Privacy

CITI PRIVACY POLICY

This Privacy Policy explains how Citibank, N.A., Bangkok Branch, Citicorp Securities (Thailand Limited), Citicorp Leasing (Thailand Limited), Citi Consumer Products (Thailand) Limited, and affiliates within Citigroup in Thailand (collectively “Citi”) collect, use and disclose (collectively “Process”) your Personal Data.

1. When does this Privacy Policy apply to you?

This Privacy Policy applies to you if you are an individual customer, or a person associated with a corporate client (including the authorized director(s), authorized representative(s) and/or the contact person(s) of a corporate client) (“associated person”) having an account, credit card, debit card, personal loan, or financial product with Citi (“Products”), and it also applies to you as our prospective customer who is interested in applying for our Products.

2. What types of Personal Data does Citi collect from you?

(a) For a prospective customer or an associated person, Citi collects various types of your data, which can be used to identify you as an individual, whether directly or indirectly (“Personal Data”), such as your full name, date of birth, home address, work address, contact numbers, email addresses, marital status, place of work, employment status, occupation, income, source of wealth, social media ID, photograph, video, data contained in your identification document (e.g. identification card, passport or driving license), voice, signature, financial information, investment details, contact details, geolocation, banking transactions, web browsing data, digital banking usage, Cookies ID, IP addresses, and motions captured by CCTV

(b) For a customer, Citi collects, in addition to the Personal Data described in (a) above, your CIF, account number, credit card number, and transactions, and for a corporate customer, Citi may collect the Personal Data of the authorized persons and shareholders, as shown in its registration documents, and its contact person(s).

(c) Citi also collects the Personal Data of its prospective customers and its customers’ related persons, including parents, children, business referees, emergency contact referees, guarantors and beneficiaries. Before providing their Personal Data to us, you shall ensure that such persons are duly notified about such collection, and that they have consented to the disclosure of their Personal Data to Citi.

(d) Citi may also collect sensitive personal data of customers, which is personal data that is specially categorized by law and which will be collected, used, and/or disclosed by Citi only when Citi has obtained explicit consent from you, or where necessary for Citi as permissible under law, which may include data that is contained in the copy of their Thai identification card (i.e. religion and/or blood type), biometric data, information on sanction lists, screening checks, and health-related data.

3. Why does Citi collect and process your Personal Data?

Citi collects and processes your Personal Data for different purposes, as set out below:

(a) Where the collection or processing is necessary for Citi to perform a contract with you, or to proceed with your request, prior to entering into a contract:

1. To proceed with your request to apply for Citi’s financial related services and/or Products, whereby your Personal Data will be collected and processed in order to assess your needs, financial status, investment experience, credibility, and eligibility in relation to Citi’s specific services or Products, and also to determine the approval decision, level of advice, asset management, credit line, loan amount, and the support that you need.
2. To provide financial related services and Products to you where you have a contract with us, and to operate, maintain, manage and renew your account(s) pursuant to that contract, including debt collection. This includes processing your instructions, and generation of confirmations, advice, and statements, and the carrying out of such instructions.
3. To provide information to you in relation to your account with us, including, but not limited to, bank statements, credit card statements, credit advice, notifications, transaction alerts, payment reminders, fraud alerts, receipts, and bills, via the contact details which you provided to Citi.
4. To allow third party vendors to access your Personal Data and transactional data, and/or initiate payment transactions, as described in your account terms and conditions.
5. To submit your information to the authorities, according to your instructions and/or agreement with Citi.

