Important Links

From the 30th August 2019 Canada Square Operations are no longer able to accept any new PPI complaints or PPI Checker requests.

If you wish to contact us you can do so by writing to us at the below address:
Canada Square Operations Limited
P O Box 4903
Worthing
BN99 3AR

Our commitment to you

At Citi our aim is to ensure all of our customers have equal access to our services regardless of their personal circumstances. We are committed to providing customers with various options to help access and easily navigate our website. We offer a range of services for those who have disabilities including sight loss or visual impairment, difficulty with numbers or reading and difficulty with hearing or speech. You can find details of the services available at Help with this site section below.

3. Categories of Personal Information

The categories of Personal Data about you that we Process, subject to applicable law, are as follows:

  • Personal Identifiers: your name, gender; date of birth, marital status; Passport or National ID number; (tax identification number(s), nationality; images of passports; a sample of your signature; online authentication information (passwords, mother’s maiden name, challenge/response questions and answers, PINs, facial and voice recognition data); photographs; visual images; and personal appearance and behaviour.
  • Family details: names and contact details of family members and dependents or beneficiaries of trusts.
  • Business and personal contact details: address; telephone number; email address; and social media profile details.
  • Former employment: industry; role; business activities; names of current and former employers; work address; telephone number; work email address; and work-related social media profile details.
  • Financial details: billing address; bank account numbers; credit card numbers; cardholder or accountholder name and details; instruction records; transaction details; and counterparty details.


Sensitive Personal Data: We do not archive nor collect protected categories of data. Please note that if you are a US Person we will store your Social Security Number, Drivers License and Passport. In some US jurisdictions these documents are considered sensitive.

4. Why does Citi process your personal information?

Our UK Citi entities, branches, subsidiaries or affiliates, may process your personal information for the reasons set out below.

(a) Where the processing is necessary in relation to a surviving provision of a contract a Divested Business had with you
  1. To allow a continuing third party to whom your account or product was transferred, to access your personal and transactional data records, and
  2. To comply with instructions that we may receive from you through those third parties.
(b) Where we are required by applicable law
  1. To disclose information to governmental entities or regulatory authorities, courts or other parties, relating to past transactions or relating to a continuing transaction (such as a bond) intermediaries and counterparties.
  2. For compliance activities such as audit and reporting, assessing and managing risk, maintenance of accounting and tax records. or instructions from financial regulators, for the prevention and prosecution of fraud, anti-money laundering (AML) and other forms of crime, for debt recovery, prevention and measures relating to international sanctions and combating terrorism. This includes know-your-customer screening (such as identity, address and contact details); investigating historical allegations of bribery and impropriety which involves screening client records against internal and external databases to establish connections to politically exposed persons or ‘PEPs’);; and with any entity to maintain a trust. We may for these purposes process information from you. and/or your current or former spouse or partner, and other persons living in your household.
  3. For compliance with duties under tax legislation and similar laws, in respect of US persons, under the U.S. Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard.
  4. To retain telephone conversations and electronic communications with you that resulted in transactions, and to keep samples of your signature likeness and handwriting.
  5. To process any historical claims in relation to the United Kingdom PPI (Payment Protection Insurance) class action.
(c) Where necessary for Citi or an identified third party’s legitimate interests (as listed here)
  1. To comply with fiduciary obligations with the bank or financial institution that is the continuing party of your account or product and to whom Citi owes a duty.
  2. To analyse the former use of Citi services, for risk assessment and control, for statistical and trend analysis, for compliance with IT policies and system administration, operation, testing and support, and to operate information storage systems, minimising and aggregating your information as necessary to achieve this objective.
  3. To help detect, investigate and prosecute fraud and other criminal activity, and share this data with Divested Entities (and to the extent permitted by law with other financial entities) and to assess past and current suspicious transactions and financial activities.
  4. To manage our information technology and to ensure the security of our and third party storage systems.
  5. To disclose information to and comply with instructions of third country governmental, tax or regulatory bodies, and financial markets, brokers or other intermediaries, counterparty, court, auditors or other third parties and to conduct compliance activities, in our, or someone else's interests, in connection with any transaction or instruction anywhere in the world (and specifically outside the territories in 1.1) and to make such disclosures (even to the detriment of the client or its beneficiaries) to prudential regulators in respect of US persons, including under the Foreign Account Tax Compliance Act and the Common Reporting Standard.
  6. To make applications for protective orders or directions to courts supervising Citi as Trustee or to establish, exercise or defend legal claims and in order to protect and enforce Citi’s rights, property, or safety, or to assist our clients or others to do this.
  7. To investigate and respond to past complaints about us or our business, or any incidents relating to us or our business (including the Payment Protection Insurance (PPI) class action in the United Kingdom) and to help maintain service quality and train staff, to deal with complaints and disputes.
(d) Where you consent and instruct us to perform certain operations
  1. Under your direction, to establish a relationship with a financial institution other than Citi, in which we may release all necessary historical personal data and execute all secrecy waivers and consents for disclosure and data processing required by that other financial institution.
  2. Prior to making a distribution of funds from the issuer of a closed (but still active) investment, Citi may require that an interest holder provide authorisation and consent.
  3. For the executing repayments of historical debts into your accounts.

