CITIBANK NIGERIA LIMITED IS LICENCED BY THE CENTRAL BANK OF NIGERIA
Supplemental Provision — Nigeria
Updated July 24, 2025
This Supplemental Provision for the Federal Republic of Nigeria complements the Citi Authenticator Global Privacy Notice (the "Global Privacy Notice") in relation to individuals who have rights under the Nigeria Data Protection Act 2023 (NDPA 2023) and/or the General Application and Implementation Directive 2025 (GAID) and statutory instruments and regulatory guidance issued thereunder.
Other than for expressions defined in the Global Privacy Notice, all terms used herein will have the same meanings given to them in the NDPA or GAID.
All provisions in this Supplemental Provision for Nigeria take precedence over the Global Privacy Notice.
Data Controller
The Data Controller in Nigeria is Citibank Nigeria Limited (CNL). CNL is a commercial bank licensed by the Central Bank of Nigeria, with registered address at 27 Kofo Abayomi Street, Victoria Island, Lagos, Nigeria.
CNL’s Data Protection Officer’s E-mail address is: dponigeria@citi.com
CNL is the data controller responsible for the lawful collection, use, processing and disposal of personal data in Nigeria and its lawful transfer across international borders. CNL has ensured that it has appropriate contractual, technical and operational measures in place with its sub-processor and service providers to protect its and their processing of personal data.
You can request or enforce personal data rights by E-mailing or writing to CNL’s Data Protection Officer to the contact details provided in this document.
Legal Bases for processing and exporting personal information
CNL relies on various lawful bases as permissible by law, for the collection and processing of personal data, as further detailed in the table below.
CNL will rely on consents, gathered indirectly from workforce members for international transfers of personal information. This includes personal data from other workforce members and service recipients, where appropriate. These consents are collected through our account operations or in a transactional basis, for example, each time we receive instructions from workforce members.
In certain cases, CNL collects consents directly:
(1) From persons related to workforce members who have access to Citibank’s digital platforms, for example CitiDirect and CitiVelocity, gathered during user onboarding, and further requested (or ‘refreshed’) where changes to the digital platforms merit a fresh consent.
(2) From persons that receive banking services from CNL, such as limited payment accounts and payment beneficiaries (including staff salaries)
Where available, we rely on other lawful basis for processing including for compliance with applicable law or in the public interest recognized in a statute, or where it is necessary for the establishment, exercise or defense of legal claims.
Silence
Your silence will never be considered as consent to the processing of your Personal Information.
Withdrawal of Consent
You may withdraw or revoke your consent for processing at any time, but if you do so, we will be unable to continue providing financial services to you or your organization through you. The legality of personal data that we collected and processed prior to your withdrawal or revocation will not be affected, and we will continue to store your personal data for a reasonable time period, in compliance with our retention requirements as a financial institution, and your personal data will not be used other than for compliance with CNL’s legal obligations
Legitimate Interest- Request to Cease Processing
Citi shall discontinue the processing of your Personal Information on your request, unless Citi demonstrates a public interest or other legitimate grounds, which overrides your fundamental rights and freedoms and interests.
Categories of Personal Data:
We collect Personal Information through the App, which means information that:
By itself, or in combination with other information available to Citi relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with you;
Identifies or can be used to identify you as a single living individual; or
Can be used to authenticate you to provide access to Citi’s IT network and services and is of a personal and confidential nature.
Citi processes certain Personal Information that you provide to us and Personal Information, including technical information that can identify your device, that we collect automatically when you use or interact with the App.
Information that you provide to us.
We collect Personal Information that you provide to us when you use or interact with the App. This includes identifiers and any other information you provide when you register for, install and use the App, such as your Citi issued identification number, PIN, password, including, but not limited to, information, codes or identifiers provided to you by or on behalf of Citi for you to use in downloading, installing and using the App as an authorized User.
