It aligns with (and in some cases exceeds) the main requirements of applicable laws and regulations.
This Policy is also aligned with other specific policies of beIN relating to the collection and use of information of Personal Data implemented by each beIN entity to cover the specific Personal Data Processing purposes needed for the day to day activity (e.g. cookies policy, specific local policies such as employee’s privacy policies, job applicants’ privacy policies, information notices for customers or suppliers).
The scope of this Policy as detailed below is the Processing of Personal Data carried out by beIN or on its behalf, including the Personal Data of minors.
1.1 The Policy covers all Personal Data in any form, including but not limited to electronic data, paper documents and disks and all types of Processing, whether manual or automated that is under beIN’s possession or control, in all geographic areas where beIN operates. This will include information held about beIN members, partners, employees, consultants, clients, consumers, suppliers, business contacts and any Third Parties, etc.
1.2 We particularly care about minors’ protection and have implemented certain additional measures to control and/or prevent the Processing of minors’ Personal Data. Therefore, we do not Process Personal Data from children without (i) checking their age (or digital age) which may vary from a country to another and (ii) obtaining their Consent and, where required, their guardian’s Consent if they do not have the minimum age required to provide their Personal Data to us.
You will find below the definitions of key concepts referred to in this Policy.
2.1 beIN shall mean the holding company beIN Media Group (registered in Qatar under the number 63799) and/or, as applicable, each or all the various beIN affiliates which are part of the beIN Media Group.
2.2 Third Party shall mean a third party or business partner who receives from beIN or who is otherwise entrusted with Personal Data on behalf of beIN, for example suppliers, contractors, sub-contractors and other service providers.
2.3 Data Subject shall mean an identified or identifiable person whose Personal Data is being Processed by beIN.
2.4 Consent shall mean any freely given specific and informed indication of the Data Subject’s agreement to the Processing of their Personal Data.
2.5 Personal Data shall mean any information capable of identifying a natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link.
2.6 Process(ed) / Processing shall mean any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, but not limited to, collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction (and Process shall be interpreted accordingly).
2.7 Sensitive Data or Special Category of Data, which include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, and Personal Data relating to criminal convictions and offences are a subset of Personal Data, which due to their nature have been classified by law or by an applicable policy as deserving additional privacy and security protections.
- How do we ensure the lawfulness, fairness and transparency of our Personal Data Processing?
Personal Data is Processed on the basis of legal grounds with the informed knowledge of the Data Subjects.
3.1 We will only use Personal Data:
- if necessary to perform a contract with relevant Data Subject (e.g. our employees, contractors, clients, suppliers etc.); or
- if required to comply with a legal obligation; or
- where we have a legitimate business need or a legitimate business reason to use Personal Data as part of our business activities (e.g. when carrying out Processing to better know our clients’; or
- where we have the Data Subject’s Consent when it is specifically required. For instance, where required by law (e.g. Consent is generally required – except in certain circumstances – to send marketing information through electronic communication means) or by applicable policy, beIN may need to obtain the Consent of Data Subjects in order to collect, use, retain and disclose their Personal Data. This may also be the case where no other valid grounds described above is applicable, to the extent permitted under applicable law.
3.2 We consider that it is important to assess the privacy risks before we collect, use, retain or disclose Personal Data, such as in a new system or as part of a project.
3.3 beIN will only Process Personal Data in the way described in its specific privacy notices or privacy policies and, where applicable, in accordance with any Consent we have obtained from the Data Subject.
3.4 beIN will not carry out profiling activities based on automated decision making, unless legally grounded on a requirement of applicable law or the performance of a contract or the Data Subject’s Consent and provided that suitable safeguards are implemented to protect the Data Subjects rights.
3.6 Where legally required, we will ensure that Data Subjects are provided with relevant information, concerning the Processing of their Personal Data, unless there is an impossibility to provide such information or if it requires disproportionate efforts to provide such information. Such information will notably include, the purposes of the Personal Data Processing, the types of Personal Data collected (if the Personal Data have not been obtained directly from the Data Subject), the categories of recipients, the list of rights which may be exercised by the Data Subjects, the consequences of a failure to reply, the conditions of the transfer of Personal Data outside EU, if any, and the mechanism used to protect the Personal Data in the event of a transfer, etc. This requirement may be satisfied by issuing a privacy notice to Data Subjects at the point where Personal Data are originally collected from them. Privacy notices shall be written in language which provides Data Subjects with a clear understanding as to how their Personal Data will be used.
- 4. How do we Process Personal Data for specific and legitimate purpose and verify that Personal Data is minimized and accurate?
Personal Data will only be collected and Processed for legitimate purposes, complying with the Personal Data minimization principle and ensuring the accuracy of the Personal Data Processed.
