EEA, Switzerland and UK Privacy
PRIVACY NOTICE FOR DATA SUBJECTS IN THE EEA, SWITZERLAND AND UK
Effective Date: September, 2023
Your privacy is important to us. This privacy notice (“Privacy Notice”) applies to every person from the EEA, Switzerland and the UK:
- who visits or registers with https://www.citadel.com/ or any other of our websites where this policy is posted (each a “Site”);
- who uses the products and services that we make available from the Site or who engages with us to use the services that Citadel provides, as described on the Site (our “Services”);
- whose personal data we may process as a result of providing the Services to others;
- who contacts Citadel either in relation to the Site or the Services; or
- who applies to work at Citadel.
1. PURPOSES OF THIS NOTICE
This Privacy Notice explains to data subjects in the EEA, Switzerland and the UK the type of personal data that Citadel Enterprise Americas LLC, Citadel Securities Americas LLC, Citadel Americas LLC and their affiliates (“Citadel”, “we”, or “us”) might collect from you, or which we have obtained about you from a third party, the purposes for which we process your personal data and your rights in respect of our processing of your personal data.
Please note that when using the Site it should be read in conjunction with our Website Terms of Use.
Please also note that this Privacy Notice only applies to the use of your personal data obtained by us, it does not apply to your personal data collected during your communications with third parties.
2. WHO ARE WE AND WHAT DO WE DO?
We are the data controllers responsible for your personal data processed via the Site.
Please note that depending on which Citadel entity you contract with in relation to the Services, or to which Citadel entity you apply for a job, other Citadel group companies or companies managed by Citadel (the “Citadel Group”) may also be data controllers responsible for your personal data processed in relation to the Services.
3. PERSONAL DATA COLLECTION
Our primary goal in collecting personal data from you may be: (i) to verify your identity; (ii) to help us deliver the Services; (iii) to develop new products or Services and conduct analysis to enhance current products and Services; (iv) to review the usage and operations of the Site (and related Citadel digital channels, including Citadel social media channels) and to improve its content; (v) to provide you with customised Site content and Site experience (including on related Citadel digital channels, including Citadel social media channels); (vi) to carry out requests made by you on the Site or in relation to Services; (vii) to investigate or settle inquiries or disputes; (vi) to comply with any applicable law, court order, other judicial process, or the requirements of any relevant regulator; (vii) to enforce our agreements with you; (viii) to protect our rights, property or safety or third parties, including our other clients and users of the Site or Services; (ix) to provide support for the provision of Services; (x) for recruitment, talent management, brand building, company communications, employment and academic trading program administration purposes; and (xi) to use as otherwise required or permitted by law.
To undertake these goals we may process the following personal data:
- Visitors to the Site.
- Contact information, including your name, job title, address, email address, telephone, or mobile number.
- Your interaction with the Site.
- IP address.
- Your geolocation to ensure the correct notices (for instance cookie notices) are shown to you and to personalise the services we provide to you.
- Demographic information such as postcode, preferences and interests (including demographic information provided by third parties which may include amongst other things: location, hardware details for trouble shooting, search engine, social media interactions, interests and/or preferences).
- Other information relevant to provision of Services.
- Any other personal data you provide to us (including but not limited to, specifically for Alpha League platform visitors any information you provide in relation to investment ideas submitted through the Alpha League platform).
- Individual clients or investors to whom we provide or propose to provide Services.
- Contact information, including your name, job title, address, email address, telephone, or mobile number wire transfer instructions.
- Citadel account number.
- Other information relevant to provision of Services.
- Information that you provide to us as part of our providing the Services to you which depends on the nature of your agreement with Citadel.
- Relevant information as required by any regulatory Know Your Client and or Anti Money Laundering regulations (or similar) applicable to Citadel. This may possibly include evidence of source of funds, at the outset of and possibly from time to time throughout our relationship with clients, investors, shareholders and intermediaries, which we may request and/or obtain from third party sources. The sources for such verification may comprise documentation which we request from the prospective client or through the use of online sources or both.