(b) Where the collection and processing are required by applicable laws:

1. To conduct credit analysis and determine the issuance of credit cards, loans, financial products, credit reviews, credit agreement extensions, account renewals, risk management and prevention, pursuant to the Bank of Thailand’s (“BOT”) stipulations, and to develop a risk scoring model in accordance with the laws on credit information business operations;
2. To disclose your Personal Data to governmental agencies or regulatory authorities, financial markets, brokers, or other intermediaries or counter parties, or to the courts of other parties.
3. To conduct compliance activities such as audit and reporting, assessing and managing risks, maintenance of accounting and tax records, prevention and prosecution for fraud, anti-money laundering (AML), and other forms of crime, debt recovery, prevention and measures relating to sanctions, anti-terrorism laws and regulations, and to report transactions to the regulators.
4. To conduct know your customer (KYC) screening and customer due diligence (CDD) related activities, which involves identity checks and verification of address and contact details.
5. To conduct sanctions screening, which involves the screening of your details against published sanctions lists, and in such case, Citi may also need to verify information from you and/or your spouse or partner.
6. To comply with the obligations and duties under the Thai revenue code, tax legislation and applicable laws, including the Foreign Account Tax Compliance and the Common Reporting Standard of the United States of America.
7. To record telephone conversations and electronic communications with you, as required by the BOT, the Securities and Exchange Commission (“SEC”), the Stock Exchange of Thailand (“SET”), or any other competent authority, as required by applicable law.
8. To process and disclose your Personal Data to the Office of Insurance Commission (OIC), which is the regulator governing the insurance business in Thailand, in order for the OIC to regulate and promote the insurance business according to the OIC laws, life insurance laws and non-life insurance laws. The processing of the Personal Data conducted by the OIC will be in accordance with the OIC’s privacy policy, which would be published in the OIC’s website at https://www.oic.or.th.
9. To conduct the insurance fraud risks related obligations, as well as any other obligations in relation to the insurance business of Citi, in accordance with the laws, regulations, and notifications issued by the OIC.
10. To sell or to buy assets, business or customers’ portfolios to or from third parties, as well as to transfer your Personal Data as part of a merger, acquisition, or business reorganization transactions.

(c) Where necessary for Citi’s or a third party’s legitimate interests:

1. To detect, prevent, investigate and prosecute fraud and other criminal activity, and to share your Personal Data with Citi’s legal, compliance, risk and managerial staff, or relevant parties in order to assess suspicious activities.
2. To protect Citi’s rights, property, personnel, safety, business operations, and customers, Citi may record your voice during your communications with Citi’s personnel. In addition, Citi also records your images and motions via our installed CCTV when you enter our premises, or Citi may request for footage from other third parties, which may include your images and/or motions, if this is required to protect our lawful interests.
3. To manage Citi’s information technology systems, and to ensure the adequacy of the security relating to such systems.
4. To monitor and analyze the use of Citi’s services and Products for purposes of risk assessment and control, statistical and trend analysis, for compliance with policies, system administration, operation, customer experience improvement, transactions and services fulfillment, testing and support, and to operate control and management information systems.
5. To record and retain telephone discussions/conversation for the purpose of, but not limited to, quality monitoring, authentication purposes, and transaction fulfillment, monitoring, and review purposes.
6. To investigate and respond to any complaints, disputes, or inquiries raised by you in relation to Citi’s business operations, services and Products, and to help maintain service quality and train staff to deal with complaints, disputes, and inquiries efficiently and appropriately.
7. To make a payment from an account to a third party’s account as per your, or our customer’s, instructions, in order to enable a third party to perform payment reconciliation, and to allow Citi to keep a record of your transactions.
8. To communicate with you about Citi’s existing or new Products and related services, where permitted by law, and where you have not opted-out, including personalizing communication and messages that could be relevant or of interest to you.
9. To manage and administer Citi’s business and to manage and improve relationships with you, and assist with customer management for marketing and business development activities and analysis for product or service development.

