PRIVACY STATEMENT
As the controller within the meaning the European General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”), DFL Deutsche Fußball Liga GmbH, Guiollettstrasse 44-46, 60325 Frankfurt am Main, Germany, (“the DFL”) collects, processes and uses personal data that is collected and stored during visits to and use of the websites www.bundesliga.de and www.bundesliga.com (hereinafter collectively the “Website”), in compliance with the data privacy regulations applicable in the Federal Republic of Germany, particularly the GDPR and the BDSG. This Privacy Statement sets out which personal data regarding visitors to the website (hereinafter: “Users”) is collected and how this data is processed.
1. Data collection and processing during visits to the Website
Every time a User accesses the Website, the User’s web browser automatically transfers the following data to the DFL’s web server for technical reasons:
- IP address of the requesting device
- Date and time of access
- Name and URL of the page accessed
- Quantity of data transferred
- Access status (file transferred, file not found etc.)
- Identification data of the browser and operating system used on the User’s device
- Name of the User’s internet service provider
- Website from which the access takes place
The collection, processing and use of this data occur for the purposes of enabling the use of the Website (establishing a connection), system security and the technical administration of the network infrastructure. The data will not be compared with other sets of data or passed on to third parties either in whole or in part.
The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The DFL’s legitimate interest is based on the aim of providing the Users a secure and functioning Website.
Additional reference is made to Clause 5 with regard to the collection and processing of data for analysing the use of the Website and its content as well as the optimisation of the Website through web analytical services.
2. Data collection and processing in the context of services offered on the Website
A Bundesliga account enables access to digital products from the DFL and/or individual services offered therein (e.g. Official Bundesliga Fantasy Manager, Bundesliga Newsletter) as well as to content (e.g. certain editorial content) that is only accessible to registered users. A registration of a Bundesliga account or any other subscription (e.g. newsletter subscription) includes the entry of personal data (name, e-mail address, country of residence, etc.) by the User.
The collection and processing of this personal data takes place exclusively for the purpose of being able to offer the User the desired information and services and is carried out only in the manner and to the extent which the User has expressly consented to in advance.
Apart from this, any further use of this personal data for the purpose of delivering additional offers for products or services, particularly by the cooperation partners of the DFL, takes place only if the User has expressly consented to this beforehand. The User can revoke this consent at any time with future effect.
The basic principles of data processing for the services subject to registration are explained in the following:
2.1 Registration and login
Insofar as a Bundesliga account is required for the usage of digital products and/or individual services or content offered therein, the DFL uses the customer identity management platform provided by Okta, Inc., 101 1st Street, San Francisco, CA 94105, USA, (“Okta”) for such registrations and the associated login.
During registration of a Bundesliga account, the DFL asks the Users for the following data:
- Full name
- E-mail address
- Country
- Favourite club(s) (optional)
- Date of birth (optional)
- Password
Okta stores and manages this data in Germany, but in some cases relies on international support teams from Australia, Canada, Singapore, and Japan as well as the US in the context of support requests. Insofar as a level of data protection comparable to the EU is not available in these countries and the possibility of security agencies accessing stored personal data exists, particularly in the US, Okta secures this data transfer by means of EU standard contract clauses. Further information can be found in Okta’s privacy policy.
In order to provide the User with the best possible use of his/her Bundesliga account and the services he/she can access through it, information for the login and the display of his/her profile is encrypted in a token provided by Okta (JSON Web Token) locally in the browser they use, in what is known as local storage. As soon as the User logs out, the token is deleted; if the “Keep me logged in” function is used (see Clause 2.3), this takes place after the session expires (by logging out or deleting the browser history or cache), after 14 days of inactivity or, at the latest, after six months. The User will find further information on local storage at the following link.
Okta also assigns each User a randomly generated Okta ID, which is linked to the User’s Bundesliga account and enables the Bundesliga account and the associated registration and usage data to be matched across products.
This data will be used for the operation and management of the services subject to registration and to establish, implement, or terminate the underlying agreement with the User on participation in the service(s) he/she has selected. The legal basis for processing is Art. 6 para. 1 sentence 1 a) GDPR, provided the User has given his/her consent to the processing (which can be revoked with future effect at any time), and Art. 6 para. 1 sentence 1 b) GDPR.
Insofar as the User has agreed to the use of Amplitude by accepting marketing and analysis cookies, by means of a customer data platform, the Okta ID and the other registration and usage data associated with a Bundesliga account will also be combined with the data collected in accordance with Clause 3.1.1, analysed and used to show the User tailored content and marketing in order to improve and personalise the user experience (for further details see Clause 3.2).
2.2 Social logins
The social login function, which is also provided via Okta (see Clause 2.1), allows the User to register for services on the Website using his/her social media account with Facebook, Google or Apple. If the User chooses to use one of these social logins, the relevant social media provider will establish the User’s identity and transfer the data about the User outlined below to the DFL.
No usage data (pages visited, fields activated) is transferred to the respective provider, since the DFL has implemented the social logins using OAuth (Open Authorization).