- Voice recordings where we are required to record telephone calls with you for financial regulatory purposes or other proportionate purposes (e.g. to establish the existence of facts relevant to Citadel’s business; to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to Citadel’s business; to ascertain or demonstrate standards that are or ought to be achieved by persons using the system; to prevent or detect crime or to investigate or detect the unauthorised use of the communications system or ensure the effective operation of the system.)
- Marketing and service communications preferences.
- Any other personal data you provide to us.
- Individuals whose personal information may be processed by us as a result of providing the Services to others (including corporate clients, investors or intermediaries).
Primarily Citadel is engaged by corporate clients, investors or intermediaries (i.e. other corporate entities) and as such those clients, investors or intermediaries are not data subjects (except with respect to Switzerland as under Swiss data protection law, not only individuals but also legal entities may be data subjects). However as part of such instructions personal data about other persons may be provided to us, e.g. personal data relating, without limitation, to any workers, employees, partners, members, directors, representatives or similar of our corporate clients, investors or intermediaries or prospective clients, investors or intermediaries).
The following is a non-exhaustive list which is reflective of the varied nature of the personal data processed as part of our business.
For instance, if we are providing Services to a corporate client, investor or intermediary we may be provided with, and then process, personal data about their representatives including but not limited to the representative’s name and contact details and any other information necessary to fulfil the Services (e.g. including, without limitation, any regulatory Know Your Client and/or Anti Money Laundering regulations (or similar) information).
In using the Alpha League platform, we may process personal data provided by such representatives in relation to the User Investment Profile section of the platform.
We might also need to process personal data in relation to a corporate client’s, investor’s or shareholder’s workers who use a Service in the course of their work for such corporate entity.
We may also need to process voice recordings where we are required to record telephone calls for financial regulatory purposes or other proportionate purposes (e.g. to establish the existence of facts relevant to Citadel’s business; to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to Citadel’s business; to ascertain or demonstrate standards that are or ought to be achieved by persons using the system; to prevent or detect crime or to investigate or detect the unauthorised use of the communications system or ensure the effective operation of the system.)
Please note that in this Privacy Notice, when we reference the processing of personal data related to any corporate clients, investors, or intermediaries, we also mean any of their personnel whose personal data may be processed by us in connection with our engagement and provision of the Services.
- Event attendees
- Name and job title.
- Information collected relating to your attendance at an event, including via a registration or feedback form.
- Industry information
- We collect and maintain databases containing industry information for research and statistical analysis for business investment purposes. As part of this, these databases contain information about data subjects in the corporate and investment space collected by us or by our trusted third-party service providers. Such information may include an individual’s name, business contact details, professional interests, and affiliations. These databases are made up of information that is publicly available, and any processing of personal data is wholly incidental to the main purpose of Citadel making investment decisions.
- Potential recruits to any Citadel office in the EEA, Switzerland or the UK.
- Name and job title.
- Contact information including email address.
- Curriculum vitae, your education, employment history and similar matters and similar information that you may provide to us.
- Other information relevant to potential recruitment to Citadel (including background checks, reference checks, immigration status, relevant test scores in relation to any application).
- Information relating to criminal convictions and offences (as relevant and permissible).
- Information about your communications and interactions with Citadel and our Site such as your visits to our Site (please also see the information we collect under Visitors to the Site which we also collect in relation to recruitment), email activity, and attendance at Citadel events.
- Information relevant to diversity and inclusion monitoring and related initiatives. Such information may include special categories of personal data (such as information about your religious beliefs, sexual orientation, etc.) (as permissible).
- Any other information you give to us as part of the application process or that you give to us generally.
- Please note that Citadel may also receive information from third party recruiters, agents and from your references as part of any recruitment process. Such information may also include special categories of personal data (such as information about your health, any medical conditions, your racial or ethnic origin, etc.).
- We also collect information relating to potential recruits from third party recruitment agencies, third party professional networking sites (such as LinkedIn) and from individual potential recruits directly during Citadel recruiting events.
