Those following questions and answers give us informations on your rights according to SWIFT agreement.
What is SWIFT?
Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) is an international cooperative of financial institutions, founded in 1973, which manage a telecommunications network (the SWIFT network ) for the exchange of messages between members.
The registered office is based in La Hulpe (Belgium). An operational centre ( OPC ) is located in Zoeterwoude (Netherlands), Culpeper (Virginia/ USA) and the Zurich area (Switzerland ). SWIFT carries messages between financial institutions, but does not keep accounts for partners and does not cancel payments.
Messages include:
– payments, including UE
– Standardüberweisung
Securities purchases and foreign exchange transactions
– bank statements for each account kept between banks
– payment notices with address details coverage
– Credit letters (a promise document of the issuing bank’s debt)
– Securities transactions.
After the US terrorist attacks of 11 September 2001, SWIFT affirmed that it was requested to provide confidential information on financial transactions to the US authorities.
At the end of July 2009, the UE Under Secretary of State decided to allow US investigators to have access to EU account informations. They assigned the EU Commission to negotiate an agreement (the so called TFTP). It was signed on the 28 June 2010 from UE and USA. Because data are always shared using SWIFT, the agreement is alway called SWIFT.
What kind of data are shared to US Authorities?
The SWIFT agreement allow the data processing toward extra-eu countries. This includes customers and recipients details, as name, account number and address.
Intra-EU transfers are excluded even if they are processed by the SEPA system.
SEPA, Single European Payment Area, is based on an European IBAN (international bank account number) and BIC (international bank code) for transfers.
How does the federal data protection officer assess that further information on the data subject needs to be shared to the US authorities in order to enforce the rights?
In order to specify the request for information and prevent abuse, it may be necessary to transmit additional personal information (address, possibly bank details).
The BFDI is trying to clarify and simplify different procedures. This means that other personal data are shared with few positions.
What kind of possibility the data subject has if wrong data are processed according to SWIFT agreement?
According to article 16 of SWIFT agreement, the data subject has the right to reply, erase or block if his data stored are incorrect or if the processing of the data has violated the provisions of the SWIFT agreement.
If the data subject applies these rights, wrong data will be blocked in the US Authorities database or tagged as wrong. However, since it is not possible to correct the wrong data on the shared payment transaction, the data subject must also make a correction on wrong data at his bank.
What can the data subject do if his rights have not been fulfilled?
Anyone who thinks that his personal data have been processed with a SWIFT agreement violation, can file an administrative and judicial complaint according to UE legislation, their Member States or USA.
Does the data subject the right to be informed on his stored data?
The regulations on the right to information are contained in Article 15 of the SWIFT Agreement.
A data subject that exercises the information right on US Authorities can, upon request, confirm that all the controls have been applied and that the SWIFT agreement has not been infringed during the processing.
The SWIFT agreement also allows the US Authorities to deny to give informations in case of special reasons.
In this case, the data subject understands if or why his data are stored in a US system.
Which authority is used to claim the information right?
The data subject gets in touch with the National data protection Authority to enforce its own information right. In Germany is the Federal Data Protection and Freedom Information Committee (BFDI) that forwards the request to the US Treasury Department Data Protection Officer.
The request will be controlled and processed. The US Authority informs the BFDI if the data subject right has been protected.
What kind of conditions we need for exercising the information right?
According to the US Treasury Department Data Protection Officer a new simple procedure has been adopted, and entered in force on 1 September 2013. Consequently, the applicant identity is checked by the National Data Protection Authorities. It is no longer necessary to send copies of identity documents to the US authorities.
The following documents are required to submit the request for information:
– Confirmation of identity (will be shared without a copy of the proof of identity); – Request for information requests or requests for correction, cancellation or blocking;
– Authorization form of the national data protection authority.
These documents will be sended to the United States Treasury Department along with a cover letter.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA GERMANIA – BfDI