Last update: February 2024
Table of contents
Introduction
Swift SC (hereinafter “Swift”, with registered office at Avenue Adèle 1, B-1310 La Hulpe, Belgium) and other Swift entities as listed here are committed to protecting your privacy.
In this Privacy Statement, the terms “Controller”, “Data Subject”, “Personal Data”, “Processor”, and “Process/Processing” shall have the meaning given to these terms in the EU General Data Protection Regulation (Regulation (EU) 2016/679) (hereinafter referred to as “GDPR ”).
The Privacy Statement explains how your Personal Data are Processed by Swift, as data Controller, in relation to the data Processing activities described herein. We invite you to carefully read this Privacy Statement to understand our data Processing practices.
Swift collects information that relates to individuals, including Personal Data, through its websites (for example, when you submit your data through our online forms, when you use swift.com as a registered user, or when you apply for job offers), during interactions you may have with us (for example, when you attend our events, forums, trainings, or when you call us or send us emails, mails or use our applications) or via our customers, vendors and partners (e.g. billing or contract contact details, swift.com administrator, National Member Groups/National User Groups representatives).
Swift Processes Personal Data in compliance with the GDPR and other applicable data protection legislations (hereinafter “Data Protection Laws”). This Privacy Statement can be supplemented by other privacy statements that are specific to the visited website, or specific to events or webinars that you attend.
Our websites include amongst others:
- swift.com
- our Sibos website, available at sibos.com
- www.3skey.com,
- https://swift.wd3.myworkdayjobs.com/Join-Swift, and
- other URLs that redirect to swift.com.
This Privacy Statement does not apply to the Processing of Personal Data by Swift in the context of the provision of its financial messaging services or its other products and services (including the Processing of traffic or message data).
These Personal Data Processing activities are covered by specific Swift policies or contractual arrangements, some of which are available on our Data Protection Policies page available here. These include:
- The Swift Personal Data Protection Policy: This policy explains how we Process Personal Data in the context of the provision of Swift transaction processing services, including Personal Data that our customers encapsulate in Swift messages or files (“message data”).
- The Swift Data Retrieval Policy: This policy explains how we retrieve, use, and disclose message and traffic data. It is not relevant for the purposes of this Privacy Statement.
Swift may modify this Privacy Statement from time to time. Please check it periodically for changes, in particular when you submit Personal Data on our websites.
Sources and categories of Personal Data
Swift may Process different types of Personal Data collected from the following sources:
- Information Swift collects directly from Data Subjects. Data Subjects may submit their Personal Data online (for example, through the Online Ordering tool, the MyProfile, the (support) Case Manager, Swift recruitment platform, and the (communications) Preference Centre on www.swift.com), when they register to an event, or through paper forms. Data Subjects may also provide Swift with their Personal Data when they contact Swift otherwise, as further explained below. The Personal Data Swift receives includes (depending on communication channel, the website, activity, or form used by you): IP address, identification and contact information (for example, last name, first name, job title, company name, industry, contact details - such as mobile or landline phone number, e-mail or post address), login, username and password, browsing activity, the history of Data Subject’s interactions with Swift (for example, attendance dates to events, photographs, downloads from our websites, connection logs), financial information (for example, credit card details for billing purposes after subscription to events, invoicing history), the content, date and time of a communication and any attachments thereto, marketing and communication preferences, job applications (including resume, cover letter, picture, career information) and other information Data Subjects may directly provide to Swift.
- Information Swift collects through its customer, vendor and partner relationships. Swift may receive professional contact details of employees of, and other individuals associated with, Swift customers, partners and vendors, such as first and last name, e-mail address, phone number, title and department, and other information relevant to the particular business relationship. Customers, vendors and partners that submit Personal Data relating to a Data Subject to Swift for Swift Purposes (as defined below), must ensure that they do so in accordance with all applicable laws and regulations, including providing notice to the Data Subject about the Swift Purposes and, where required, obtaining appropriate consent.