- Suppliers (including trading counterparties, subcontractors and individuals associated with our suppliers and subcontractors).
We collect and process personal data about our suppliers (including trading counterparties) and their representatives in order to manage the relationship, contract, to receive services from our suppliers and, where relevant, to provide the Services to our clients.
We may also need to process voice recordings where we are required to record telephone calls for financial regulatory purposes or other proportionate purposes (e.g. to establish the existence of facts relevant to the business; to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the business; to ascertain or demonstrate standards that are or ought to be achieved by persons using the system; to prevent or detect crime or to investigate or detect the unauthorised use of the communications system or ensure the effective operation of the system).
- Visitors to any Citadel office in the EEA, Switzerland or the UK.
If you attend one of our physical offices or other locations, we may process personal data that you volunteer in connection with your visit and any enquiries you make. For example, you may provide personal data when signing in as a guest. CCTV footage may also be collected for security purposes.
For the purposes of using entrance kiosks that rely on facial recognition technology to permit you access to our premises, we may process your government issued ID card, a RFID card that sets out your access rights (for regular visitors), and biometric data in the form of facial scans to ensure that your face matches that on the government issued ID / RFID card and that access is being granted to the correct individual.
- Applicants and participants in one of our academic trading programs
- Contact information, including your name, address, email address, telephone, or mobile number.
- Employment status and history, directorship status and history, elected official history, current confidentiality and non-disclosure contractual obligations owed to third parties, current or historic membership of scientific advisory boards or possession of non-public material relevant to investment decision making.
- Details of your history of any criminal convictions, direct or indirect violations of law relating to securities, future contracts or regulated entities, or orders of any regulatory authority barring or suspending your right to be associated with a regulated entity (as permissible).
- Any other personal data you provide to us, which may include special categories of personal data (e.g. any medical conditions).
4. PERSONAL INFORMATION USE
We may use your personal data for the following purposes:
- Fulfilment of Services.
We collect and maintain personal data that you voluntarily submit to us during your use of the Site and/or our Services to enable us to perform the Services that we provide to you. Please note also that the terms of the relevant contract will also apply when we provide Services.
These purposes include:
-
- to ensure any investor is aware of the performance of their investment;
- to make necessary regulatory communications with clients, investors or intermediaries;
- general client, investor, or intermediary management to ensure Services are provided correctly; and
- relationship management between Citadel and any client, investor, shareholder or intermediary.What is our legal basis?
It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you or where it is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that we provide the Services in the best way that we can.
- Business management, administration and legal and regulatory compliance.
- We use your personal data for the following business management, administration and legal and regulatory compliance purposes:
- to manage and administer Citadel’s business;
- to manage and administer any investment funds that we manage and in which you may be an investor (please note further information will be provided in the relevant Confidential Offering Memorandum);
- to comply with our applicable legal and regulatory obligations, including but not limited to Know Your Client, Anti-Money Laundering or Anti-Bribery or similar obligations);
- to enforce our legal rights;
- to maintain regulatory records of our business activities including telephone voice recordings (where required by financial regulations);
- telephone call recording for the following proportionate purposes – to establish the existence of facts relevant to Citadel’s business; to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to Citadel’s business; to ascertain or demonstrate standards that are or ought to be achieved by persons using the system; to prevent or detect crime or to investigate or detect the unauthorised use of the communications system or ensure the effective operation of the system;
- to make any necessary corporate filings;
- protect rights of third parties;
- to administer any academic trading program; and
- in connection with a business transition such as a merger, acquisition by another company, or sale of all or a portion of our assets.
What is our legal basis?
Where we use your personal data in connection with a business transition, to enforce our legal rights, or to protect the rights of third parties it is in our or a third party’s legitimate interest to do so. For all other purposes described in this section, it is our legal obligation to use your personal data to comply with any legal obligations imposed upon us.
- Recruitment, Talent Management and Brand Awareness.
