Swift and data

Privacy is a fundamental commitment at Swift, an essential component of our core services and integral to the Swift environment. We protect the data and privacy of our customers around the world. We operate our services to strict privacy and data protection standards and in compliance with EU data protection regulation, considered as the most stringent privacy legislation in the world.

We take our commitment to privacy extremely seriously and seek to deliver a very strong degree of privacy by ensuring that all data is protected by design in the Swift environment, as well as by ensuring our full compliance with all applicable privacy and data protection laws.

Privacy protections are embedded into the design and architecture of our systems and business practices at Swift. We operate according to two important principles: privacy by design, and data minimisation.

Swift’s approach to protecting data is proactive and preventative: we aim to anticipate and prevent events before they happen; we do not wait for privacy risks to materialise; and we trust, but verify.

Privacy protections at Swift are extended securely throughout the entire lifecycle of the data involved, from start to finish. This ensures that data is securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, we ensure cradle-to-grave, secure lifecycle management of data.

Over the years Swift has repeatedly improved transparency by enhancing its contractual documentation with respect to the processing of customers’ data (including personal data). In doing so, Swift has been assisted by a working group of data protection and compliance experts from Swift users around the world.

Swift policies, principles and practices

Swift has corporate policies and practices in place that are designed to ensure privacy and to protect all data in our possession, whether personal or not.

Swift operates according to its stated promises and objectives, as set out in its data policies. These policies are governed by the following key principles:

• Appropriateness:We regularly review our data policies and contractual documentation to ensure we explain clearly how we handle data, whether personal or not.
• Transparency:Our customer related data policies are made publicly available on our website and form an integral part of the contractual documentation for Swift’s messaging services.
• Privacy by design: Respect for privacy is paramount at every stage of the design, development and delivery of our products and services.

• Data minimisation: We collect the minimum amount of data needed to fulfil our messaging service obligations.
• Awareness:We provide awareness training to all employees to ensure they have a clear understanding of the importance of data privacy and how to ensure data is protected.

At Swift, use and protection of data is strictly controlled according to formal policies and audited processes. Our annual ISAE 3000 report on our SwiftNet and FIN messaging services, includes data protection controls and our Data Protection Officer regularly reviews these controls and makes appropriate modifications within the related policies as required.

Data Protection Officer

Swift has appointed a Data Protection Officer who ensures that Swift complies with all applicable data protection legislation and that Swift’s own privacy and data protection policies are up to date and fit for purpose.

Messaging Services

Swift messages and data flows are encrypted, and both logical and physical security measures are implemented and monitored for continued effectiveness. Encryption and customer-to-customer authentication prevent unauthorised access by, or malicious injection of data from, internal or external sources. We constantly monitor the Swift messaging services for suspicious activity.

Some of our messaging services require Swift to store message data for 124 days. This is to ensure that customers have the ability to retrieve their own data in the case of disasters, catastrophe, queries or disputes.

Message data is stored at our operating centres (OPCs). Our OPCs are highly secure, and access to them is strictly controlled. Our security measures are designed to prevent unauthorised physical and logical access, and include physical measures that protect premises as well as logical measures that prevent unauthorised access to data.

Swift maintains three OPCs in two different continental zones (EU and Trans-Atlantic) to ensure full site redundancy.

Customers located in countries inside the European Economic Area (EEA), Switzerland and other territories and dependencies considered to be part of the European Union or associated with EU countries, are assigned to the European Zone (OPCs based in the Netherlands and Switzerland) and their intra-zone message data must remain in the EU Zone.

Customers located in the United States and its territories are assigned to the Trans-Atlantic Zone (OPCs based in US and Switzerland) and their intra-zone message data must remain in the Trans-Atlantic Zone. Customers in all other countries are allocated either to the Trans-Atlantic or to the EU zone according with their preference, and in line with operational and technical criteria, such as load balancing. Messages exchanged between Swift customers in different zones are stored both in the Netherlands OPC and in the Virginia OPC, as well as in the Switzerland back-up OPC.

Data is held in two OPCs so that there is always a back-up in the case of disruption to an OPC.

Law enforcement requests

We do not share customers’ data (personal or not) with any third party unless we are authorised by our customers to do so or compelled to do so by law. We carefully review each demand we receive and, in the rare cases where we are legally compelled to provide customers’ data (which may include personal data), we respect any relevant agreements, protect our customers’ personal data to the largest extent possible, and inform our customers of our compliance with such enforceable requests unless this is prohibited by law. Transparency is important for Swift.

For example, as a consequence of the TFTP ("Terrorist Finance Tracking Program"), Swift is subject to legally binding requests to provide the U.S. Treasury Department (UST) with data located in its US operating centre, which is necessary for the purpose of the prevention, investigation, detection or prosecution of terrorism or terrorist financing. The TFTP programme is controlled and audited, constantly overseen, and periodically reviewed.