- Information Swift collects automatically. Swift may automatically collect information about a Data Subject’s use of Swift websites or of Swift products and services through logs, cookies, web beacons and similar technologies. Swift informs Data Subjects of such Processing through this Privacy Statement and the Cookie Policy available on Swift websites.
Swift purposes
Swift Processes Personal Data for the following purposes (together “Swift Purposes”):
- Customer management, including:
- The provision of Swift services and products
- The management of Swift governance:
- The management of contacts and relationships with our customers and prospects
- The organization and management of Swift advisory and working groups
- The admission as a Swift customer or shareholder and ongoing management of such customer or shareholder relationship
- Third Party Management, including:
- Vendor and Partner management
- Accounting, records keeping, security and fraud detection, claim management and audit
- Recruitment
- Communications and events, including:
- The organisation of Sibos and other regional or local events
- Marketing and promotional activities (e.g. sending commercial communications, newsletters, and other customer communications like surveys)
- The operation of our websites, including:
- IP addresses, cookies, web acceleration, data security, Data anonymisation for reporting and statistics, and for customer retention
- The improvement and preservation of our websites and infrastructures
- The exercise of Swift's obligations, rights and remedies as set out in this Privacy Statement and the Terms of Use related to the particular websites, as listed above (for example, swift.com terms of use)
More information about the collection, use and Processing of your Personal Data for these specific purposes is provided in the following sections. Where applicable, we indicate whether, and why, you must provide us with your Personal Data, as well as the consequences of failing to do so. If you do not provide your data when requested, and if that data is necessary to provide you with Swift services and products or if we are legally required to collect it, then you may not be able to fully benefit from our services.
Customer management
Swift may Process Personal Data of employees or representatives of our customers (including prospects) for the development, subscription, deployment, provision, support, evaluation, and invoicing of Swift services and products, services and products offers to Swift partners or service bureaus, and online services and products, including via its websites.
Swift will typically need to process Personal Data in the context and for the purpose of the admission as a Swift customer or as a Swift shareholder, including for due diligence purposes and for the ongoing management of such customer or shareholder relationship.
Swift will also request specific Personal Data for the purpose of registering and managing customers’ security officers, as may be required to use Swift products and services. Security officers handle security matters for the Swift users.
As part of its specific governance as a Belgian cooperative, Swift organizes, participates in or handles relationships with several Swift-related bodies, such as the Swift Board and related Committees, the Swift National Member Groups and National User Groups or other consultation groups, which requires the Processing of Personal Data.
Swift relies on the following legal grounds to Process your Personal Data for such purposes:
- Contract. When Swift must Process your Personal Data to provide you with the Swift services and products you subscribed to, or allow you to participate in a working group.
- Legitimate interest. Swift has a legitimate interest in Processing your Personal Data to operate quality services and products, establish and develop good and ethical relationships with customers and shareholders, keep track of the proper implementation of its contracts and ensure a good internal governance.
Third Party Management
Swift Processes Personal Data (mainly professional contact details of contacts at vendors and partners) to manage contacts and the commercial relationship with its vendors and partners, including due diligences, contract management and invoicing.
More generally, Swift will Process Personal Data for accounting, records keeping, customer information, security (investigations), fraud detection, claim management and audit purposes.
Swift relies on the following legal grounds to Process your Personal Data for such purposes:
- Legal obligation. When Swift has a legal obligation to Process Personal Data, for example legal obligations relating to fraud prevention, accounting, or tax.
- Legitimate interest. Swift has a legitimate interest in Processing Personal Data to ensure the safety, security, and performance of its business, and in keeping good and ethical relationships with its vendors and partners.
Recruitment
When you use our online recruitment tool (for example, Workday) or when you send us a spontaneous application, you provide us with Personal Data in order to enter the recruitment process of Swift. Swift, as a Controller, has the right to Process your Personal Data based on the following legal basis:
- Contract: necessity to enter into an employment contract,
- Legal Obligation: compliance with a legal obligation to which the employer is subject or
- Legitimate Interest:) where the employer or a third party has a legitimate interest in using the Personal Data (for example, to assess and evaluate job applicants before eventually making an offer for employment, and to ensure the good functioning of the employer’s own business).