We use your personal data for the following recruitment, talent management and brand awareness purposes:
-
- to build the Citadel brand and to raise awareness of Citadel’s service offerings in the recruitment market (except with respect to Swiss employees);
- to assess your suitability for any position for which you may apply at Citadel (or future positions for which we think you may be suitable) including employment or freelancer positions, member level positions, summer placements or internships, academic trading program positions, and also any business support or services role whether such application has been received by us online, via email or by hard copy or in person application;
- to take any steps necessary to enter into any contract of employment (or otherwise) with you;
- to comply with any regulatory or legal obligations in relation to any such application;
- to review Citadel’s equal opportunity profile in accordance with applicable legislation. Citadel does not discriminate on the grounds of gender, race, ethnic origin, age, religion, sexual orientation, disability or any other basis covered by local legislation;
- to maintain relationships and communicate with potential future recruits such as students, new graduates, survey respondents and attendees at our recruitment events; and
- to maintain relationships with our alumni (with respect to Swiss employees only to the extent former employees separately agree upon termination of the employment relationship that Citadel maintains respective personal data).
What is our legal basis?
Where we use your personal data in connection with recruitment, talent management and brand awareness, it will be in connection with us taking steps at your request to enter a contract we may have with you or it is in our legitimate interest to use personal data in such a way to ensure that we can make the best recruitment, brand awareness and talent management decisions for Citadel or it is our legal obligation to use your personal data to comply with any legal obligations imposed upon us. We will not process any special data except where we are able to do so under applicable legislation or with your explicit consent, or if relating to diversity and inclusion personal data, if such processing is in the substantial public interest (and permissible under local laws). Any personal data we process relating to criminal convictions and offences will be to comply with our legal obligation as a part of financial regulatory compliance and for the prevention of crime (financial or otherwise).
- If we have engaged you or the organisation you represent to provide us with products or services
If we have engaged you or the organisation you represent to provide us with products or services (for example, if you or the organisation you represent provide us with services such as IT support or financial advice), we will collect and process your personal data in order to manage our relationship with you or the organisation you represent, to receive products and services from you or the organisation you represent and, where relevant, to provide our Services to others.
What is our legal basis?
It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you or the organisation you represent, or it is in our legitimate interest to use personal data in such a way to ensure that we have an effective working relationship with you or the organisation you represent and are able to receive the products and services that you or your organisation provides, and, where relevant, to provide our Services to others, in an effective way.
- Physical and health security
We have security measures in place at our offices, including CCTV and building access controls. There are signs in our office showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation (such as a theft). We require visitors to our offices to sign in at reception and keep a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need to know basis (e.g. to look into an incident).
Facial recognition technology may also be used to ensure that only those with the right to access our premises do so.
In relation to pandemic prevention measures, limited health data (e.g. temperature testing or questions about travel) may be processed.
What is our legal basis?
It is in our legitimate interests to process your personal data so that we can keep our premises secure and provide a safe environment for our personnel and visitors to our premises.
Facial recognition technology is used in conjunction with Citadel’s entrance kiosks. Should you not wish to enter through a kiosk, you can let a member of staff know and they will provide an alternative that does not rely on such processing. When using a kiosk, you provide your explicit consent for such processing.
Any processing in relation to pandemic prevention measures will only be undertaken in line with relevant government guidance and where there is a clear lawful basis to process such data (e.g. legitimate interests, legal obligations and public interest).
- Insight and Analysis.
- Use of Site and Services
We analyse your contact details with other personal data that we observe about you from your interactions with our Site and/or with our Services.
Where you have given your consent (where required by applicable laws) we and our third parties use cookies, log files and other technologies to collect personal data from the computer hardware and software you use to access the Site, or from your mobile and any emails that you receive from us. This includes the following:
- a session ID to track usage statistics on our Site;
- an IP address to monitor your usage of the Site; and
- information regarding your personal or professional interests, demographics, buying habits, experiences with our products and contact preferences.