The legal basis for the transmission of data is the User’s consent according to Art. 6 para. 1 sentence 1 a) GDPR, which the User grants by choosing to use a social login. The User can revoke this consent at any time with future effect. The DFL will then process the transferred data for the purposes of establishing, implementing, and terminating the user agreement in accordance with Art. 6 para. 1 sentence 1 b) GDPR.
The following privacy information regarding data transfer apply to social logins; see also Clause 6 on sharing content and Clause 8 for the official social media accounts of the Bundesliga.
2.2.1 Facebook
If the User logs in via Facebook, the following types of data transmission from Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (“Facebook”) to the DFL will be initiated:
- The transmission of certain information from the User’s Facebook account to the DFL with the consequence that in addition to the usage data outlined in this Privacy Statement (e.g. IP address), the following information will be transmitted to the DFL:
- Profile picture
- Full name, as well as
- E-mail address
IF THE USER DOES NOT WISH DATA TO BE SYNCHRONISED IN THIS WAY, THE USER MUST USE ONE OF THE OTHER AVAILABLE LOGIN OPTIONS.
2.2.2 Google
If the User logs in via Google, the following types of data transmission from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) to the DFL will be initiated:
- The transmission of certain information from the User’s Google account to the DFL with the consequence that in addition to the usage data outlined in this Privacy Statement (e.g. IP address), the following information will be transmitted to the DFL:
- Profile picture
- Full name, as well as
- E-mail address
IF THE USER DOES NOT WISH DATA TO BE SYNCHRONISED IN THIS WAY, THE USER MUST USE ONE OF THE OTHER AVAILABLE LOGIN OPTIONS.
2.2.3 Apple
If the User logs in via Apple, the following types of data transmission from Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA, (“Apple”) to the DFL will be initiated:
- The transmission of certain information from the User’s Apple account to the DFL with the consequence that in addition to the usage data outlined in this Privacy Statement (e.g. IP address), the following information will be transmitted to the DFL:
- Full name, as well as
- E-mail address
IF THE USER DOES NOT WISH DATA TO BE SYNCHRONISED IN THIS WAY, THE USER MUST USE ONE OF THE OTHER AVAILABLE LOGIN OPTIONS.
2.3 “Keep me logged in” function
If the User selects the “Keep me logged in” function when logging in, the User’s login details (e-mail address and password) will be saved. The User will only need to log in again once the session has expired (because the User has logged out, deleted his/her browser history, or cleared his/her cache), after 14 days of inactivity, or after six months at the latest. To prevent unauthorised account access, the User should not choose this function on any device also used by other individuals. If the User does not select this function, the User will be logged out automatically after three hours of inactivity or after 24 hours at the latest.
The information regarding whether the User has used the “Keep me logged in” function is stored locally in the User’s browser using the okta-cash-storage and okta-token-storage keys and through the use of cookies (see Cookie Policy for details) and is deleted as soon as the User is required to log in again in accordance with the time periods specified above. More information can be found via the following link.
2.4 Special provisions for individual services subject to registration
2.4.1 Newsletter
The User is given the option of subscribing to newsletters of the DFL (Bundesliga Newsletter and Game Updates) on the Website.
If the User chooses to subscribe during the registration of a Bundesliga account (see Clause 2.1), the registration for the subscription is processed via Okta. If the Bundesliga Newsletter is subscribed to separately, the DFL uses the service of Mapp Digital Germany GmbH (Germany) for this; the same generally applies for the dispatch of newsletters and the associated management of User data.
The DFL will place what is known as a tracking pixel in the HTML code of the respective newsletter and assign a user ID to the User to determine the time at which the respective newsletter was opened and which links or functions were activated from that newsletter. This tracking takes place for the purpose of internal optimisation of the respective newsletter. This data will not be passed on.
The legal basis for this data processing is Art. 6 para. 1 sentence 1 a) GDPR. If the User does not want this tracking to take place, he/she can unsubscribe from the respective newsletter (e.g. via the unsubscribe link in each newsletter or through the account settings).
2.4.2 Official Fantasy Manager
The User agrees that in the event that he/she wins, the DFL may, at its discretion, publish the User’s first name, the first letter of the User’s surname and the User’s country of residence through the official DFL tele media and/or social media accounts, while the User’s first name and the first letter of the User’s surname will also be made publicly accessible on the Official Fantasy Manager rankings, on the Website. Processing for this purpose is permitted on the basis of the User's consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR and the User may revoke this consent at any time with future effect.
2.4.3 Newsletters from partners and licensees
If the User has declared consent for this, the DFL will transfer his/her data (salutation, full name, e-mail address, and country, as well as time and date stamp of the registration and its confirmation via “double opt-in”) to TIPICO Services Ltd. (‘Tipico’) so that Tipico can provide the User with information on products and other services via e-mail. The DFL only provides Tipico with the data of Users who have voluntarily entered their date of birth during registration and for whom this data indicates that they have reached the age of 18 years.
The DFL has no further knowledge in regard to how Tipico processes this data, and refers to the Tipico privacy policy.
The legal basis for this data processing is Art. 6 para. 1 sentence 1 a) GDPR. The User can revoke such consent with future effect at any time (e.g. by clicking the “Unsubscribe” link in the newsletter in question or by contacting Tipico directly via the contact details specified in the imprint).