- Consent: in relation to the provision of optional information linked to our Diversity and Inclusion program.
We do not require any 'sensitive' data or ‘special categories of Personal Data’ in our recruitment process. We therefore kindly request you not to communicate any personal details revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning your sex life or sexual orientation. Such data will be ignored and if possible deleted.
We will Process your data for the purposes of handling the whole recruitment process, assessing your application, and – where applicable – hiring you. We will keep all your data confidential and act in full compliance with applicable Data Protection Laws (for example, GDPR). We will only share your Personal Data with the following third parties outside the Swift group: (i) service providers such as providers of HR management services, (ii) agents, advisors, and other third parties providing services to support our business operations, such as recruitment agencies, background screening agencies, and law firms, (iii) governmental, judicial, regulatory, and other bodies and authorities where required by applicable law.
You can always object to further Processing, update, or delete your Personal Data by using your login and password.
Your data will not be kept longer than required for the recruitment process needs, unless Swift needs to keep your data (for example, in case of confirmed employment) on the history of the employee (in which case, the data will be deleted as per legal retention period applicable to HR files).
During the recruitment process you can answer a few questions about yourself (gender identity, ethnicity, disability and social mobility). We collect these Personal Data based on consent. Your consent is entirely voluntary and you will not suffer any disadvantages if you refuse to provide such information. You can withdraw your consent at any moment. The goal is for us to analyse how we connect with traditionally underrepresented groups and their progression, both during the recruiting process and during their career at Swift, in order to improve our Diversity and Inclusion program.
The data collected is only accessible to a small team in charge of aggregating the information to produce internal reports. This team is not involved in the recruitment process and the answers remain confidential.
We keep the information for 24 months after the end of the recruitment process.
Communications and Events
Sibos and other Events
When you register for Sibos or other events, we collect Personal Data related to your subscription and participation to the event.
Swift relies on its legitimate interest in Processing Personal Data to manage its relationship with customers and prospects, keep them informed of Swift related news and follow-up on Swift related events.
For this purpose, Swift has created dedicated privacy statements, which you can refer to for more information:
Marketing communication and Surveys
Swift has a legitimate interest to Process Personal Data that you submit on our websites or during your interactions with us (for example, subscription to an event, purchase or use of our products), to provide you with commercial communications related to Swift products and services to promote its business. In this respect, if you or your company are a Swift customer, we might send you communications related to the Swift products or services that you use or purchased (including events to which you registered) or similar ones.
In addition, you can consent to receiving commercial communications pertaining to Swift activities in general, tailored to your profile (“Advanced Matching”) or related to specific topics or domains of interest which you can select and manage through your online Preference Centre. If you choose to use “Advanced Matching”, you leave us in charge of identifying your topics or domains of interest based on your online engagement with us (for example, downloading factsheets), so that we can provide you with curated content and ensure you only receive information that is relevant to you.
You have the right to opt out of this type of tailored communication, to unselect specific domains of interests or to opt out from any type of commercial communication from Swift, at any moment, without motivation. You can do so by accessing the Preference Centre, on swift.com or through a link provided in each commercial e-mail from us. For swift.com registered users, the Preference Centre is also accessible through the secured area of “MySwift”.
Please note that if you are a swift.com registered user, you can subscribe to specific newsletters, which you can manage through the secured area of “MySwift”. When you choose to opt out from all communications from us in your Preference Centre, we will stop your subscription to these specific newsletters.
Through the Preference Centre, you will be able to:
- manage your commercial communication preferences, such as what content we send you, by adjusting your domains of interest, subscribing to or opting out of general communications from Swift and/or Advanced Matching;
- update and edit your Personal Data, or request that your details be deleted.