Our web pages contain “cookies” “web beacons” or “pixel tags” (all referred to in this Privacy Notice as “cookies”). Cookies allow us to track you, to count users that have visited a web page or opened an e-mail and collect other types of aggregate information (see below for more information under Our use of Cookies and Similar Technologies for more information). We may also use third party cookies and other similar technologies to collect information about your online activity over time and across third party websites.
Please see the “Our use of cookies and similar technologies” section for further information.
By using this information, we are able to measure the effectiveness of our content, digital channels, and branding efforts, count users who have visited our Site or opened an email and collect other types of information, including insights about how visitors use our Site.
This allows us to learn what pages of our Site are most attractive to our visitors, the effectiveness of our emails, which parts of our Site are the most interesting and what kind of information our registered users like to see. The information is also used to create profiles and insights about your demographic. We also use this information to improve the content on our Site and in our marketing efforts- both online and offline. This information also helps us with the selection of future service lines, web design and to remember your preferences.
We also use this information for marketing purposes (see the “Marketing communications” section below for further details), and for recruitment and talent management purposes (see the “Recruitment, Talent Management and Brand Awareness” section above for further details). We may share this information with third parties for these purposes (see the “Personal Information Sharing” section below for further details).
In some of our email messages, we use a “click-through URL” linked to certain websites administered by us or on our behalf. We may track click-through data to assist in determining interest in particular topics and measure the effectiveness of these communications.
What is our legal basis?
Where your data is collected through the use of non-essential cookies, we rely on consent to collect your data. Please see Manage My Preferences for further details about the cookies that we use, and to update your preferences.
However, we may rely on other legal basis when we use your personal data that has been collected via the use of cookies. Where we use this personal data to analyse how you use our Sites and Services, it is in our legitimate interest to use your personal data in such a way to improve our Site and our Services.
Where we use this personal data for the purposes described in the “Marketing communications” section of this Privacy Notice, please see this section for details of the legal basis that we rely on.
Where your personal data is anonymised, we do not require a legal basis to use it as the personal data will no longer constitute personal data that is regulated under data protection laws. However, our collection and use of such anonymised information may be subject to other laws where your consent is required. Please see the “Our use of cookies and similar technologies” section for further details.
- Industry Information
We collect and maintain such databases to be primarily used for research and statistical analysis for business investment purposes, and to gain further global insights.
What is our legal basis?
It is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that we provide the Services in the best way that we can. Further, as part of our legitimate interests assessment, we rely on the fact that the personal data has been manifestly made public by individuals to process their personal data.
- Marketing communications. We carry out the following marketing activities using your personal data:
- Email marketing.
We use information that we observe about you from your interactions with our Site, our email communications to you, our interactions with you on our other digital channels such as social media and/or with Services (see the “Insight and Analysis” section above for more details of the information collected and how it is collected) and/or your address details, to provide information that we think will be of interest about us, our Services and where relevant our recruitment practice. For example, industry updates and insights, newsletters, invites to events and, where permitted by applicable law, promotional materials from Citadel (including in relation to recruitment).
What is our legal basis?
We will only send you marketing communications via email where you have consented to receive such marketing communications, or where it is otherwise within our legitimate interests to do so. You have the right to opt-out of email marketing communications at any time.
- Social media remarketing.
We share your email address (usually in an encrypted or ‘hashed’ form) with third-party providers of social media platforms and other services, such as LinkedIn and other similar platforms (“Social Platforms”), so that the third party providers can try to “match” your data with the data of their registered users of their Social Platforms.
Where there is a successful match, we will display our advertising to you when you use the relevant Social Platform (e.g. on your LinkedIn newsfeed). We may do this through LinkedIn Custom Audiences. This is known as “custom audience” advertising, because we “customise” the audience that we want to reach on the relevant service.
Please note that such activity is also subject to the privacy choices you have elected to make on such Social Platforms.
What is our legal basis?
Where we use your personal data to provide you with personalised advertising on Social Platforms, we rely on the consent that you have provided in respect of the collection of such data, or it is otherwise in our legitimate interests to promote our Site and our Services to you when you use those Social Platforms (including in relation to recruitment).
- Your feedback about our Services.