4.1 Personal Data will be collected for specified, explicit and legitimate purposes (which could be multiple) and not further Processed in a manner that is incompatible with those purposes.
4.2 We carefully evaluate and define the purposes of the Personal Data Processing before launching a project (e.g. management of HR data, management of recruitment data, payroll purposes, accounting and financial management, risk management, management of employees’ safety, allocation of IT tools and any other digital solutions or collaborative platforms, IT support management, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering and anti-bribery obligations or any other legal requirements, data analytics operations, implementation of compliance processes, management of mergers and acquisition, etc.).
4.3 We will ensure that the Personal Data we collect are relevant, adequate and not excessive in relation to the purpose of the Personal Data Processing and its eventual use (insights, marketing, promotions, etc.). This means that only necessary and relevant information for the purpose sought can be collected and Processed.
4.4 When collecting Sensitive Data or Personal Data relating to criminal convictions and offences, proportionality is fundamental and more strictly construed. We do not collect Sensitive Data or Personal Data relating to criminal convictions and offences, unless required by applicable law or when allowed by applicable law with the Data Subject’s prior express Consent.
4.5 Every reasonable step will be taken to ensure that Personal Data are maintained in an appropriately accurate and up-to-date form at every step of Personal Data Processing (i.e. collect, transfer, storage and retrieval).
4.6 We encourage the Data Subjects to help us to ensure their Personal Data is up to date by exercising their rights notably of access and rectification (for more information on Data Subjects rights, see Section 7 below).
- What Security measures are implemented?
As employees, customers, suppliers, consumers and business partners put their trust in beIN when they communicate to us their Personal Data, beIN takes appropriate measures to ensure the security of the Personal Data it Processes.
5.1 We protect any Personal Data collected, used, retained and disclosed to support our business activities by following the relevant usage, technical and organizational policies, standards and processes.
5.2 Industry standard technical and organizational measures are implemented to prevent accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access, or any other unlawful or unauthorized forms of Processing.
5.3 Where Processing is to be carried out on behalf of beIN, it will select service providers providing sufficient guarantees (including by implementing technical and organizational measures) to carry out a Personal Data Processing that meet the requirements of applicable data protection laws and ensure the protection of the Data Subjects’ rights.
5.4 beIN endeavors to take reasonable measures based on Privacy by design and Privacy by default as appropriate to implement necessary safeguards when carrying out Personal Data Processing. beIN will thus implement technical and organizational measures, at the earliest stages of the design of the Processing operations, in such a way that safeguards privacy and data protection principles and rights from the start (‘Privacy by design’). By default, beIN should ensure that Personal Data is Processed with privacy protection (for example only the data necessary should be Processed, short storage period, limited accessibility) so that by default Personal Data is not made accessible to an indefinite number of persons (‘Privacy by default’).
5.5 When a type of Personal Data Processing is likely to result in a high risk to the rights and freedoms of Data Subjects, we will carry out a privacy impact assessment prior to its implementation.
5.7 Further information on the Information security measures are described in beIN Information Security Policies, Standards and programs which are designed to protect the confidentiality, integrity and availability of Personal Data and information stored and processed in beIN environment.
- For how long do we keep your Personal Data?
Personal Data is kept, as a maximum, only for the period necessary for the purpose of the Processing in accordance with beIN applicable retention policy.
6.1 Any person handling Personal Data for beIN will keep it only for as long as it is necessary for the purpose for which it has been collected and Processed (and other compatible purposes) which may include:
- to meet or support a business activity; or
- to comply with a legal or regulatory requirement and comply with applicable statute of limitation requirements;
- to defend against legal or contractual actions (in which case, the Personal Data may be retained until the end of the corresponding statute of limitation or in accordance with any applicable litigation hold policies).
6.2 Personal Data is retained and destroyed in a manner consistent with applicable law and in accordance with beIN’s applicable retention policy.
- What are your rights, as Data Subject?
We are receptive to queries or requests made by Data Subjects in connection with their Personal Data and, where required by law, we provide Data Subjects with the ability to access, correct, restrict and erase their Personal Data. We also allow them to oppose in certain circumstances the Processing of their Personal Data, and to exercise their right to portability.
7.1 Access right: we will provide access to all Personal Data related to a Data Subject as required by law, to the purposes of the Processing, categories of Personal Data Processed, categories of recipients, data retention term, rights to rectify, delete or restrict the data accessed, if applicable, etc.
7.2 Right to portability: we may also provide a copy of any Personal Data that we hold in our records in a format compatible and structured to allow the exercise of right to data portability, to the extent it is relevant under applicable law.