- manage your preferences with regards to surveys.
From time to time, we may send you invitations to participate in surveys or market researches in order to seek community feedback on existing products and services or on future product developments. It is both Swift’s and its customers’ legitimate interest to identify how to improve the quality of Swift services and products through surveys, in compliance with the recipients’ commercial communications preferences. If you do not wish to receive surveys or market researches, you may choose to opt out from all types of surveys through the Preference Centre.
To monitor the effectiveness of our e-mail campaigns and facilitate further interactions between us, Swift measures specific actions related to e-mails (e.g. clicks, bounce, open). It is Swift’s legitimate interest to maintain accurate, effective and quality interactions with its current and prospective customers. If you opt out from any type of commercial communications from Swift on your Preference Centre, your personal data will no longer be used for that purpose.
It is also important for Swift to monitor the effectiveness of its online advertising and social media campaigns and the use of its websites, in order to improve them. For more information on this type of data processing activities, see our Cookie policy.
Finally, we may ask you to provide your feedback on our websites, so we can improve their content and navigation. The participation is voluntary and you will be free to choose whether or not to provide your email address.
Your personal data will be kept until the information is no longer necessary for the purposes for which we process it. This typically means no longer than two years after the last interaction between Swift and you for your contact details and marketing activities, three years for your responses to surveys and five years for support cases. Swift may however keep the information for a longer period of time if we are required by law or to defend our rights.
China addendum
Operation of our websites and infrastructure
Swift has a legitimate interest to Process your Personal Data for the operation of its websites and infrastructure, as detailed below:
IP Addresses
For our internal purposes, we may use IP addresses (the Internet address of your computer) stored in web logs to generate aggregate statistics on the usage of our websites, such as volume, traffic patterns, and time spent on a page.
Cookies
Our websites use cookies. Cookies are small pieces of information that are stored by your browser on your computer's hard drive or in your browser memory.
The information stored in cookies include your name, first name, registration number on https://www.swift.com/, language preference, navigation settings, login ID, and IP addresses.
In addition, our websites use Google Analytics, a service which transfers traffic data to Google servers in the United States. For more information about this feature, you can read Google’s dedicated page available here.
Where required under applicable Data Protection Laws, Swift will ask for your consent to use cookies and similar technologies. For a detailed description on the use and purposes of cookies via this Website, please consult the related Cookie Policy.
Search Relevance
Swift websites and applications make use of user tracking and usage analytics (profile and actions performed, like key words searched and results selected) to provide an increase in the relevance of web content for the user. We use the services of a supplier to accomplish this goal so that we can improve the web experience for the end-user.
This supplier only Processes data upon our instructions for search optimization and provides sufficient guarantees in respect of technical and organizational data security measures. This supplier also commits to notify us in case of a security breach compromising your Personal Data (see also ‘Sharing Data’ section below).
Web Acceleration Services
For purposes of accelerating the consultation of our websites, we use the services of a supplier specialised in web acceleration services. This requires caching the content of our websites on a substantial number of servers worldwide.
This supplier only processes data upon our instructions for web acceleration services and provides sufficient guarantees in respect of technical and organisational data security measures. This supplier also commits to notify us in case of a security breach compromising your Personal Data (see also ‘Sharing Data’ section below).
Hyperlinks to other websites
Our websites may contain links to other websites not owned or operated by Swift. Swift is not responsible for the privacy practices of these websites.
Tracking of URL activation
Upon registration to certain services (such as Swift Index), we will send you, by e-mail, a dedicated URL from where you can download relevant material. For purposes of measuring and following up on the use of these services, we will track the identity of the persons who activated such URLs, as well as the moment of download.
Data anonymisation for reporting and statistics
Swift has a legitimate interest to produce reports and statistics about the usage of its websites (for example, visitors per day, geographical reach).
These reports will be fully anonymised.