From time to time we will contact you to invite you to provide feedback about our Services. We use this information to help us improve the quality of service provided by our staff. We also use your feedback to monitor the quality of our Services.
What is our legal basis?
It is in our legitimate business interests to use the information you provide to us in your feedback for the purposes described above.
- Hosting and managing events
From time to time, we may organise and host events for the purpose of promoting our business or for charitable causes or other reasons. We may process your personal data to communicate with you about such events where you have specifically requested information about such events or where we have another lawful basis for sending that information to you.
If you attend one of our events, we may process your personal data to record your attendance at the event and for related record-keeping purposes and, if relevant, we may collect and process any dietary requirements you may have. You may also feature in photographs taken at our events and such photographs may appear in publications that we make available.
What is our legal basis?
It is necessary for us to use your personal data in this way to perform our obligations in accordance with any contract that we may have with you where you have signed up to attend an event, or it is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that the event is operated in an effective way.
We may specifically ask your permission to use your photographs, quotes, testimonials, or other content that you make available or publish at the event. Where this is the case, our processing of your such personal data will be based on consent.
5. IF YOU FAIL TO PROVIDE YOUR PERSONAL DATA
Where we are required by law to collect your personal data, or we need to collect your personal data under the terms of a contract we have with you, and you fail to provide that personal data when we request it, we may not be able to perform the contract we have or are trying to enter into with you. This may apply where you do not provide the personal data we need in order to provide the Services you have requested from us or to process an application to register an account. In these circumstances, we may have to cancel your application or the provision of the relevant Services to you, in which case we will notify you.
6. HOW DO WE OBTAIN YOUR CONSENT?
Where our use of your personal data requires your consent, you can provide such consent:
- at the time we collect your personal data following any instructions provided; or
- by informing us by e-mail, post or phone using the contact details set out in this Privacy Notice.
7. OUR USE OF COOKIES AND SIMILAR TECHNOLOGIES
The Site uses certain essential, functional, marketing and analytics cookies, pixels, beacons, log files and other technologies to allow the Site to function (all referred to as “cookies”).
There are various ways that you can manage your cookie preferences, but please be aware that in order to use some parts of our Site you will need to allow certain essential or functional cookies. If you block or subsequently delete those cookies, some aspects of our Site may not work properly, and you may not be able to access all or part of our Site.
For more information about our use of cookies, please see the “Insight and Analysis” and “Marketing communications” sections of this Privacy Notice.
For further information about types of cookies used and to customise your cookie preferences please visit Manage My Preferences.
For more information on cookie management and blocking or deleting cookies for a wide variety of browsers, visit www.allaboutcookies.org.
8. PERSONAL INFORMATION SHARING
We will only share personal data with others when we are legally permitted to do so. When we share personal data with others, we use reasonable efforts to put contractual arrangements and security mechanisms in place to protect the personal data and to comply with our data protection, confidentiality and security standards.
Please note that when processing your personal data we may need to share it with other third parties as follows:
- Our affiliated companies and licensees using the Citadel or other Citadel affiliate name, including subsidiaries of such companies. For details of our office locations, please click here. We may share personal data with other Citadel Group entities where necessary for administrative purposes and to provide Services to our clients, investors and intermediaries.
- Third party service providers that provide applications/functionality, data processing or IT services to us. We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud based software as a service providers, identity management, website hosting and management, data analysis, data back-up, security, recruitment portals, advertising and marketing and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world and personal data may be stored in any one of them.
- Third party service providers that otherwise assist us in providing Services or information (including but without limitation any Administrator of an investment fund managed by Citadel).
- Third party organisations that assist us with our marketing activities listed above, such as survey providers and similar.
- Third party organisations, such as Google Analytics, Lucky Orange and LinkedIn who assist us with our insight and analytics activities listed above.
- Third party organisations that assist with our recruitment activities listed above, such as SalesForce and third-party providers that undertake background checks on our behalf and other entities within the Citadel Group.