You can withdraw or revoke consents in this section at any time. However, if we need your consent to process to carry out an operation, we will not be able to perform that operation or provide certain services and we will cease using your data for that purpose, but may continue to process your data for other purposes under lawful grounds such as where we are legally required to keep records of transactions. Withdrawing or revoking your consent will not affect any processing of your information in relation to any operation that has already taken place.

5. Where does Citi obtain information about you?

We safeguard and store information that you provided us directly, and information we learnt about you from our communications and dealings with you. We may have also obtained information about you from others, as set out below.

(a) Our clients The individual, corporate or institutional client you were associated with (if relevant) in the UK, EU/EEA or outside the EU/EEA. We will have collected your name, company, title and job description and contact details such as email address and telephone number or business address.
(b) Public sources Sources both inside and outside the UK and EU/EEA, such as credit reference agencies, fraud prevention agencies, professional background checking entities, international sanctions lists, and publicly available databases or data sources. The information we obtain from credit reference agencies will have included public information such as county court judgments and information from the electoral register. Data we obtain may be shared with Citi Companies and include your name, gender (including any former gender), company, title and job description and contact details such as email address, telephone number and business address, details about your personal or business interests or activities.
(c) Other sources Any research agencies that may have carried out research on our behalf both inside the UK and the EU/EEA and outside these territories .
6. Data Collected under Consent and consequences of not providing it

We do not collect historical information under the legal basis of consent. Please refer to the table in Section 3 for the consequences of not providing consent where it is needed for processing.

7. To whom does Citi disclose your personal information?

We disclose your personal information, as applicable:

  1. to the bank or financial institution that acquired the divested consumer finance business portfolio and, subject to legal restrictions, to in-country Citi affiliates, for the purpose of winding down a business line and other purposes identified in this Privacy Statement;
  2. in case of threatened or filed litigation, to our counsel and external advisors;
  3. in case of substantial business risks and as permitted by applicable law, to our parent and group companies, who may process and exchange personal data with the responsible Citigroup chief trust officer, senior risk officer, compliance officer, tax officer, anti-money laundering officer, fraud officer, audit officer, data protection officer, control officer, Citi leadership team, and Citi managers;
  4. at the request of any financial institution, payment infrastructure provider, custodian, sub-custodian, fund houses, fund administrators or issuers of securities, in relation to any maturing payment or repayment of a closed (but still active) trust, loan or investment;
  5. as required in order to establish, exercise or defend or to protect legal proceedings, including in relation to contracts with our clients and in order to protect the rights, property, or safety of us, our business, any Citi entities, our clients or others including to legal, tax or other professional advisors, government and law enforcement authorities, and with other parties involved in, or contemplating, legal proceedings;
  6. with authorities in any jurisdiction including any government, judicial, or regulatory body of which your Data Controller entity is subject to, in the following cases: (i) if false or inaccurate information was gathered, in case of a criminal or money laundering investigation, (ii) for or in connection with an examination of us by our parent bank or other examiners; (iii) pursuant to subpoena or other legal process; (iv) at the express direction of any other authorised government agency; (v) to our internal or external attorneys or auditors; (vi) to others to whom the Data Controllers are required to make such disclosure by applicable law, including attorneys nominated to represent you under a Lasting Power of Attorney or by the Court of Protection under the Mental Capacity Act 2005.
  7. we will also disclose your information:
    1. Without divulging or giving access to your banking or transaction details, to our sub-contractors who we have engaged for storage of your information under strict confidentiality undertakings;
    2. to any bank, financial institution, law firm or company that processes claims (including class actions) on your behalf, whether contractual or not, arising out of a closed relationship, and to the Credit Management Companies you have given authority to; and
    3. to third parties providing data services to us, in respect of any claims or queries arising out of, or in relation with, any agreement that existed between you and us, including specifically our processors (a) Equiniti (in the UK) and (b) Tata Consulting Services (TCS) in Singapore and other countries.
    Where we transfer data for storage, or grant access for processing to entities outside the UK or the EU/EEA, in countries that have not attained a formal Adequacy decision by the European Commission, or the UK government we put in place standard contractual clauses (SCCs) as set out in the European Commission Implementing Decision (EU)2021/914 with UK Addendum, or rely on other valid data transfer mechanisms. We also conduct data transfer impact assessments and set up specific measures to cover any gaps the impact assessment may highlight.
8. Where does Citi store your personal information?