(d) Where the following activities cannot be done by on the basis or the purpose provided in (a) – (c) above, and you consent to the processing of your Personal Data:

1. To conduct direct marketing by sending you messages, materials, and promotions relating to Citi’s services and Products, subject to your marketing and contact preferences.
2. In certain circumstances, to collect your Sensitive Personal Data for the purposes prescribed herein. Citi may also collect your health-related data, or request a medical certificate, in order to assess and determine whether your request should be proceeded, such as a request for a compromise settlement. Moreover, Citi may collect your biometric data to authenticate you when performing transactions with Citi.
3. To disclose your Personal Data to insurance companies and brokers, for the purpose of offering and selling their insurance products to you.
4. To disclose your Personal Data to Citi’s business partners or third parties for the purpose of performing marketing activities, and offering their financial or non-financial related products.
5. To disclose your Personal Data to Citi’s business partners, or third party vendors, for the purpose of offering privileges and benefits to you.

You may withdraw your consent in this section at any time, subject to the conditions under the applicable laws. Furthermore, if we need your consent to process or provide you with our services or Products, or to carry out certain activities, we might not be able to do so. Withdrawal of your consent will not affect any processing of your Personal Data for which you have already provided consent, and which has already taken place prior to such withdrawal.

(e) Where necessary for the establishment, compliance, exercising, or defense of Citi’s legal claims.

4. Where does Citi collect your Personal Data?

4.1 Directly from you: Citi collects and processes Personal Data that you provide to us directly, including the Personal Data which is provided to us via the application form(s) for our services or products, and in supporting documents. Citi also collects your Personal Data which is available to Citi through your use of Citi products and/or services, contact details, visits, social media, online or digital platforms, branches, website, call center, or via other means.

4.2 Our customers, third parties or business partners: Citi may collect your Personal Data from our existing customers or prospective customers through the referral program, or the Member Get Member program, or Citi may collect your Personal Data from our third parties when Citi is instructed to make payments for your utility bills, or other bills, from our customers’ account, or Citi may collect your Personal Data from business partners for the co-promotion of marketing campaigns or activities.

Citi may collect the Personal Data of a minor, whose is below 20 years of age, in the case of a joint bank account, a supplement credit card, or the payment of a utility bill, or as a beneficiary. In the event that consent is required, you shall ensure that valid parental consent has been duly obtained, and that Citi may, at any time, request for documentary evidence relating to such parental consent, as deemed appropriate.

4.3 Other sources: Citi may collect your Personal Data from other sources, including, without limitation, international sanction lists, publicly available databases or data sources, online public sources, social media, media platforms, advertising agencies, other financial institutions, third party vendors who provide background checking services, court judgments, National Credit Bureau, Anti-Money Laundering Office, Revenue Department, Department of Business Development, Bank of Thailand, and any other governmental agency or entity.

5. To whom does Citi disclose your Personal Data?

Citi discloses your Personal Data to others, as follows:

(a) To any of Citi’s affiliates or group companies, both within and outside Thailand, for the purpose of managing your relationship with us, to provide you with our services and/or Products, to perform our contractual obligations, and for other purposes as identified in this Privacy Policy;

(b) to third party vendors who provide services to Citi, and/or to provide additional contracted benefits or services to you;

(c) to our insurers, sub-contractors and persons acting as our agents, who have agreed to keep your Personal Data confidential and comply with the obligations and requirements as stipulated under the applicable personal data protection laws;

(d) to counterparty banks, payment infrastructure providers, custodians, sub-custodians, fund houses, fund administrators, issuers of securities in relation to any payment or investment or business process, and to service your account and investment;

(e) to external legal counsels in the case of debt collection, legal proceedings and legal execution, as well as to protect Citi’s rights, property, personnel, safety, business operations, and customers;

(f) to both Citi’s internal and external auditors;

(g) to any competent regulatory, prosecuting, tax or governmental agencies, courts or other tribunals in any jurisdiction, including the BOT, the Anti-Money Laundering Office, the Revenue Department, the SEC, the SET, and the Ministry of Commerce – Department of Business Development

(h) to the association or entity in which Citi is a member, including for example, the National Credit Bureau Company Limited, ITMX, PromptPay, NDID, and the Thai Bankers’ Association;

(i) to Citi’s business partners, insurance companies, advertising agencies, social media or media platforms for the purpose of marketing and/or offering products to you, as prescribed in this Privacy Policy;

(j) to third parties in connection with a change of ownership in Citi, or any of its assets or properties; and

(k) to any other persons or entities to whom Citi is required to make disclosure by applicable law.