Information that we collect automatically
We automatically collect information about your use of the App (such as time of use) and about the device(s) you use to access the App, including information about your internet use, such as your IP address, device ID, IMEI, MAC address or device serial number, geo-location, operating system, mobile provider and brand and model of your device. (Please note: your IP address will indicate your device location, or the location of your VPN.)
Personal Information we derive
We may derive or draw inferences about you based on the information we collect. For example, we may make inferences about your location when using the App based on your device IP address.
Personal Information that is Maintained on Your Device
You can use your credentials (username and password for the App) to verify your identity to log-on to and use the App. Alternatively, at your option and where available, you can use the finger scan and facial recognition features of your device’s operating system to verify your identity to log-on to and use the App. These device and operating system features may be used only if you provide your express consent in the App.
If you choose to use your device’s and operating system’s finger scan or facial image recognition features, your biometric information, identifiers or data will be maintained under your custody on your device in accordance with your device’s and your operating system’s features, and Citi will not collect, capture, purchase, receive through trade, otherwise process, obtain, or have access to them. When you use these features, Citi only receives a yes/no reply for authentication from your device. For information about the privacy and security practices and terms of use of these features on your device, please consult the documentation available from your device manufacturer and/or operating system. Citi is not responsible for those third-parties’ practices.
If some or all of the Personal Information is not collected (either actively provided or collected automatically) and processed, then you will not be able to use the App and you will need to Contact Us to arrange for an alternative method of authentication.
Please note that access to and use of this App by authorized Users is entirely optional and voluntary, and is not mandatory or critical to any Authorized User’s relationship with Citi. You may discontinue your access to and use of the App for any reason at any time and use an alternate method of authentication as noted above.
Subject to legal obligations and any consents required, we may also collect sensitive or protected information. If we do so, we will process such data in systems that compartmentalize it, with specific operational, technical and governance measures.
Further Protections for the processing of Sensitive Personal Data
Without prejudice to the principles set out in the NDPA 2023, Citi shall not process your sensitive personal data, unless:
(a) you have given and not withdrawn consent to the processing for the specific purpose or purposes for which it will be processed;
(b) processing is necessary for the purposes of performing the obligations of Citi or exercising your rights under employment or any other similar laws;
(c) processing is necessary to protect your vital interests or of another person, where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association, or such other non-profit organisation with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes, and the —
(i) processing relates solely to the members or former members of the entity, or to persons, who have regular contact with it in connection with its purposes, and
(ii) sensitive personal data is not disclosed outside of the entity without the explicit consent of the data subject;
(e) processing is necessary for the establishment, exercise, or defence of a legal claim, obtaining legal advice, or conduct of a legal proceeding;
(f) processing is necessary for reasons of substantial public interest, since a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject;
(g) processing is carried out for purposes of medical care or community welfare, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality;
(h) processing is necessary for reasons of public health and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject; or
(i) processing is necessary for archiving purposes in the public interest, or historical, statistical, or scientific research, in each case since a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights and freedoms and the interests of the data subject.