7.3 Right to rectification: Data Subjects can request to correct, amend, erase, any information which is incomplete, out of date or inaccurate as set forth by applicable law.
7.4 Right to erasure: Data Subjects can request the deletion of their Personal Data (i) if such Personal Data is no longer necessary for the purpose of the Personal Data Processing, (ii) the Data Subject withdraws their Consent to the Personal Data Processing based exclusively on such Consent, (iii) the Data Subject objects to the Personal Data Processing, (iv) the Personal Data Processing is unlawful, (v) the Personal Data must be erased to comply with a legal obligation applicable to beIN. beIN will take reasonable steps to inform the other entities of beIN of such erasure.
7.5 Right to restriction: Data Subjects can request the restriction of the Processing of their Personal Data (i) in the event the accuracy of the Personal Data is contested by a Data Subject, for a period of time enabling beIN to check such accuracy, (ii) if the Data Subject wishes to restrict the Personal Data rather than deleting it despite the fact that the Processing is unlawful, (iii) if the Data Subject wishes beIN to keep the Personal Data because they need it for their defense in the context of legal claims, (iv) if the Data Subject has objected to the Processing but beIN conducts verification to check whether it has legitimate grounds for such Processing which may override the Data Subject’s own rights.
7.6 Right to withdraw their Consent: when the Personal Data Processing is based on Data Subject’s Consent, Data Subject may withdraw such Consent at any moment, without affecting the lawfulness of Processing based on Consent before its withdrawal.
7.7 Right to object: Data Subject can also indicate their objection to the Processing of their Personal Data at any time (i) when used for marketing purposes or profiling to send targeted advertising, or (ii) to object to the sharing of their Personal Data with Third Parties or within the entities of beIN , or (iii) when the Processing is based on beIN’s legitimate interest, unless beIN demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims.
Data Subject has also the right to lodge a complaint with the competent supervisory authority.
- When and how do we disclose your Personal Data to Third Parties?
Personal Data is only disclosed outside beIN where there is an overarching legal justification to do this.
8.1 Disclosure is made on a strictly limited ‘need to know’ basis where there is clear justification for transferring Personal Data – either because the Data Subject has consented to the transfer or because disclosure is required to perform a contract to which the Data Subject is a party, or for a legitimate purpose that does not infringe the Data Subject’s fundamental rights, including the right to privacy (e.g. sharing in the context of a merger and acquisition operation etc.).
8.2 In each case, the Data Subject will be aware (for instance, through an information notice) that the disclosure is likely to take place.
8.3 Assurances will also be sought from the recipient that they will only use the Personal Data for legitimate / authorized purposes and keep it secure.
8.4 If a particular disclosure is required to meet a legal obligation (for example to a government agency or police force / security service) or in connection with legal proceedings, generally the Personal Data may be provided so long as the disclosure is limited to that which is legally required and, if permitted by law, the Data Subject has been made aware of the situation (i.e. the Data Subject was told of the possibility of such an event in a Consent or is notified at the time of the request for disclosure).
- How are international transfers of Personal Data from EU protected?
Personal Data originating from those beIN entities operating within the EU will not be transferred outside the EU to a third country which does not ensure an adequate level of protection unless appropriate safeguards are implemented in accordance with applicable laws.
9.1 International Personal Data transfer is a very sensitive topic which beIN takes seriously in the case of any proposed transfer of Personal Data from its EEA or United Kingdom country of origin to another non EEA country or outside the United Kingdom, whether such transfer is done for technical purposes (storage, hosting, technical support, maintenance etc.) or the main purposes (HR management, clients’ database management, etc.).
9.2 We never carry out international transfers of Personal Data from a EEA country or the United Kingdom to another non EEA country or outside the United Kingdom without ensuring that appropriate transfer mechanisms as required by applicable data protection laws are in place, to ensure adequate protection of the data when transferred (e.g. adequacy decision, signature of EU Commission model clauses as appropriate, etc.). In some cases, we may also have to notify or gain pre-approval from the relevant privacy regulator prior to the transfer taking place.
- How do we handle complaints?
To exercise any of your rights, or if you have any complaints or questions regarding the processing of Personal Data by beIN, please refer to the contacts below.
10.1 beIN is committed to resolving the legitimate privacy issues of its staff, clients and other contacts.
10.3 Data Subjects may complain about privacy issues by writing an email to:
– In connection to clients or any other contact: the Privacy Department at the following email address : DPO@bein.com;
– In connection to beIN employees: the relevant HR contact in the country where she/he is located and report the matter.
They may, when applicable, file a complaint with a supervisory authority. In particular, this shall be expressly specified in the privacy notices communicated to and/or accessible by Data Subjects.
* * *