Citi Authenticator Global Privacy Notice


Last Revised: March 23, 2024

Effective: March 23, 2024

The Citi Authenticator App (“App”) provides a means for authorized Citi Global Workforce Members to authenticate their identity to access the Citi IT network and services. This App is not intended for downloading by or use by individuals who are not authorized Citi Global Workforce Members. This Global Privacy Notice ("Privacy Notice") explains how Citigroup, Inc. and its subsidiaries and affiliated companies (collectively, "Citi," "us," or "we") collect and process Personal Information (also referred to here as Personal Data) from and about users of the App. If you are a user of the App, we refer to you here as "you," "your," or "User." We advise you to read this Privacy Notice in its entirety, including the jurisdiction-specific supplemental provisions at the end of this Notice, which apply to Users in certain jurisdictions.

If you are a California resident, the California Privacy Rights Act may give you certain rights related to your Personal Information, which are in addition to any rights set forth in this Privacy Notice. Please read the California Supplemental Provision for additional information.

This Privacy Notice is specific to the Citi Authenticator App and does not replace or amend any other privacy notice, including those applicable to Citi Global Workforce Members or to Personal Information collected or used by Citi through any other Citi apps, digital platforms, systems or technologies. This Privacy Notice also does not replace or amend any privacy notice that may be applicable to Personal Information collected or used by Citi through a customer or client relationship with Citi.

Contents
  1. Who Is Responsible for Your Personal Information?
  2. Personal Information We Collect and Process and Their Sources
  3. Lawful Basis and Purposes of Use
  4. Disclosure of Personal Information
  5. Transfers of Personal Information
  6. Retention of Personal Information
  7. Children
  8. Security of Personal Information
  9. Your Data Privacy Rights
  10. Contact Us
  11. Supplemental Provisions for Countries and Territories

1. Who Is Responsible for Your Personal Information?

The data controller of a User’s Personal Information is the Citi legal entity for which they work or to which they provide services. The list of Citi entities that are data controllers in the jurisdiction where they are registered and their addresses is available on https://www.citigroup.com/citi/about/countries-and-jurisdictions/
Citibank, N.A. is a service provider and acts as a data processor.

2. Personal Information We Collect and Process and Their Sources

We collect Personal Information through the App, which means information that:

  • By itself, or in combination with other information available to Citi relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with you;

  • Identifies or can be used to identify you as a single living individual; or

  • Can be used to authenticate you to provide access to Citi’s IT network and services and is of a personal and confidential nature.

Citi processes certain Personal Information that you provide to us and Personal Information, including technical information that can identify your device, that we collect automatically when you use or interact with the App.

Processing means any activity in the data life cycle including collecting, organizing, accessing, modifying, transferring, updating, and making available or disposing.

Information that you provide to us

We collect Personal Information that you provide to us when you use or interact with the App. This includes identifiers and any other information you provide when you register for, install and use the App, such as your Citi-issued identification number, PIN, password, including, but not limited to, information, codes or identifiers provided to you by or on behalf of Citi for you to use in downloading, installing and using the App as an authorized User.

Information that we collect automatically

We automatically collect information about your use of the App (such as time of use) and about the device(s) you use to access the App, including information about your internet use, such as your IP address, device ID, IMEI, MAC address or device serial number, geo-location, operating system, mobile provider and brand and model of your device. (Please note: your IP address will indicate your device location, or the location of your VPN.)

Personal Information we derive

We may derive or draw inferences about you based on the information we collect. For example, we may make inferences about your location when using the App based on your device IP address.

Personal Information that is Maintained on Your Device

You can use your credentials (username and password for the App) to verify your identity to log on to and use the App. Alternatively, at your option and where available, you can use the finger scan and facial recognition features of your device’s operating system to verify your identity to log on to and use the App. These device and operating system features may be used only if you provide your express consent in the App.

If you choose to use your device’s and operating system’s finger scan or facial image recognition features, your biometric information, identifiers or data will be maintained under your custody on your device in accordance with your device’s and your operating system’s features, and Citi will not collect, capture, purchase, receive through trade, otherwise process, obtain, or have access to them. When you use these features, Citi only receives a yes/no reply for authentication from your device. For information about the privacy and security practices and terms of use of these features on your device, please consult the documentation available from your device manufacturer and/or operating system. Citi is not responsible for those third parties’ practices.

If some or all of the Personal Information is not collected (either actively provided or collected automatically) and processed, then you will not be able to use the App and you will need to Contact Us to arrange for an alternative method of authentication.

Please note that access to and use of this App by authorized Users is entirely optional and voluntary, and is not mandatory or critical to any Authorized User’s relationship with Citi. You may discontinue your access to and use of the App for any reason at any time and use an alternate method of authentication as noted above.

3. Lawful Basis and Purposes of Use

In certain countries we process Personal Information in connection with the App primarily on the basis of consent if required by law, for all purposes in this section. Please note that, in some jurisdictions, consent to data processing may be implied by your use or continued use of the App. As permitted, we also process your Personal Information on other legal bases and for the purposes set forth below.

Contract Performance

We will rely on this basis for processing where we have a contract with you or your employer and need to process your Personal Information for the specific purposes set out below:

Purposes related to Contract Performance

- to authenticate you in order to provide you with access if you are authorized by Citi, to the Citi IT network and services in performance of your duties for or on behalf of Citi, and to operate our business as more fully described below;

- to secure, maintain and improve our authentication services;

- to send you service and security alerts and communications, and to respond to your communications, concerning the App, Citi IT network access, and authentication services;

- to monitor and analyze trends, usage, and activities in connection with the App;

- to develop new functionalities and enhance current authentication services;

- to detect, investigate and prevent fraudulent or unauthorized attempts to access or use Citi’s IT network and services and other illegal or unpermitted activities, and protect the rights and property of Citi; and

- to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management.