Analysis of End Users’ Usage Data for Customer Retention
Swift has a legitimate interest to analyse and produce reports about the usage of its products and services, as made available through swift.com (such as the Knowledge Center, Watch, Compliance Analytics, or Swift GPI Observer) by their related end users and administrators for the following purposes:
- Create internal reporting about the individual or aggregated usage of the product or service, and use it to improve the quality of our products or services.
- Provide specific training, and more generally awareness communication, to the customers.
- Provide ad hoc reporting to customers on their usage of the product or service.
This Personal Data is kept for twelve (12) months, after which it is purged from the systems.
Improvement and preservation of our websites and infrastructures
When you submit your data through the Responsible Disclosure Policy, Swift has a legitimate interest to process your Personal Data (for example, your personal identification data) to get in contact with you in order to obtain additional information about, or to undertake actions with regard to, your reported vulnerability.
Swift will not share your Personal Data with third parties without your permission, unless we are required to do so by law (for example, sharing with the relevant authorities) or in order to exercise our rights and remedies, for instance in case of malicious activity (for example, sharing with external lawyers).
Your Personal Data collected for the purposes under this section will be kept for ten (10) years, unless we are required by law to keep the information for a longer period of time.
Data Security
We are committed to protect your Personal Data against accidental or unlawful destruction, accidental loss, alteration, and unauthorised disclosure or access. Therefore, we monitor and record the data exchange (IP address, timestamp, volumes), both incoming and outgoing, in order to preserve the security, integrity, and availability of our infrastructure and information/data. In addition, in case of suspicious activity, Swift might collect data (including Personal Data) from various sources (for example, public sources, threat intelligence providers) in order to start and manage its own investigation.
This data is kept for up to one year. Data can be kept longer when a security issue has been encountered and evidences need to be kept for Swift to exercise its rights and remedies.
Any Personal Data collected during this process may be shared by Swift with the relevant authorities.
Please be aware that we cannot ensure the security of your data on your computer or during transmission over the Internet. In this regard, we advise you to take every possible precaution to protect Personal Data stored on your computer and transiting on the Internet.
In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that Swift Processes for the purposes set out in this Privacy Statement, Swift will notify the Personal Data breach to the Belgian Data Protection Authority and to the individuals concerned, if and as required under the GDPR.
Data submitted on behalf of someone else
If you provide Personal Data of another person to Swift for the purposes mentioned above, you shall ensure that (i) this person has been duly informed about Swift's right to process such Personal Data as set out herein, and has been provided with the present Privacy Statement, (ii) such Personal Data is collected and supplied in accordance with applicable legislation and without infringing such person's or any third party’s rights and (iii) you have obtained his or her prior consent where needed.
Sharing data
As a rule, Swift ensures that your Personal Data is only accessible or shared on a need-to-know basis, to authorized persons with a legitimate business need to Process these data.
For instance, Swift may share your Personal Data (merely your identification and contact details, as well as your function and role profile) to people within your own organization, on a need-to-know basis, and where this sharing is required for the mere administration of the Swift membership or for the performance of the contract between Swift and your organization.
When required to achieve the Swift Purposes, we may share your Personal Data within the Swift group in countries where the Swift Offices are located, carefully selected suppliers who perform functions on Swift’s behalf (for example, Swift’s suppliers hosting or operating its CRM systems, SwiftSmart and SwiftRef platforms, security specialists, maintenance suppliers, marketing/events organisation suppliers), or other selected third parties (including professional advisers, National Member and User Groups, other offices within the Swift Group, or Swift partners).
In case of a security investigation, Swift only discloses Personal Data to customers that are impacted by the security incident.
In addition, Swift may, in exceptional circumstances, disclose Personal Data to third parties when:
- disclosure is required by law or regulation;
- non-disclosure exposes Swift or its staff to civil or criminal liability;
- disclosure is necessary to co-operate with competent authorities; or
- disclosure is necessary to the relevant persons involved in any further investigation or subsequent judicial proceedings instigated as a result of an enquiry by Swift (for example, external counsel) or at a customer’s request
Before sharing your Personal Data, we require third parties acting as Data Processors to only process your Personal Data upon our instructions and to provide sufficient guarantees in respect of the technical and organisational security measures protecting the data processing activities.
