening and maintaining accounts for your Organization
  • To manage and administer our business
  • For system administration, operation, testing and support of our Digital Platforms
  • To enable third parties to deliver products or services on our behalf, including payment services
  • In communicating with credit reference and information agencies
  • To meet our obligations to and cooperate with stock exchanges, alternative trading systems, clearing and settlement agencies, brokers and similar entities
• Manage our business, including:
  • For business development activities, analysis and planning purposes
  • To investigate and respond to client issues and complaints
  • To establish, exercise, or defend our, and any third party’s legal claims, including adherence to applicable terms of use
  • For research and other statistical and trend analysis (de-identifying and aggregating or anonymizing source data with that of other clients and institutions in such way that it is not possible to reverse-engineer and re-identify you)
  • To protect and enforce the rights, property or safety of us, our business, any Citi company, Your Organization or others including security and fraud prevention for identification / authentication purposes
• For our and other financial institutions’ legitimate interests (provided  these are not overridden by yours) and to comply with applicable laws, including:
  • For fraud prevention and investigation and dealing with other criminal activity
  • For internal risk assessment and control, e.g. detect or resolve cyber incidents or fraud
  • To comply with judicial requirements, including to exercise our rights in judicial, administrative or arbitration litigation
  • Some laws will require you to provide us with certain tax information, or complete tax declarations
  • For regulatory reporting requirements, e.g. regulatory reporting, Central Bank reporting

Use and Disclosure Rights

Certain countries and territories require Citi to offer to individuals the options and means to limit their use or disclosure of personal information to third parties. Please refer to the appended Special Provisions for your country or territory for information on these additional rights and how to exercise them.

Citi ICG does not sell nor share your Personal information with third parties for their advertising or other commercial purposes. We also do not sell, share, or use your personal information for third party online targeted advertising,  nor disclose the Personal Information of persons under the age of 16 (see ‘Children’ further below) .

Automated Decision-Making and Profiling

ICG does not make automated decisions based on personal information or sensitive personal information, and does not conduct profiling for commercial purposes based on your personal information or sensitive personal information. You should be aware that we  automatically monitor transaction data for fraud and Anti Money Laundering purposes. All decisions involving personal data are conducted by or checked by our staff. Where we process data automatically (for example in algorithmic investment strategies) all information is de-personalised.

The lawful basis that we rely on, vary depending on the applicable law in the country where we collect data, include:

• Consent: We will use consent as a lawful basis, subject to conditions applicable in the country where consent is collected, only where
  • We are required by law to obtain consent or
  • Where consent can be assumed or inferred from your conduct
• Performance or Delivery of a contract
  • We will rely on this lawful basis for processing if:
    • We have a contract with you and need to process your personal information in order to deliver the products and services outlined in that contract. For example, to set up and manage your account with us, or to process your payments.
    • You have asked us to take steps in order to enter into a contract with us. For example, to provide you with a quote or to process your account application.
• Legitimate interests
  • We will rely on this lawful basis for processing if:
    • We have a legitimate business purpose for processing your personal information; and
    • Processing your personal information is necessary to achieve this purpose; and
    • Our legitimate business interest is not overridden by your individual interests, rights and freedoms
• Legal obligations
  • We will rely on this lawful basis for processing if we need to process your personal information to comply with a common law or statutory obligation. This may include, but will not be limited to:
    • Providing information on request to government entities / regulatory authorities / markets / brokers / other intermediaries or counterparties
    • Conducting compliance activities such as: audit and reporting / maintenance of accounting and tax records / anti money laundering / sanctions and anti-terrorism laws and regulations / fighting crime / know your customer screening / politically exposed persons screening / sanctions screening / security and fraud prevention

When we collect and process sensitive personal information we will usually do so by obtaining your explicit consent. There are some instances where we may rely on legal exceptions  to such consent to process sensitive personal information. For example:

• If the need to process data is clearly in your interest, and consent for the collection, use or disclosure cannot be obtained in a timely manner, or where you would not be reasonably expected to withhold consent

If it is for a substantial public interest or in the legitimate interest of another person (including us) provided that processing must not extend to what is reasonable to provide a legitimate outcome and the protected interest outweighs any adverse effects of the processing your personal information.

Your rights over your personal information are protected by applicable law in many countries. Most countries grant 4 basic rights: Access, Rectification, Cancellation and Objection (by their initials, the so-called ARCO rights), Citi extend these and GDPR rights globally to all ICG clients  beyond the requirements of their national law :  