We archive your personal and financial data within our European IT network, or when authorised by local regulators, within secured IT virtual servers or private cloud networks and deep archive solutions subcontracted by Citi for electronic and paper records. Please note that only us, and the bank or financial institution that acquired our consumer finance business, and our and their financial and prudential regulators, have legal right to access and audit your personal or financial data.

Due to the nature of electronic communications, data processors store transient copies that are subsequently deleted after the customer data is processed, and there is no mandate to retain it under applicable law.

9. Duration of Processing: For how long does Citi store your personal information?

Personal data processed in connection with a divested consumer finance business is stored during the term in which that account or product (and any transaction under it) remained open or ‘active’. This is followed by a retention period, the length of which is reasonably determined by Citi, taking into account the statute of limitations (the Limitations Act 1980) which establishes timescales for civil liability after contract termination. In most cases, your information is deleted after 7 years from the closure of your account or product at Citi. In document that were witnessed or executed as Deeds, that term is between 10 and 12 years. We will retain voice recordings or electronic communications for shorter periods (instructions for 5 years and transient records are deleted at the end of each calendar year). We dispose of our records, and any personal data that is contained in them, at the end of their corresponding retention period. We may hold on to contractual and personal data if under applicable law, financial or data regulators or a court of law instruct us to save certain data during ongoing investigations or during litigation.

10. What automated decision-making does Citi carry out?

There is no automated decision-making or profiling that can result in legal, or other substantially similar effects, that is undertaken by Citi in connection with retained data from divested consumer business operations.

11. What are your rights in relation to personal information?

11.1 You can ask us to: (a) provide a copy of your personal information; (b) correct errors or mistakes in your personal information; (c) erase your personal information after the statutory limitation period has expired (if we have not already disposed of your data); (d) transfer your personal information to other organisations; and (e) restrict processing of your personal information. These rights are limited by law, in particular as this privacy notice relates to the processing of historical data stored in ‘vaults’, certain rights relating deletion or transfer to a designated person may be impossible or involve a disproportionate effort. Citi does not use or share any data relating to divested consumer finance businesses for marketing purposes.

11.2 If you wish to exercise your data rights, or if you have any queries about your personal information, please contact Canada Square Operations Limited using the contact details provided in Section 2.1 of this Privacy Statement. If you have any unresolved concerns, you can reach out to our UK Data Protection Office. You also have the right to complain to the Information Commissioner’s Office and/or the Jersey Office of the Information Commissioner, as detailed in Section 2.

12. Cookies and Online Identifiers

For information on Cookies and Online Identifiers, including Mobile App trackers please refer to the Cookies section on Citi websites.

13. Changes to this Privacy Statement

If we modify this Privacy Statement at any time we will place the modified versions on this website. We encourage you to regularly review this Privacy Statement to ensure that you are always aware of what personal information we collect and how we use, store and disclose.