6. Where does Citi transfer your Personal Data?

Citi regularly transfers your Personal Data to its affiliates and group companies, and in certain circumstances, to third parties (e.g. service providers), located outside Thailand, which may have different data protection standards to those prescribed by the data protection authority in Thailand. In addition, most of our servers, which we use to process and store your Personal Data for the purposes prescribed herein this Privacy Policy, are located outside Thailand. Notwithstanding that, Citi ensures that it will protect your Personal Data by implementing adequate personal data protection standards for the transfer of your Personal Data outside Thailand. Citi shall also ensure that any third parties to whom your Personal Data will be disclosed, shall implement adequate personal data protection standards, and where your Personal Data will be transferred within Citi’s affiliates or group companies, Citi shall use data transfer mechanisms, i.e. binding corporate rules.

In certain circumstances, your Personal Data will also be transferred outside Thailand for contractual obligation purposes, i.e. to provide you with our services and/or Products.

7. For how long does Citi retain your Personal Data?

Citi retains your Personal Data for as long as is required in order to fulfil our contractual obligations, or the performance of our services to you or our customers, and for 10 (ten) years after the cessation of our contractual relationship, or the last performance of our services, unless otherwise required or permitted by applicable law.

Where Citi processes your Personal Data in connection with a legal obligation, your Personal Data will be retained for the duration of the prescribed legal retention period, as stipulated under the applicable law.

Where Citi processes your Personal Data solely with your consent, your Personal Data will be deleted, destroyed, or de-identified, subject to the requirements and conditions prescribed by the applicable law.

8. What are your rights in relation to your Personal Data?

8.1 Subject to the applicable law, you are entitled to: (a) request to have access to and obtain a copy of your Personal Data, and to request the disclosure of the source of the Personal Data, in the event that your Personal Data was collected without your consent; (b) receive your Personal Data in a commonly used and machine-readable format, and to have your Personal Data in said format transmitted to another Data Controller; (c) request that your Personal Data be deleted, destroyed or de-identified; (d) object to the collection, use and disclosure of your Personal Data in certain circumstances, including where such Processing is for direct marketing purposes, the Processing is based on, public tasks, or legitimate interest, and the Processing is for scientific or historical research, or statistical purposes; (e) request that the processing of your Personal Data be suspended; (f) request that your Personal Data be corrected, updated, or completed; (g) withdraw your consent at any time, provided that there is no other legal ground for Citi to continue with the processing of your Personal Data; and (h) lodge complaints to the competent authority. The exercise of your rights is subject to the limitations prescribed by law.

Citi will process your request according to its obligations under the law. Please note that in certain circumstances, where permitted by law, we may not be able to fulfil your request. You will be notified accordingly.

8.2 For Citibank customers, you can change your marketing preferences at any time by submitting your request via Citibank Online (www.citibank.co.th) with the following steps: Services > My Profile > My Message > Compose. For Citicorp Leasing customers, you can contact the call center at 0-2232-4224 during the operating hours.

9. How can you contact Citi?

If you have any inquiries in relation to your Personal Data, or you would like to exercise any of your Data Subject Rights, you may contact us at:

Citi
Interchange 21 Building, 399 Sukhumvit Road,
Klongtoey Nua Sub-district, Wattana District,
Bangkok, Thailand

Email Address: dpo.officethailand@citi.com

Remarks: The above email address is reserved for the contact related to the exercise of your Data Subject Rights only.

10. Changes to this Privacy Policy

Citi may amend, change, or update this Privacy Policy from time to time, whereby Citi will update the changes on Citi’s website. In the event that the amendment, change, or update will affect the purposes for which your Personal Data has originally been collected, Citi will notify you about such changes, and obtain your consent (if required by law), prior to such changes becoming effective.

This Privacy Policy shall take effect from June 1, 2022 onwards.