Data Protection Policy
This Data Protection Policy has been drafted in English and has been translated into other languages. In the event of any discrepancy between the English and the translated texts, the English text shall prevail and be used to solve doubts of interpretation.
Date of issue of this Data Protection Policy: May 2020
Data Processing
The data controller for the BKMS® Incident Reporting is FIFA. The BKMS® Incident Reporting is operated by Business Keeper GmbH, Bayreuther Str. 35, 10789 Berlin, Germany, as a data processor. Personal data and information entered into the BKMS® Incident Reporting will be stored in a database operated by Business Keeper GmbH in a high-security computer centre. Only FIFA can access the data. Business Keeper GmbH and other third parties have no access to the data. This is guaranteed in the certified procedure by comprehensive technical and organisational measures. Furthermore, all data is encrypted and stored under multi-level password protection, so that access is restricted to authorised persons of FIFA.
The collection of information and how FIFA uses it
Please note that the use of the BKMS® Incident Reporting is voluntary. If you wish to submit a report via the BKMS® Incident Reporting, FIFA collects the following categories of personal data and information:
- Your name, provided you disclose your identity; and
- If applicable, names of persons as well as other personal data of the persons you name in the report.
FIFA will use this information for:
- Examination and assessment of the reports; and
- Clarification of further queries.
Personal data is only kept for as long as required for the clarification and the final assessment. After completion of the processing, the personal data is deleted according to any applicable retention periods.
The European Privacy Seal (EuroPriSe) certifies conformity with European data protection law. In a multi-stage evaluation and certification process by independent IT and legal experts, the data protection conformity of the BKMS® Incident Reporting was compared against the applicable, publicly viewable criteria based on the EU General Data Protection Regulation (EU GDPR). Within the scope of the certification process, the technical and organisational measures for data security and data protection were deemed to have exceeded legal requirements. The seal is valid for two years and includes regular monitoring at intervals of eight months. Since the initial certification in 2013, the BKMS® Incident Reporting has been successfully recertified every two years. This included evaluation of new developments in the BKMS® Incident Reporting by the independent IT and legal experts as well as the EuroPriSe certification body. The BKMS® Incident Reporting is the first whistleblowing system in the world to be certified according to the strict EuroPriSe criteria.
Information Sharing and Disclosure
FIFA may send information about you to third parties when:
- We respond to subpoenas, court orders or legal process; or
- We believe it is necessary, as determined in our sole discretion, to investigate, prevent, or take action regarding illegal activities, suspected fraud, emergency situations involving potential threats to the physical safety of any person, violations of our Terms of Service (located at www.fifa.com/legal/terms-of-service), or as otherwise required by law.
Security
The communication between your computer and the BKMS® Incident Reporting takes place via an encrypted connection (SSL). The IP address of your computer will not be saved while using the portal. To maintain the connection between your computer and the BKMS® Incident Reporting a cookie is stored on your computer, which only contains the session ID. The cookie is only valid until the end of your session and becomes invalid when closing the browser.
The information security management system (ISMS) of Business Keeper GmbH has been certified according to ISO 27001. The scope of the certification covers the secure operation of the BKMS® Compliance System. Special attention was paid to secure software development as well as high availability in the operation of the BKMS® Compliance System. The BKMS® Compliance System therefore verifiably satisfies higher standards for data security than systems of other providers, which generally only obtain ISO 27001 certification for the ISMS of the high-security data centre.
The internationally established standard ISO 27001 specifies requirements for a comprehensive information security management system in organisations that is intended to ensure the availability, integrity and confidentiality of information. The process begins with an analysis of potential threats to IT systems and information. This is followed by the definition and implementation of the necessary technical and organisational security measures. The established security measures for maintaining and continually improving the IT security of the organisation are regularly evaluated and updated.
Your rights as data subject
You have the following rights under the Swiss Data Protection Act (DPA) and the European General Data Protection Regulation (GDPR), which this Data Protection Policy has been designed to uphold:
- The right to be informed about the collection and use of information;
- The right of access to the information we hold about you;
- The right to rectification if any information we hold about you is inaccurate or incomplete;
- The right to erasure, i.e. the right to ask us to delete any personal data we hold about you (we only hold your personal data for a limited time, but if you would like us to delete it sooner, please contact us);
- The right to restrict (i.e. prevent) the processing of your personal data;
- The right to data portability (obtaining a copy of your information); and
- The right to object to the processing for particular purposes.
Do not hesitate to contact us via dataprotection@fifa.org in case you have any queries related to your personal data. We may require you to provide verification of your identity. If we are unable to help, you also have the right to file a complaint with the applicable data protection authorities (https://www.edoeb.admin.ch/edoeb/de/home.html; https://www.datenschutz-berlin.de/). Please note that in certain circumstances we may withhold access to your information where we have the right to do so under applicable data protection legislation.
Changes to this Data Protection Policy
This Data Protection Policy may be amended from time to time. If we amend this Data Protection Policy, any changes will be immediately posted on this platform.
Contact
If you have any questions about this Data Protection Policy, please contact us by email at dataprotection@fifa.org or by post to Fédération Internationale de Football Association (FIFA), FIFA-Strasse 20, 8044 Zurich, Switzerland. FIFA’s representative in the EU may be contacted as follows: VGS Datenschutzpartner UG, Am Kaiserkai 69, 20457 Hamburg, Germany.
Jurisdiction and applicable law
This Data Protection Policy and all matters arising out of or related to this Data Protection Policy shall be governed by the substantive laws of Switzerland, without regard to conflicts of laws and principles thereof.
Any controversy, claim or dispute between you and FIFA arising out of or relating to this Data Protection Policy shall be subject to the exclusive jurisdiction of the competent Courts of the City of Zurich 1, and each party hereby irrevocably consents to the jurisdiction and venue of such Court.