Transfer of payment data to the US authorities

The transfer of personal data by Postfinance to a banking institute in the territory of the United States must have a legal justification and the person concerned must be informed in an appropriate manner. Following our intervention, Postfinance changed its practice and proposed measures that take account of our comments.

A customer issued an order to Postfinance to transfer via Yellownet (Postfinance’s internet payment system) an amount in US dollars to the account of a Cuban tour operator held in a Zurich bank. The postal account of the customer was debited for the amount, but the Cuban company never received the money. When questioned about this by the customer, Postfinance answered that the transfer had been blocked as a result of the US authorities’ embargo on Cuba and that the amount was now being held on the account of the US Department of Treasury. According to the explanation that was given, transactions in foreign currencies that pass through a foreign banking institute – in this particular case a US banking institute – are subject to US laws which require all financial transactions involving Cuba to be reported. The customer told Postfinance that the transfer involved two financial institutions with their headquarters in Switzerland (Postfinance and the bank in Zurich) and that no mention was made anywhere on the Yellownet website that transactions in foreign currencies within Switzerland might be channelled via a third country.

At the request of the person concerned, we analysed the personal data that had been processed by Postfinance in the case in question. The Data Protection Act applies to the transfer of personal data by Postfinance to the bank in the United States. The subsequent onward transfer of the aforementioned data by this bank to the US authorities is not subject to Swiss but to US law. Postfinance is only authorised to transfer personal data to a US bank if there is a legal justification for doing so. A legal justification could take the form of the consent of the person concerned, or the existence of an overriding public or private interest or a legal requirement. In the present case, only two justifications are possible: the consent of the person concerned or the existence of an overriding private interest. Consent is only valid if it is given voluntarily and in full cognizance of the facts. This means that the person concerned must be fully informed about the list of data that is to be communicated and also that it will be transferred to a country which does not offer an equivalent level of data protection as that of Switzerland. The person must also be informed that the recipient of the data may be required by legislation in the country concerned to share it with the national authorities. Apart from obtaining the consent of the person concerned, Postfinance may also invoke an overriding private interest in communicating the data to the bank in order to comply with the order placed by the customer. However, the transparency requirement, which derives from the principle of good faith, demands that full information be disclosed to the person concerned, particularly when his/her personality rights may be in serious jeopardy because the data protection system is not equivalent to the one in Switzerland. In the present case we came to the conclusion that the customer had been given insufficient information. Furthermore, when data is regularly transferred to a recipient in a country which does not offer the same level of data protection as Switzerland, the supplier of such data must be in possession of a signed agreement from the recipient in which the latter undertakes to provide the same level of data protection as that offered under Swiss law.

On the basis of our analyses, we requested Postfinance to provide all necessary information to the persons concerned and to negotiate agreements that ensure that all data transferred comply with data protection requirements. In response to our request, Postfinance suggested a series of measures which take our concerns into account. Postfinance only communicates to the foreign corresponding bank the amount of the transaction, the name and account number of the beneficiary bank in Switzerland, as well as a reference number. If the transaction is blocked, Postfinance makes representations to the foreign authorities as soon as it has received a power of attorney from the person concerned. In order to ensure that the persons concerned are properly informed, Postfinance undertakes to modify the data protection clause the next time it revises its general terms of business.

[July 2006]