
- S -


Safe Harbor Principles 

Safe Harbor Principles are a set of privacy and data protection principles that, together with a set of frequently asked questions (FAQs) providing guidance for the implementation of the principles, have been considered by the European Commission to provide an adequate level of protection.

These principles were issued by the Government of the United States on 21 July 2000.

US organisations can claim that they comply with this framework. They should publicly disclose their privacy policies and be subject to the jurisdiction of the Federal Trade Commission (FTC) - under Section 5 of the Federal Trade Commission Act which prohibits unfair or deceptive acts or practices in or affecting commerce - or to the jurisdiction of another statutory body that will ensure compliance with the principles implemented in accordance with the FAQs.

See also: Adequacy decision

Sensitive data 

Sensitive data include data "revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life" (Article 10 of Regulation 45/2001; Article 8 of Directive 95/46/EC).

The processing of such information is in principle prohibited, except in specific circumstances. It is possible to process sensitive data for instance if the processing is necessary for the purpose of medical diagnosis, or with specific safeguards in the field of employment law, or with explicit consent of the data subject.

Schengen Information System (SIS) 

The Schengen Information System (SIS) is a large-scale IT system linked to the abolition of internal border controls of the Schengen territory (most of the EU territory plus a few other countries).

The SIS will be replaced by SIS II in order to allow the connection of more countries and to provide new functionalities (see EDPS Opinion on the establishment of SIS II (pdf)).

The SIS contains information on objects (stolen cars, identity documents, etc.), as well as on persons. Personal information may be recorded in the SIS on:

  • third-state nationals who are banned from entry to Schengen territory;
  • people wanted in relation to criminal proceedings or people under police surveillance;
  • missing people who should be placed under protection, in particular minors.

The data protection supervision of the system is ensured at national level by data protection authorities and, at European level, by the Schengen Joint Supervisory Authority or “JSA”.

The EDPS will replace the JSA at European level when the SIS II comes into operation, probably in the course of 2009. 

Should you wish to access or rectify your data in the SIS, it is advisable to contact a data protection authority in one of the Schengen countries. Details of the relevant data protection authorities - who can either give you access themselves or tell you where to apply - are available on the JSA website.

Standard contractual clauses 

Standard contractual clauses are legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries.

The European Commission has adopted three Decisions declaring Standard Contractual Clauses to be adequate, and therefore, companies can incorporate the clauses into a transfer contract.

In principle no authorisation is required from data protection authorities to be allowed to use these clauses. A formal notification to the authority might nevertheless be necessary.

SWIFT 

SWIFT ("Society for Worldwide Interbank Financial Telecommunication") is a worldwide financial messaging service which facilitates international money transfers.

Following the terrorist attacks of 11 September 2001, the United States Department of the Treasury served administrative subpoenas requiring SWIFT to transfer personal data held on its United States server in order to identify, track and pursue those who provide financial support for terrorist activity.

After press reports revealed this transfer of personal data, which also involved banking data of European citizens, European data protection authorities found several breaches of the fundamental data protection principles, in particular relating to transfers of personal data to third countries (see Article 29 WP opinion 10/2006). Also, the EDPS adopted an opinion focusing on the role of the European Central Bank (see EDPS opinion).

Following these findings, many improvements were put in place in order to ensure full compliance with data protection legislation: SWIFT adhered to the Safe Harbor; the US Treasury provided clarifications and assurances concerning access and processing of SWIFT data; SWIFT announced important changes in the architecture of its payment services, ensuring that intra-European messages remain in Europe and are no longer mirrored in the United States.

See also: Safe Harbor and TFTP

Security breach

A breach of security occurs where a stated organisational policy or legal requirement regarding information security has been violated. However, every incident which suggests that the confidentiality, integrity or availability of the information has been compromised can be considered a security incident. Every security breach begins as a security incident, which may become a breach only if confirmed.