Right to be informed

• • You have the to be informed of sub-processors that receive your data and of certain operational and technical measures we put in place to protect your data. 
• Right to access your information:
  • You can contact us to request a copy of the personal information we hold about you  This is often known as a ‘subject access request’
• Right to rectify your information
  • You can contact us to ask us to correct personal information that you believe we hold which may be inaccurate or incomplete
• Right to erase your information
  • You can contact us to ask us to erase personal information that we hold about you
  • There may be some instances where we are not able to erase your personal information. For example, where it is a legal requirement for us to continue to process your information. If this is the case, we will clearly explain the reason we are unable to stop processing your personal information.
• Right to transfer your information to another organisation
  • You can contact us to ask us to transfer your personal information to other organisations. This is often known as the ‘right to data portability’
  • There may be some instances where we are not able to transfer your information. For example, if we are relying on a lawful basis other than ‘consent’ or ‘contract’ to process your personal information
• Right to restrict processing of your personal information
  • You can contact us to ask us to restrict processing of your personal information
  • There may be some instances where we are not able to restrict processing of your personal information. For example, if you do not provide us with a particular reason for wanting the restriction.
• Right to object to processing
  • You can contact us to object to us processing your information
  • We may not always be able to accept your objection. For example, if we need to continue to process your information for our business, legal and regulatory and other purposes
• Right to object to the grounds of legitimate interests for processing
  • Where we rely on legitimate interests as the lawful basis for processing your personal information, you can contact us to object to us processing your information on these grounds
  • We will always consider your reasons for objecting to us processing personal information on these grounds, and balance your interests, rights and freedoms with our legitimate business interests
• Right to withdraw your consent for processing your personal information
  • You can contact us to withdraw your consent for processing your personal information
  • If you withdraw your consent for processing of your personal information and it is necessary for us to process that information for one of our business, legal and regulatory and other purposes, then we may not be able to provide you with the relevant products and / or services
  • There may be situations where we are unable to stop processing your personal information, for example, where it is a legal requirement for us to continue using the information. If this is the case, we will clearly explain the reason we are unable to stop using (and storing) your personal information.

We may not always be able to grant your privacy rights request.

We will always respond to your request within the timeframes provided under applicable law.

We will need to verify your identify before we share any details relating to personal information. If you are making a request on behalf of someone else (e.g., as an attorney or a friend or relative) we may require further information to ensure that you are duly authorised to make the request. In our reply, we will explain clearly whether we accept your request, the rationale for our decision, and what will happen next.

From time to time, we will disclose your personal information to trusted third parties (including Citi legal entities different from the one You or Your Organization have your relationship with). We may disclose your personal information to the following recipients:

• to Your Organization in connection to the services we provide to them
• Our affiliates or other ICG business groups, which may receive or have access to personal information about you if you access, request, or otherwise use other ICG  services in connection with your use of our services, including our online portals and apps, and as permissible under applicable law;
• Our affiliates’ service providers, for services such as application processing, fraud monitoring, call centre and client services, meeting hosting, data analysis, or otherwise assist in the management and execution of business functions;
• Stock and security exchanges, alternative trading systems, clearing and settlement agencies, brokers, facilities and similar entities, payment infrastructure providers, counterparty banks, and any persons we receive payments or make payment on your behalf;
• To brokers, custodians, sub-custodians, fund administrators, fund houses, depositaries, trustees, financial market infrastructure service providers (including settlement service providers, central securities depositaries, and
• To our professional services providers including legal, tax, insurance and audit advisors, and to competent regulatory, tax, governmental or investigation agencies authorities, to central banks and financial regulators and to the courts of any jurisdiction, domestic or foreign

We will only share your information for the purposes outlined in the section Purposes and Use of Personal Information

Where required by domestic law, we shall add to our client documentation details on third parties we share information with, the locations of third parties, and the categories of information that we share.

ICG serves global customers and has offices in 95 countries. Your personal information is stored and processed in the country where Your Organization opens a product ; and in our regional main offices and ‘global service clusters’ for operational, regulatory and management purposes.

ICG and its service providers may transfer your personal information to, or store or access it in, jurisdictions that may not provide the same levels of data protection to those offered in your home jurisdiction. We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it by using contractual and technical security measures, including (for the EEA and other territories) standard contractual clauses. We will inform you of the transfer of data or obtain consent where required by applicable law.

We retain personal information only for the length of time necessary to carry out the Purposes for which personal data was collected and keep that data during such time Your Organization’s accounts and products are open, or a transaction is active, and for a certain time after their closure in accordance with a country-specific records retention schedule, set in compliance with local law. When the retention of your personal data is no longer necessary, we will securely dispose of it by destroying the data, or we will irreversibly anonymize it, so that it is no longer personal data.

This Privacy Notice is not intended for or directed at persons under the age of 18. In addition, ICG Services are not designed for children and we do not knowingly collect personal information from children under the age of 16. We do not sell, share, use for information society services or targeted advertising personal information of children. We may process information relating to minors with consent from their parents or guardians, where they are named beneficiaries of trusts, wills or insurance policies, and similar uses permitted by law. If you have reason to believe that information about a child has been provided to us in error, please contact us, and we will take appropriate action.

Please use the links provided under Your Rights or refer to the Supplemental Provisions to contact us or our data protection officers and authorities.

Our global privacy notice and its Supplemental Provisions apply to products in our global financial hubs, and to cross-border operations with global entities, and any documents that explicitly refer to these terms.

Our global financial hubs are located in the United States, the European Economic Area, the United Kingdom, Hong Kong and Singapore. We also have Country Supplements that set out protections for cross border products. Please refer to the link relevant to your country of residence.

In the event of conflict,  the terms in the Supplemental Provisions shall govern and take precedence over the terms of the Global Privacy Notice

If you have an on-shored or in-country (domestic) product please refer to your country documentation, including the country-level privacy notice, A list of online privacy notices is available in Section 13 below. Please note that your country privacy notice may only be available in paper format.

Please click here to access out Digital Platforms supplement, which apples to online banking and trading portals and mobile Apps.

 Citi Research activities are covered by a separate document, accessible here.

COUNTRY-LEVEL PRIVACY NOTICES

For private bank operations please refer to the following link:

For on-shored or in-country (domestic) operations please refer to the following notices:

Please click here to print the document.