• About SWIFT
• Company information
• Community
• SWIFT Shareholders
• Corporate Social Responsibility
• Publications
• Careers at SWIFT
• Press room
• Legal
  • Corporate matters
  • SWIFT contracts
  • Trademark guidelines
  • SWIFTStandards IPR policy
  • Compliance
• White Papers

 

SWIFT Safe Harbor Policy

Effective 16 July 2007 - Updated on 29 May 2009

SWIFT Inc., the U.S. branch of S.W.I.F.T. SCRL (this branch will further be referred to as 'SWIFT' in this Policy) has joined both the U.S.-EU and U.S.-Swiss Safe Harbor Programs in order to enhance the protection of personal data contained in messages transferred from both the European Economic Area and Switzerland to SWIFT's U.S. operational centre (hereinafter referred to as "message data").

We self-certify compliance with

SWIFT has committed to handling such personal data in accordance with the Safe Harbor Principles issued by the U.S. Department of Commerce on July 21, 2000. SWIFT's Safe Harbor certification can be found in the Safe Harbor list.

For more information about the Safe Harbor Principles, please visit the U.S. Department of Commerce's Website at http://www.export.gov/safeharbor/.

The adequacy of the U.S.-EU Safe Harbor Program was recognized by EU Commission Decision 2000/520/EC of 26 July 2000. The U.S.-Swiss Safe Harbor Program negotiated between Switzerland and the U.S. entered into force on 16 February 2009.

This Policy only covers personal data contained in message data (as defined above) that relate to individuals resident of EEA Member States or from Switzerland, or that are sent by SWIFT Customers established in one of the EEA Member States or Switzerland.  

Any questions regarding this Policy or SWIFT´s processing of personal data in the U.S. may be addressed to:

• SWIFT's U.S. registered agent, Williams Mullen,
  marked for the attention of SWIFT Legal Department,
  1021 East Cary Street, 16th floor, PO Box 1320 Richmond USA, VA 23210-1320, USA,
• or to SWIFT's corporate headquarters (the SWIFT parent entity) at S.W.I.F.T. SCRL,
  attention of Privacy Officer,
  Avenue Adèle 1, 1310 La Hulpe, Belgium,
  e-mail privacy.officer@swift.com.

More information about the SWIFT processing of personal data is available at swift.com > About SWIFT > Legal > Compliance.

SWIFT processes message data solely for purposes of contributing to the safety of financial transactions through automated and secured transmission of standardized, integer and immediately exploitable information, and of producing general information on financial transactions. Message data are subject to adequate confidentiality and security protections.

SWIFT has no direct relationship with the clients of its Customers.  SWIFT has adopted the SWIFT Personal Data Protection Policy and Data Retrieval Policy which are binding on SWIFT's Customers who are responsible for complying with their national law (if any) governing the collection and processing of personal data.  

 SWIFT works with its Customers to see that the protections of the Safe Harbor are applied to message data, as follows:

NOTICE:  SWIFT provides information on its web site (http://www.swift.com/) regarding its messaging services, including personal data processing practices.

SWIFT has also informed its Customers about the need, where required by their applicable data protection law, to provide notice to their client individuals, including as to (1) the purposes for which personal data are collected by Customers when used as part of their use of the SWIFT messaging services; (2) how to contact them with any inquiries or complaints; (3) the types of third parties to whom personal data are disclosed; and (4) the choices and means that individuals are offered for limiting use and disclosure of personal data.

CHOICE:  SWIFT provides information on its web site (http://www.swift.com/) regarding its messaging services, including the retrieval, use and disclosure of message data in accordance with its Data Retrieval Policy.

SWIFT has also informed its Customers about the need, where required by their applicable data protection law, to allow their client individuals to choose whether their personal data are to be disclosed to a third party (other than a third party acting under the instructions of the Customers), or to be used for a purpose that is incompatible with that for which it was originally collected or subsequently authorized.  SWIFT does not purposely process personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying sex life (so-called "sensitive information").

ONWARD TRANSFER:  Message data (which may contain personal data) may possibly be disclosed to the following categories of third parties:

• to recipient Customers to whom the message is sent;
• to other intermediaries in the transaction chain to whom the message is either copied (for example when using the FINInform or FINCopy messaging services) or sent for further transmission (for example correspondent banks);
• to organisations (typically a regulatory or supervisory authority or a market infrastructure) entitled to request message data for legitimate collective interests as documented in the SWIFT Data Retrieval Policy ("collective requests");
• to SWIFT suppliers, in exceptional circumstances, for purposes of problem investigation as documented in the SWIFT Data Retrieval Policy; and
• in the scope of a Mandatory Request by a competent authority, under the conditions set forth in the SWIFT Data Retrieval Policy.

The suppliers that SWIFT uses to operate its backbone network act as a mere conduit for message data in encrypted form only.  SWIFT does not provide such suppliers with the means to decrypt message data.

SECURITY: SWIFT offers a high level of data security to protect message data (which may contain personal data) from loss, misuse and unauthorized access, disclosure, alteration and destruction.  As documented in the Personal Data Protection Policy, SWIFT has implemented an information security framework, including a corporate security policy and standards that are based on the principles of ISO/IEC 27002:2005.  This internationally recognized standard provides wide-ranging security guidelines.  The framework is supported by technical and organizational security measures which are formally documented.

In addition, for the SWIFTNet and SWIFTNet FIN messaging services, key security commitments have also been summarized in the SWIFT Security Control Policy, which forms the basis for SWIFT's annual SAS 70 report that provides an overview of the controls in place to meet the objectives stated in the Security Control Policy. The SAS 70 report also contains an independent audit opinion providing reasonable assurance on the adequacy of the design of the controls, the fact that they have been placed in operation and their operating effectiveness. Since 2008, the SAS 70 audit scope contains a specific control objective and specific controls relating to SWIFT's data protection policies, including this Safe Harbor Policy.

DATA INTEGRITY: SWIFT's messaging services are designed to process message data (which may contain personal data) without affecting the integrity of such data. 
SWIFT has also informed its Customers about the need, where required by their applicable data protection law, to put in place procedures to ensure that message data (which may contain personal data) are reliable for their intended use, accurate, complete, and current.  SWIFT does not process message data (which may contain personal data) for purposes incompatible with those for which the data were submitted by the Customers.  However, SWIFT is obligated to comply with mandatory legal requirements in the countries in which it operates, which may include complying with a Mandatory Request by a competent authority under the conditions set forth in the SWIFT Data Retrieval Policy.

ACCESS: An individual may be granted access to his or her personal data contained in message data under the following procedure:

• A query should first be directed to the SWIFT Customer (typically the individual's bank) that originally collected the individual's data.  When required by Customers, SWIFT will provide them with the necessary assistance in handling this query.
• When the individual is unable to contact the Customer, or does not obtain a response from the Customer, SWIFT will provide the necessary assistance in forwarding the individual's access request to the Customer.

Any request to correct, amend, or delete personal data when they are inaccurate, should also be directed to the SWIFT Customer that originally collected the individual's data. SWIFT will forward any such requests it receives to the respective Customer and will provide the Customer with the necessary assistance in handling such requests.  

DISPUTE RESOLUTION AND ENFORCEMENT: SWIFT reviews its compliance with this Policy to verify that the assertions made in it are true and that the practices it contains are correctly implemented.  Any breach of this Policy that has been reported to SWIFT will be duly investigated.

An individual with a complaint or dispute about the processing of its personal data contained in message data in SWIFT's U.S. operational centre should use the following procedure:

•  the individual should first contact the SWIFT Customer (typically its bank) that originally collected the data, and use the Customer's relevant dispute resolution mechanism (if available).  SWIFT will participate in this mechanism at the request of the Customer or the individual;
• If the individual is still dissatisfied, then the matter may be submitted to the Judicial Arbitration and Mediation Services Inc. (JAMS), a mediation provider, for mediation under the JAMS International Mediation Rules (the ‘Rules'), which are accessible on the JAMS web site. Mediation may be commenced as provided for in the rules. Mediation shall be conducted using electronic communications mechanisms such as telephone, e-mail, and Internet. The mediator may propose any appropriate remedy, such as publicity for findings of non-compliance, the payment of compensation for losses incurred as a result of non-compliance, or the cessation of processing of the personal data of the individual who has brought the complaint.  SWIFT will assume the costs of administrative fees (as referred to in paragraph 14 of the Rules) if the mediator makes a written recommendation that finds SWIFT to be in breach of its duties under Safe Harbor.  However, SWIFT need not take any action which would conflict with national security, public interest, or law enforcement requirements applicable to SWIFT.
• The mediator or the individual may also refer the matter to the U.S. Federal Trade Commission (FTC), which has legal jurisdiction over SWIFT.  The FTC may be contacted here.

MANDATORY REQUESTS: As set out in the U.S. Safe Harbor Principles, adherence to the Principles may be limited to the extent necessary to meet national security, public interest, or law enforcement requirements.