Data Transfers
Swift may transfer Personal Data to affiliates, Processors and third parties that may be located in or outside the European Economic Area (EEA), including in countries that do not offer a level of data protection considered as adequate under EU standards.
In case Personal Data need to be transferred outside of the EEA, Swift makes sure to have adequate transfer arrangements in place. In particular, Swift may transfer Personal Data to countries for which adequacy decisions have been issued by the European Commission, use contractual protections for the transfer of Personal Data, or rely on alternative transfer mechanisms recognised in the EEA.
As regards Swift affiliates, Swift has implemented an Intra-Group Data Transfer Agreement based on the standard contractual clauses that were approved by the European Commission. These standard contractual clauses, together with additional technical or organisational safeguards as appropriate, ensures that transfers between entities within the Swift group are compliant with the requirements of the GDPR.
For more information about Swift offices and the list of countries where entities from the Swift group are located, see www.swift.com > Contact Us > Swift offices.
You have a right to obtain more information about these safeguards used to transfer data outside of the EEA, by contacting our Data Protection Officer (see below).
Data retention
As part of its practices, Swift takes measures to delete Personal Data or keep it in a form that does not permit to directly identify the individual when this information is no longer necessary for the purposes for which Swift Processes it, unless Swift is required by law to keep this information for a longer period.
When determining the appropriate retention period, Swift takes into account various criteria, such as mandatory retention periods provided by law and the statute of limitations, good practices known to Swift, the sensitivity of the Personal Data Processed, the nature and length of Swift’s relationships with customers, shareholders or partners, the duration of Swift’s events, the impact on the products and services Swift provides if Swift deletes some Personal Data,
When relevant, specific retention periods applicable are indicated above, together with a description of the Processing activity.
Your rights
Your Personal Data will not be kept by Swift for longer than necessary, after which your Personal Data will be deleted. As general rule, and unless specified differently in this Privacy Statement, Swift will keep your data for the duration of the statute of limitation applicable to our relationship with you.
Data Protection Laws, including GDPR, provide individuals with individuals rights, such as the right to access, correct, restrict, receive a copy, and ask for deletion or their own Personal Data, and the right to object to the Processing of their Personal Data (including their use for direct marketing purposes).
In addition, where relevant, individuals may withdraw their consent, at any time and without motivation, for those types of data Processing to which their consented. Note however that this does not affect the lawfulness of the data Processing based on your consent before the withdrawal.
To facilitate the exercise of individuals’ rights, Swift has created a Preference Center accessible online. You can update your own privacy settings, and review and update your Personal Data and your profile page, at any time, through this platform (see above section “Marketing Communication and Surveys”). In addition, you may exercise your data protection rights by sending your request, together with a proof of your identity, to Swift's Privacy Officer (see dedicated section below).
If you have any other questions or any complaints regarding the Processing of your Personal Data, you can contact the Swift Privacy Officer or lodge a complaint with the supervisory data protection authority in your country of residence, place of work, or where an incident took place. In Belgium, the data protection authority is:
Belgian Data Protection Authority
Rue de la Presse 35, 1000 Brussels
Phone: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
E-mail: contact@apd-gba.be
Website: www.dataprotectionauthority.be
For accountability reasons, Swift will need to keep limited information regarding requests received from individuals and related actions taken.
Privacy Officer
The Swift Privacy Officer carries out internal supervision in connection with our responsibilities under this Privacy Statement.
You may exercise your rights and address any questions to the Privacy Officer:
- by letter to Swift SC, attention of Privacy Officer, Avenue Adèle 1, 1310 La Hulpe, Belgium
- by e-mail to privacy.officer@swift.com
- by calling Swift at the number indicated below