Purposes of Processing, Categories of Personal Data and Legal Bases
| Purposes of Processing | Categories of Data | Legal Bases |
|---|---|---|
|
- Purposes related to Contract Performance - to authenticate you in order to provide you with access if you are authorized by Citi, to the Citi IT network and services in performance of your duties for or on behalf of Citi, and to operate our business as more fully described below; - to secure, maintain and improve our authentication services; - to send you service and security alerts and communications, and to respond to your communications, concerning the App, Citi IT network access, and authentication services; - to monitor and analyze trends, usage, and activities in connection with the App; - to develop new functionalities and enhance current authentication services; - to detect, investigate and prevent fraudulent or unauthorized attempts to access or use Citi’s IT network and services and other illegal or unpermitted activities, and protect the rights and property of Citi; and - to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management. or transaction, including to make a payment; |
(a) Where the processing is necessary for us to perform a contract with you or for requested pre-contractual steps; (b) For international data transfers: consent. |
|
|
- Purposes related to Legitimate Interest to authenticate you in order to provide you with access, if you are authorized by Citi, to the Citi IT network and services in performance of your duties for or on behalf of Citi; - to secure, maintain and improve our authentication services; - to send you service and security alerts and communications, and to respond to your communications, concerning the App, Citi IT network access, and authentication services; - to monitor and analyze trends, usage, and activities in connection with the App - to develop new functionalities and enhance current authentication services; - to detect, investigate and prevent fraudulent or unauthorized attempts to access or use Citi’s IT network and services and other illegal or unpermitted activities, and to protect the rights and property of Citi; and - to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management. |
||
Information required for legal or regulatory purposes |
(c) Where we are required by law |
|
|
Identity Data Contact Details Organizational Information Communication and Marketing Information Information relating to your personal assets Financial background checks |
(d) Where necessary for our, or for a third party’s legitimate interests, if your interests and fundamental rights do not override these interests. We will perform a balancing test of those interests prior to relying on this basis. |
|
In certain cases, the legal basis for processing is the performance of a task carried out in the public interest. This interest must be substantial and expressly recognised in legal statutes |
Identity Data Contact Details Organizational Information Communication and Marketing Information Information relating to your personal assets Financial background checks |
(e) Substantial Public Interest |
International Transfers of Personal Data
We limit international transfers of personal data from CNL to the operations that are required to perform banking and financial services; for example where we need to send account details of the payer or beneficiary to a foreign corresponding bank.
We ensure your personal information is transferred to countries that have an equivalent or ‘adequate’ level of data protection. Where we transfer personal information to other countries, we will do so in limited circumstances, such as under client instructions, where the transfer is necessary to perform a cross-border operation or transaction. We transfer your personal data using safeguards to appropriately address any risk in data transfers.
We also transfer de-personalised and aggregated (or otherwise anonymized) data, such as it ceases to be personal data, to our head office and subsidiaries for our own accounting, security and management purposes.
Minors (Children):
Section 7 of the Global Privacy Statement is replaced as follows:
Our products and financial services are designed for corporate, government and institutional clients of a commercial bank, and are not designed for underage persons, who are unable to represent corporate entities or enter into business transactions in their own name.
We do not knowingly collect personally identifiable information from anyone under the age of 18 except where the age of the individual cannot be determined (for instance, where a person is the beneficiary of a payment). If you are a parent or guardian, please read this Privacy Notice and any applicable Supplements to thoroughly understand how personal information is handled and contact us if you have any concerns. If we become aware of personal information collected without parental consent, we will take steps to obtain such consent or remove it from our records.
Retention of Personal Information:
Citi Data Controllers shall erase your Personal Information without undue delay where such Personal Information is no longer needed in relation to the purposes for which it was requested, and in the absence of another lawful basis to retain it.
Notification of Security Incidents and Breaches of Personal Information
The safety, security and integrity of your personal information are paramount to banking operations. We will promptly notify the Nigeria Data Protection Commissioner and in any case within 72 upon becoming aware of any accidental or intentional damage, alteration, destruction, unauthorized disclosure, loss, misuse, inability to access, extraction or theft of personal information that is stored or processed by Citi, where there is a risk to your rights or freedoms. If the risks are significant, we will also communicate directly with you, providing details of the data exposed to risk, with advice and measures we take to mitigate any adverse effects.
Right to File Claims before the Nigeria Data Protection Commission
In the event that the protection of your Personal Information is compromised or interfered with, you may lodge a complaint with the Nigeria Data Protection Commission No.12 Clement Isong Street, Asokoro, Abuja or info@ndpc.gov.ng.
You may communicate with Citi through the following means:
Through Citi’s Data Protection Officer at Citibank Nigeria Limited, 27, Kofo Abayomi Street, Victoria Island, Lagos, Nigeria or dponigeria@citi.com or, citiauthenticatorsupport@citi.com.
Right to monitor
We may monitor, and analyze trends, usage, and activities in connection with the App. We may also monitor your compliance with our policies and standards and protect our IT network, services, and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management.
Effective Date and Notice of changes
This Supplemental Provision is effective from 24 July 2025.