Legitimate Interests

Where we have a legitimate business purpose for processing your Personal Information, and our legitimate business interests are not overridden by your individual interests, rights or freedoms, and if we do not have a written agreement, we will process your Personal Information as necessary to achieve the purposes below:

Purposes related to Legitimate Interest

- to authenticate you in order to provide you with access, if you are authorized by Citi, to the Citi IT network and services in performance of your duties for or on behalf of Citi;

- to secure, maintain and improve our authentication services;

- to send you service and security alerts and communications, and to respond to your communications, concerning the App, Citi IT network access, and authentication services;

- to monitor and analyze trends, usage, and activities in connection with the App;

- to develop new functionalities and enhance current authentication services;

- to detect, investigate and prevent fraudulent or unauthorized attempts to access or use Citi’s IT network and services and other illegal or unpermitted activities, and to protect the rights and property of Citi; and

- to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management.

Legal Obligations

Where processing is necessary to comply with our obligations under applicable Law.

4. Disclosure of Personal Information

We disclose Personal Information collected and processed through the App in the limited circumstances described below:

  • To service providers who provide services to us and are required to keep Personal Information confidential;

  • If reasonably necessary to comply with applicable laws, rules, or regulations ("Law"), or compulsory process (e.g., to respond to a subpoena);

  • To determine if, and in the event we conclude that, your actions violate applicable Citi agreements, policies or standards;

  • To protect the rights, property or safety of Citi, Citi Workforce Members, your colleagues, or others; and

  • In connection with a merger, sale of company assets, financing or acquisition of all or a portion of our business, provided that the receiving party agrees to protect the information in accordance with this Privacy Notice and applicable Law.

5. Transfers of Personal Information

Your Personal Information may be stored and processed in any country where we have a service centre, remote infrastructure, or have engaged cloud service, network connectivity or security providers. This currently includes the United States, Ireland, Hungary, Netherlands, Singapore, Israel, India and Iceland.

The Citi global data centre currently supporting the App is located in the United States.

Citibank, N.A. is not an electronic telecommunications network provider. However, we engage Google Cloud services provided by Google LLC. Google is subject to US ‘signals intelligence legislation’ including the Federal Intelligence and Surveillance Act (FISA), the CLOUD Act and Executive Order 12333 (as amended). Under certain circumstances and subject to strict legal controls, Google LLC may be required to share personal information in their purview with federal law enforcement and intelligence agencies. If you do not wish your data to be processed in this way, please contact us for an alternative to Authenticator for authentication services, if available.

Certain countries are recognized by the European Commission or other relevant data protection authorities as providing an "Adequate" level of data protection equivalent to that under the GDPR or the respective applicable laws of other countries. If we process data gathered in Europe by the App in, or transfer it to, a location without a declaration of Adequacy (for example, if you use the Authenticator while travelling), we ensure that such transfers are made pursuant to valid mechanisms under Art 46 GDPR. In the case of non-European countries, if we process or transfer data to a location without a declaration of Adequacy, we ensure that such transfers are made pursuant to valid mechanisms under applicable data protection laws.

6. Retention of Personal Information

We retain Personal Information in connection with the App only for the length of time that is necessary to carry out the purposes for which the Personal Information was gathered, including the length of time in which you are engaged under a contract of employment or services with Citi. In most countries our data retention schedule for employee and service provider data for identification, authentication, and/or access is 3 years following termination of employment or termination of contracted services.

7. Children

This Privacy Notice is not intended for or directed at persons under the age of 16. In addition, the App is not designed for children, children are not authorized to use the App, and we do not knowingly collect personal information from children under the age of 16. We do not sell or share the information of children, or use it for information society services or targeted advertising. If you have reason to believe that information about a child has been provided to us in error, please Contact Us and we will take appropriate action.

8. Security of Personal Information

The security of your Personal Information is a priority. We seek to protect this information by implementing and maintaining reasonable physical, electronic, and procedural security measures and safeguards designed to protect Personal Information within our organization. We provide employee training in the proper handling of Personal Information. Unfortunately, no data transmission over the Internet or wireless network or data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your Citi Authenticator access has been compromised), please immediately contact us in accordance with the Contact Us section below.

9. Your Data Privacy Rights

Depending on where you reside, you may have rights with respect to the Personal Information which Citi processes about you, including the right to access your Personal Information, the right to rectify, cancel (delete) and oppose (restrict) our processing of your Personal Information. For clarity, Citi does not use Citi Authenticator for any marketing activities or purposes, nor do we disclose to third parties any of your personal information collected through your use of the App except to the extent set forth in this Privacy Notice.

For your protection and to ensure the security of our IT networks and systems, we respond directly to privacy rights requests that are received from, or are associated with, your Citi business email account. If you leave employment with Citi, or you or the organization with which you are affiliated are no longer engaged to provide services to Citi, or your access to Citi IT networks and services has expired or been restricted or terminated, we may need to verify your identity through means other than your Citi business email account before responding to your request.

To learn more about your data privacy rights, if applicable, and methods for exercising them, please refer to the Contact Us section (Section 10) below and the additional terms or supplemental provisions for the jurisdiction in which you reside at the end of this Privacy Notice.

10. Contact Us

If you have any questions or concerns about this Privacy Notice or this App, please contact us at citiauthenticatorsupport@citi.com.

You may contact us at citiauthenticatorsupport@citi.com to exercise any data rights you have under applicable law in your country of residence.

You also have a right to contact Citi’s data protection officers as well as data protection authorities.

11. Supplemental Provisions for Countries and Territories

In the event of conflict, the terms in the applicable Supplemental Provisions, if any, shall govern and take precedence over the terms of the global Privacy Notice.

Supplemental Provisions for Users in: