Privacy Statement – April 2019
S.W.I.F.T. SCRL (hereinafter “SWIFT”, with registered office at Avenue Adèle 1, B-1310 La Hulpe, Belgium) and other SWIFT entities as listed here are committed to protecting your privacy.
In this Privacy Statement, the terms “Controller”, “Data Subject”, “Personal Data”, “Processor”, and “Processing” shall have the meaning given to these terms in the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (hereinafter referred to as “EU Data Protection Law”).
The Privacy Statement explains how your Personal Data is processed by SWIFT, as data Controller for the data Processing activities described in this statement. This applies to data collected through our websites (for example, when you submit your data through our online forms, when you use swift.com as a registered user, or when you apply for job offers), or collected during interactions you may have with us (for example, when you attend our events, forums, trainings, or when you use our applications). In this regard, SWIFT will process all your Personal Data in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and other applicable data protection legislation (hereinafter “Data Protection Laws”). This Privacy Statement can be supplemented by other Privacy Statements that are specific to the visited website, or specific to events or webinars that you attend.
Our websites include amongst others:
We invite you to carefully read this Privacy Statement to understand our data Processing practices.
This statement does not apply to any Personal Data Processing by SWIFT when providing its financial messaging services. Our other data Processing activities are covered by other SWIFT policies, which you can find on our Data Protection Policies page available here. The main data protection policies are:
- The SWIFT Personal Data Protection Policy: This policy explains how we process our customer contact details (when collected on our websites - this part is common to this Privacy Statement - or on paper) and Personal Data that our customers encapsulate in SWIFT messages or files (“message data”). Where relevant for the purposes of this Privacy Statement, we will explicitly refer to this statement.
- The SWIFT Data Retrieval Policy: This policy explains how we retrieve, use, and disclose message and traffic data. It is not relevant for the purposes of this Privacy Statement.
SWIFT may modify this Privacy Statement from time to time. Please check it periodically for changes, in particular when you submit Personal Data on our websites.
SWIFT processes Personal Data collected on our websites or through the interactions you have with us (see above), for the following purposes (together “SWIFT Purposes”):
• The provision of SWIFT services and products, including its websites
• The organisation of Sibos and other events
• Sending commercial communications, newsletters, and other customer communications
• The operation of our websites (IP addresses, cookies, web acceleration, data security, data anonymisation for reporting and statistics, and for customer retention)
• The improvement and preservation of our websites and infrastructures
For these purposes, SWIFT will generally process the following data pertaining to you (depending on the website, activity, or form used by you): IP address, identification information (for example, last name, first name, job title, company name, contact details - such as mobile, landline, e-mail address), login and password, the history of your interactions with SWIFT (for example, attendance dates to events, photographs, downloads from our websites, connection logs), your financial information (for example, credit card details for billing purposes after your subscription to our events, invoicing history).
More information about the use of your data for specific purposes is given below. Where applicable, we indicate whether, and why, you must provide us with your Personal Data, as well as the consequences of failing to do so. If you do not provide your data when requested, and if that data is necessary to provide you with SWIFT services and products or if we are legally required to collect it, then you may not be able to benefit from our services.
You may also find more information about the use of your Personal Data (as a SWIFT customer) for SWIFT governance and for the provision of SWIFT services and products in the SWIFT Personal Data Protection Policy.
When you use our online recruitment tool (for example, iCims) or when you send us a spontaneous application, you provide us with Personal Data in order to enter the recruitment process of SWIFT. SWIFT, as a Controller, has the right to process your data based on the following legal basis: (i) necessity to enter into an employment contract, (ii) compliance with a legal obligation to which the employer is subject or (iii) where the employer or a third party has a legitimate interest in using the personal data (for example, to assess and evaluate job applicants before eventually making an offer for employment, and to ensure the good functioning of the employer’s own business).
We do not require any 'sensitive' data in our recruitment process. We therefore kindly request you not to communicate any personal details revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning your sex life or sexual orientation. Such data will be ignored and if possible deleted.
We will process your data for the purposes of handling the whole recruitment process, assessing your application, and – where applicable – hiring you. We will keep all your data confidential and act in full compliance with applicable privacy laws (for example, GDPR). We will not share your data with third parties outside the SWIFT group, with the exception of (i) service providers such as providers of HR management services, (ii) agents, advisors, and other third parties providing services to support our business operations, such as recruitment agencies, background screening agencies, and law firms, (iii) governmental, judicial, regulatory, and other bodies and authorities where required by applicable law.
You can always object to further processing, update, or delete your data by using your login and password.
Your data will not be kept longer than required for the recruitment process needs unless SWIFT needs to keep the data (for example, in case of confirmed employment) on the history of the employee (in which case, the data will be deleted as per legal retention period applicable to HR files).
Sibos and Other Events
When you register for Sibos or other events, we collect Personal Data related to your subscription to and participation in the event.
For this purpose, SWIFT has created dedicated privacy statements, which you can refer to for more information:
- The Sibos Privacy statement
- Events Data Protection statement, available at the registration to the related event
Newsletters and Other Customer Communications
SWIFT has a legitimate interest to Process Personal Data that you submit on our websites or during your interactions with us (for example, subscription to an event), and to provide you with commercial communications related to the SWIFT products and services that you use, or have purchased, or related to the event to which you participated. In addition, you can consent to receiving other commercial communications pertaining to SWIFT events, products and services, and newsletters. You can furthermore consent to “Advanced Matching”.
You have the right to opt out of this type of communication, at any moment, without motivation.
In case you agree to “Advanced Matching”, we will make sure that you only receive information that is the most relevant to you. Advanced Matching enables us to identify topics or domains of interest to you, based on your preferences and online interactions with SWIFT (for example, downloading factsheets), and helps us to understand your business needs and send you personalised communications.
To monitor the effectiveness of e-mail, online advertising, and social media campaigns, as well as the level of engagement on swift.com web pages, SWIFT measures the ratio of clicks on specific links provided through these different channels, and other online interactions, such as searching a page or watching a video. These types of processing are performed on aggregated data.
If you are a swift.com registered user, then you can, at any time, manage your communication preferences and subscriptions to our newsletters by accessing your preference centre through the secured area of “mySWIFT”. If you are not a swift.com registered user, then you can access your preference centre through a link provided in each commercial e-mail from us.
Your data will be kept no longer than two years after the last interaction between SWIFT and you, or until the information is no longer necessary for the purposes for which we process it, unless we are required by law to keep the information for a longer period of time.
Operation of our Websites
SWIFT has a legitimate interest to Process your Personal Data for the operation of its websites and as detailed below:
For our internal purposes, we may use IP addresses (the Internet address of your computer) stored in web logs to generate aggregate statistics on the usage of our websites, such as volume, traffic patterns, and time spent on a page.
The information stored in cookies includes your name, first name, registration number on https://www.swift.com/, language preference, navigation settings, login ID, and IP addresses.
In addition, our websites use Google Analytics, a service which transfers traffic data to Google servers in the United States. For more information about this feature, you can read Google’s dedicated page available here.
Web Acceleration Services
For purposes of accelerating the consultation of our websites, we use the services of a supplier specialised in web acceleration services. This requires caching the content of our websites on a substantial number of servers worldwide.
This supplier only processes data upon our instructions for web acceleration services and provides sufficient guarantees in respect of technical and organisational data security measures. This supplier also commits to notify us in case of a security breach compromising your Personal Data (see also ‘Sharing Data’ section below).
Hyperlinks to other websites
Our websites may contain links to other websites not owned or operated by SWIFT. SWIFT is not responsible for the privacy practices of these websites.
Tracking of URL activation
Upon registration to certain services (such as SWIFT Index), we will send you, by e-mail, a dedicated URL from where you can download relevant material. For purposes of measuring and following up on the use of these services, we will track the identity of the persons who activated such URLs, as well as the moment of download.
We are committed to protect your Personal Data against accidental or unlawful destruction, accidental loss, alteration, and unauthorised disclosure or access. Therefore, we monitor and record the data exchange (IP address, timestamp, volumes), both incoming and outgoing, in order to preserve the security, integrity, and availability of our infrastructure. In addition, in case of suspicious activity, SWIFT might collect data (including Personal Data) from various sources (for example, public sources, threat intelligence providers) in order to start and manage its own investigation.
This data is kept for up to one year. Data can be kept longer when a security issue has been encountered and evidence needs to be kept for SWIFT to exercise its rights and remedies.
Any Personal Data collected during this process may be shared by SWIFT with the relevant authorities.
Please be aware that we cannot ensure the security of your data on your computer or during transmission over the Internet. In this regard, we advise you to take every possible precaution to protect Personal Data stored on your computer and transiting on the Internet.
Data anonymisation for reporting and statistics
SWIFT has a legitimate interest to produce reports and statistics about the usage of its websites (for example, visitors per day, geographical reach).
These reports will be fully anonymised.
Analysis of End Users’ Usage Data for Customer Retention
SWIFT has a legitimate interest to analyse and produce reports about the usage of its products and services, as made available through swift.com (such as Watch, Compliance Analytics, or SWIFT gpi Observer) by their related end users and administrators for the following purposes:
• Create internal reporting about the individual or aggregated usage of the product or service.
• Provide specific training, and more generally awareness communication, to the customers.
• Provide ad hoc reporting to customers on their usage of the product or service.
This Personal Data is kept for twelve (12) months, after which it is purged from the systems.
Improvement and Preservation of Our Websites and Infrastructures
When you submit your data through the Responsible Disclosure Policy, SWIFT has a legitimate interest to process your Personal Data (for example, your personal identification data) to get in contact with you in order to obtain additional information about, or to undertake actions with regard to, your reported vulnerability.
SWIFT will not share your Personal Data with third parties without your permission, unless we are required to do so by law (for example, sharing with the relevant authorities) or in order to exercise our rights and remedies, for instance in case of malicious activity (for example, sharing with external lawyers).
Your Personal Data collected for the purposes under this section will be kept for ten (10) years, unless we are required by law to keep the information for a longer period of time.
Data Submitted on Behalf of Someone Else
If you provide Personal Data of another person to SWIFT for the purposes mentioned above, you shall ensure that (i) this person has been duly informed about SWIFT's right to process such Personal Data as set out herein, and has been provided with the present Privacy Statement, (ii) such Personal Data is collected and supplied in accordance with applicable legislation and without infringing such person's or any third party’s rights and (iii) you have obtained his or her prior consent where needed.
When required for the SWIFT Purposes, we may share your data with other offices in the SWIFT group (see the SWIFT Offices page for more information), carefully selected suppliers (for example, security specialists, maintenance suppliers, marketing/events organisation suppliers), or other selected third parties (typically SWIFT partners or sub-contractors).
Before sharing your data, we require such third parties to only process your Personal Data upon our instructions and to provide sufficient guarantees in respect of the technical and organisational security measures protecting the data processing activities.
Such SWIFT offices or third parties may be located in or outside the European Economic Area (EEA), including in countries that do not offer a level of data protection considered as adequate under an EU Commission adequacy decision.
In the latter case, we ensure the lawfulness of such transfers by:
- agreeing with other SWIFT offices on the standard contractual clauses approved by the European Commission Decision 2004/915/EC of 27 December 2004
- agreeing with third parties on the most appropriate statutory, contractual, or self-regulatory basis (for example, Privacy Shield certification) to allow such transfers
You have a right to obtain more information about these safeguards used to transfer data outside of the EEA, by contacting our Data Protection Officer (see below).
Your Personal Data will not be kept by SWIFT for longer than necessary, after which your Personal Data will be deleted. As a general rule, and unless specified differently in this Privacy Statement, SWIFT will keep your data for the duration of the statute of limitation applicable to our relationship with you.
During this period, you have the right to access, correct, restrict, receive a copy, and even erase your own Personal Data in accordance with the Data Protection Laws, and you can object to the processing of your Personal Data for direct marketing purposes.
In addition, where relevant, you can withdraw your consent, at any time and without motivation, for those types of data Processing to which you consented. Note however that this does not affect the lawfulness of the data Processing based on your consent before the withdrawal.
Finally, in some circumstances, you also have the right to object to the Processing of your Personal Data mentioned above.
You can update your own privacy settings, and review and update your Personal Data, at any time, through your preference centre (see above section “Newsletters and Other Customer Communications”) and your profile page. In addition, you may exercise your data protection rights by sending your request, together with a proof of your identity, to SWIFT's Privacy Officer (see below).
If you have any other questions or any complaints regarding the Processing of your Personal Data, you can contact the SWIFT Privacy Officer or lodge a complaint with the supervisory data protection authority in your country of residence, place of work, or where an incident took place. In Belgium, the data protection authority is:
Belgian Data Protection Authority
Rue de la Presse 35, 1000 Brussels
Phone: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
The SWIFT Privacy Officer carries out internal supervision in connection with our responsibilities under this Privacy Statement.
You may exercise your rights and address any questions to the Privacy Officer:
- by letter to S.W.I.F.T. SCRL, attention of Privacy Officer, Avenue Adèle 1, 1310 La Hulpe, Belgium
- by e-mail to firstname.lastname@example.org