- Third-party service providers that are assisting us with the operation and administration of our events. If we are running an event in partnership with other organisations, we will share your personal data with such organisations for use in relation to the event.
- Auditors, lawyers, accountants and other professional advisers.
- Law enforcement or other government and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation.
Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
9. EXTRA-EEA, EXTRA-SWITZERLAND AND EXTRA-UK TRANSFERS
Please note that, due to the international operations of Citadel, where necessary to deliver the Services (as set out in this Privacy Notice) we will transfer personal data to countries outside the EEA, Switzerland and the UK (including to Citadel’s US affiliates) and such personal data may be stored on servers located outside the EEA, Switzerland and the UK; in principle, in any country in the world. Citadel – and many third-party service providers that Citadel works with – are based in the US, but Citadel also has material operations in the UK and the EEA. As such, your personal data will be transferred (both to other companies within the Citadel Group as well as to third party service providers) to the US, the UK, and the EEA as required to deliver the Services. However, your personal data may also be shared with other companies within the Citadel Group or third-party service providers outside of the EEA, Switzerland, and/or the UK, on a less frequent basis, where necessary to deliver the Services.
When transferring your personal data outside of the UK, the EEA, and/or Switzerland, we will use reasonable efforts to comply with applicable legal and regulatory obligations in relation to the personal data, including but without limitation having a lawful basis for transferring personal data where required and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. Unless we can rely on a derogation under Art. 49 GDPR or equivalent provision under applicable law (e.g., if the transfer is necessary for the performance of a contract, in the case of legal proceedings abroad, or if you have consented to the transfer in question), we will, where required by applicable law, implement at least one of the safeguards set out below. Please contact us if you would like further information on the specific mechanisms used by us when transferring your personal data outside the UK, the EEA, and/or Switzerland.
Adequacy decisions | We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data, or have a system of certification pursuant to which transfers of personal data to participating organisations are deemed adequate, by the European Commission, the Swiss Federal Council, and/or the UK Government (as applicable). Such systems of certification may include the EU-US Data Privacy Framework adopted pursuant to European Commission Implementing Decision of 10 July 2023, the UK Extension to the EU-US Data Privacy Framework adopted pursuant to The Data Protection (Adequacy) (United States of America) Regulations 2023, and any analogous frameworks or certification schemes adopted by the applicable governmental or regulatory body under applicable law. |
Model clauses | Where we transfer your personal data to certain service providers or entities within the Citadel Group, we may use specific standard contractual clauses approved by the European Commission (as adapted to also satisfy Swiss law requirements) and/or the UK Government which give personal data the same protection it has in Europe, Switzerland, and/or the UK (as applicable). |
10. HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
Regarding visitors to the Site, we will retain relevant personal data for at least six years from the date of our last interaction with you and in compliance with our obligations under the EU General Data Protection Regulation, the Swiss Federal Data Protection Act, the UK GDPR and the UK Data Protection Act 2018, the Irish Data Protection Act 2018 or similar legislation around the world (or for longer as we are required to do so according to our regulatory obligations or professional indemnity obligations).
Regarding personal data we have processed as part of providing you with the Services, we will retain relevant personal data for at least six years from the date of our last interaction with you and in compliance with our obligations under the EU General Data Protection Regulation, the Swiss Federal Data Protection Act, the UK GDPR and the UK Data Protection Act 2018, the Irish Data Protection Act 2018 or similar legislation around the world (or for longer as we are required to do so according to our regulatory obligations or professional indemnity obligations). We may then destroy such files without further notice or liability. If you request your files and documents we may charge you for the costs of copying a duplicate.
Regarding personal data we have processed in relation to any recruitment activity, if you are unsuccessful in your application your personal data will be kept for a period after informing you that you were unsuccessful. If you are successful any retention protocols that apply to staff members at Citadel will apply. In considering how long to keep your personal data, its relevance to Citadel’s business and your potential employment either as a record or in the event of a legal claim will be taken into account.
If personal data is only useful for a short period, e.g. for specific marketing campaigns or CCTV footage, we may delete it after such retention period.