It is limited in scope, searches are targeted, and the data is protected. Controls and safeguards are in place to ensure that the subpoenaed data, which is limited in nature, is used strictly and only for counterterrorism purposes. The controls and safeguards ensure that data may only be retained for as long as necessary for counterterrorism purposes and that all data is maintained in a secure environment and properly handled.

Similarly and for the same purposes, Swift is subject to legally binding requests under the internationalEU-US TFTP Agreementto provide data located in its EU OPC to the US Treasury. Swift provides such data to the US Treasury after verification of each request by Europol. The EU-US TFTP Agreement upholds EU data protection principles and provides additional safeguards, ensuring that the EU data is adequately protected and used in accordance with the principles described above.

Data Policies

Swift’s commitments in terms of data protection compliance are set out in the following documents:

• Swift General Terms and Conditions:

Swift’s General Terms and Conditionsprovide the general framework of Swift’s contractual documentation and underpin other applicable documents, including Swift’s data policies.

• Swift Personal Data Protection Policy:

Personal data, whether collected by Swift, provided by its users, or contained within Swift messages, is protected by theSwift Personal Data Protection Policy. This policy sets out the roles and responsibilities of Swift and its customers with regard to the processing of personal data that either Swift collects for its own purposes or that Swift’s users collect as a result of their use of Swift’s messaging services. TheSwift Personal Data Protection Policyforms an integral part of the contractual arrangements between Swift and its customers for the provision of the Swift services and products.

• Swift Data Retrieval Policy:

TheSwift Data Retrieval Policycovers Swift’s policy for the retrieval, use and disclosure of traffic and message data. Swift traffic data is the technical routing and processing data of a message (such as the date and time the message was sent, details of the sending and receiving institution), but not the business content. Swift traffic data does not contain any information about, nor can it be used to identify, individuals. Message data refers to the business content of a message which can contain both personal and non-personal data, depending on the nature of the message content.

• Privacy statement:

Swift’sPrivacy StatementonSwift.comrefers to the protection of personal data collected on our websites for the purposes of recruitment, attendance at events or training courses, the provision of newsletters, and participation in surveys and through cookies and online questionnaires.

• General Data Protection Regulation:

Swift is GDPR-compliant since May 2018, and has consequently aligned its contractual provisions related to the use of the Swift messaging services by the Swift customer to the GDPR requirements.

快速的信息服务,比利时Privacy Commission concluded in December 2008 that Swift processes the Swift customers’ message data in its capacity of ‘De Facto Delegate by default’ of the Swift community. This role of Swift as De facto Delegate was re-confirmed in the Privacy Commission’s official opinion of May 2016 on Swift’s Ad Hoc Clauses (implemented in order to replace Swift’s Safe Harbor Policy). Both documents are publically available on the official website of the Belgian Privacy Commission:

• Data Protection Auhority(English)
• Data Protection Authority(French and Dutch)

As a consequence, Swift processes the customers’ message data neither as data controller nor as data processor. This implies that the related contractual relationship between Swift and its customers cannot be covered by a standard data processing agreement between a data controller and data processor.

The roles and responsibilities between Swift (including its role of De facto Delegate), the Swift community and its customers with regards to the processing of personal data are set out in the Swift contractual documentation, which is compliant with the GDPR requirements. The main relevant documents are thePersonal Data Protection Policyand theData Retrieval Policy.

As explained in these documents, the respective roles of the customers and Swift are as follows:

• Swift customers must, each with regard to the individuals that are their clients, comply with the obligations that require a direct contact with these individuals (such as obligations concerning data quality, information, personal data breach notification, access, correction, and opposition rights).
  
• As De Facto Delegate by default of the Swift community, Swift has no relationship with the customers’ clients and does not have any search capabilities in order to look for specific individuals mentioned in the customers’ message data. Consequently, Swift is not able to assist its customers to respond to any data protection requests coming from their clients for exercising their data subject's rights and can only comply with those obligations that cannot be performed individually by Swift customers (such as the obligations to notify personal data breaches to the Belgian Privacy Commission and to Swift users - if and as required under applicable law - and to ensure an appropriate legal ground for the data transfers between its operating centres).

Supervision by Data Protection Authorities

In May 2014 the Belgian Data Protection Authority (Commission de la protection de la vie privée/Commissie voor de bescherming van de persoonlijke levenssfeer) and the Dutch Data Protection Authority (College bescherming persoonsgegevens) announced the successful completion of their investigation into the security of Swift’s networks.

The authorities concluded there were no indications that third parties have had, or could have had, unlawful access to financial messaging data. The authorities also verified that there had been no violations of the security obligations under EU data protection law.

Swift takes its security and data protection responsibilities extremely seriously and cooperated fully during the six-month long investigation. We appreciate the efforts the authorities made in order to reach this positive conclusion.

Statements on Data Privacy