11. PERSONAL DATA SECURITY
We take the security of all the personal data we hold very seriously. We use reasonable efforts to adhere to internationally recognised security standards. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the personal data we hold secure.
12. YOUR RIGHTS AND ACCESS TO PERSONAL DATA
You have the following rights in relation to the personal data we hold about you:
- Right of access.
If you ask us, we will confirm whether we are processing your personal data and, if necessary, provide you with a copy of that personal data (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification.
If the personal data we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If you are entitled to rectification and if we have shared your personal data with others, we will let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
- Right to erasure.
You can ask us to delete or remove your personal data in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal data with others, we will let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
- Right to restrict processing.
You can ask us to ‘block’ or suppress the processing of your personal data in certain circumstances such as where you contest the accuracy of that personal data or you object to us. If you are entitled to restriction and if we have shared your personal data with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
- Right to data portability.
You have the right, in certain circumstances, to obtain personal data you have provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
- Right to object.
You can ask us to stop processing your personal data, and we will do so, if we are:
- relying on our own or someone else’s legitimate interests to process your personal data, except if we can demonstrate compelling legal grounds for the processing; or
- processing your personal data for direct marketing.
- Rights in relation to automated decision-making and profiling.
You have the right not to be subject to a decision when it is based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.
- Right to withdraw consent.
If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
- Right to provide instructions on the handling of your personal data after your death (France only).
You have the right to define guidelines as regards the retention, erasure and communication of your personal data after your death. Such guidelines may be general or specific, as set out in the French Data Protection Act.
- Right to lodge a complaint with the supervisory authority.
If you have a concern about any aspect of our privacy practices, including the way we have handled your personal data, you can report it to your local data protection regulators – for instance but without limitation those regulators in the EU, Switzerland and the UK in which Citadel has offices are as follows:
In the UK the data protection regulator is the Information Commissioner’s Office (ICO). You can contact the ICO using the following website https://www.ico.org.uk.
In Ireland the data protection regulator is the Data Protection Commissioner- Ireland (DPC). You can contact the DPC using the following website https://www.dataprotection.ie/docs/Making-a-Complaint-to-the-Data-Protection-Commissioner/r/18.htm.
In France the data protection regulator is the Commission nationale de l’informatique et des libertés (CNIL). You can contact the CNIL using the following website https://www.cnil.fr/.
In Sweden the data protection regulator is the Swedish Data Protection Authority (Datainspektionen). You can contact the Datainspektionen using the following website https://www.datainspektionen.se/other-lang/in-english/.
In Switzerland the data protection regulator is the Federal Data Protection and Information Commissioner (FDPIC). You can contact the FDPIC using the following website https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.
13. COLLECTION OF INFORMATION BY THIRD-PARTY SITES AND SPONSORS
The Site contains links to other sites whose information practices may be different than ours. Visitors should consult the other sites’ privacy notices as Citadel is not responsible for, and has no control over, information that is submitted to, or collected by, these third parties. You may also be giving information to Social Platforms such as LinkedIn who provide us with data which we in turn use to improve our marketing performance. Citadel has no control over the information collected by social media networks. You should review the relevant social media network privacy notice for further information about what information is being collected, the legal basis for such collection and your rights in relation to your personal data.
14. REVISIONS TO THIS PRIVACY NOTICE
We may make changes to this Privacy Notice from time to time.
To ensure that you are always aware of how we use your personal data we will update this Privacy Notice from time to time to reflect any changes to our use of your personal information. We may also make changes as required to comply with changes in applicable law or regulatory requirements. We encourage you to review this Privacy Notice periodically to be informed of how we use your personal data.
15. CONTACT US
If you have any questions about this Privacy Notice or want to exercise your rights set out in this Privacy Notice, please contact us by:
- sending an e-mail to [email protected]; or
- sending a written request to:
Citadel Enterprise Americas LLC
ATTN: Corporate Communications
Southeast Financial Center
200 S. Biscayne Blvd.
Miami, FL 33131