2.5 Friendly Captcha (anti-bot/spam protection)
To ensure adequate data security in the submission of forms, the DFL has incorporated Friendly Captcha, a service from Friendly Captcha GmbH, into its registration process. Friendly Captcha is used to check whether inputs are being carried out by a real person or whether the system is being abused by automated processes.
In connection with this, the DFL has integrated Friendly Captcha code allowing a User's device to connect to the Friendly Captcha servers so that Friendly Captcha can send a mathematical problem. The User's device will solve the problem by using certain system resources and send the solution back to the DFL server. The latter will then contact the Friendly Captcha server via an interface and receive an answer telling it whether the device has correctly solved the puzzle. Depending on the outcome, the DFL can apply security rules to requests and thus either process them or deny them, for example.
Overall, the following technical information is processed: HTTP request header data (particularly User-Agent, Origin and Referer), date/time of request, version of widget used, DFL customer account ID, hash value (one-way encryption) of the IP address, number of requests from the (hashed) IP address per period, answer to the mathematical problem solved by the User's device. All this information is used exclusively for the aforementioned purpose of protection against spam and bots. Friendly Captcha does not store or read cookies on the User's device. IP addresses are stored only in hashed (one-way-encrypted) form and do not enable the DFL or Friendly Captcha to identify individuals. Further information on privacy can be found here.
The legal basis for this processing is Art. 6 para. 1 sentence 1 f) GDPR, according to which the DFL's legitimate interest in the processing is protecting the Website against unauthorised access by bots and thus against spam and attacks (e.g. those that flood the system with requests).
3. Data collection and processing in the context of web analysis
3.1 Analysis of the use of the Website and its content
3.1.1 Web analysis with Amplitude
The DFL uses Amplitude, an analytical service provided by Amplitude, Inc., 201 3rd Street, Suite 200, San Francisco, CA 94103 (USA) (“Amplitude”), on the Website. Google Analytics uses cookies. More details about the cookies used can be found in the Cookie Policy.
Amplitude collects and stores the following data:
- Pseudonymised visitor ID
- Website accessed
- Sub-pages which are accessed from the accessed Website
- Time spent on individual pages of the Website
- Frequency and timing of the access of individual pages of the Website
- Interactions with the Website, such using buttons or watching videos
- Geolocation information based on the IP address (country, region, town or city)
- Device-related information (e.g. device type, model, operating system, type and version of the browser used, and selected language)
In addition to cookies, Amplitude stores certain data (e.g. online and offline events) in the local storage of the browser used. Online events are temporarily saved and deleted after successful upload to Amplitude. If the User carries out events offline, up to a maximum of 1,000 events can be saved in the local storage. If this number is exceeded, older events are deleted. Every failed event is saved for a new attempt. You will find further information on local storage at the following link.
Amplitude will use all this information on behalf of the DFL to evaluate the use of the Website and its content by Users, compile reports on Website activities and provide the DFL with additional services relating to Website and internet usage. Amplitude also uses artificial intelligence and machine learning to recognise patterns and predict future behaviour. The DFL will use the analyses to optimise and further develop the Website and its content.
In addition, the DFL will, by means of a customer data platform, combine the above data with the Okta ID and the other registration and usage data associated with a Bundesliga account, analyse this data and use it to show the User tailored content and marketing in order to improve and personalise the user experience (for further details see Clause 2.1 and Clause 3.2).
Amplitude stores and manages the information generated in Germany but may refer some support queries to international support teams in Canada, Singapore, the USA and the United Kingdom. Insofar as any of these countries does not have the same level of data privacy as the EU Amplitude safeguards this transfer of data by means of EU standard contractual clauses. Further information can be found via the following link and in Amplitude’s privacy policy.
The User can also prevent such an analysis by declining the use of marketing and analysis cookies when initially accessing the Website or by later revoking his or her consent by declining in the cookie settings.
However, the DFL hereby informs the User that, in this case, it is possible that the User may not be able to use all functions of the Website to their fullest extent.
The legal basis for processing is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR. The User may revoke consent at any time (such as by opting out by changing the cookie settings), effective from that point onwards, without affecting the lawfulness of processing based on consent before its withdrawal.
3.1.2 Web analysis by Matomo
In addition, the DFL uses Matomo, an open-source analytics application developed by InnoCraft Ltd, New Zealand, (“Matomo”) to analyse use of the Website and its content. This application is installed locally on the DFL’s servers. The DFL uses the application without cookies, unless the User has agreed to the use of such cookies on the User’s device (further details on the cookies used can be found in the Cookie Policy).
Matomo collects and stores the following data:
- Two bytes of the IP address of the User’s system used to access the Website
- Website accessed
- Website from where the User arrived at the accessed web page (referrer)
- Sub-pages which are accessed from the accessed Website
- Time spent on the Website
- Frequency at which Website is accessed
If no cookies will be used, repeat users are identified by way of a config_id. This is a random character sequence that is calculated using the first two bytes of the IP address, the browser plugin, the operating system and the User’s selected browser language, and then hashed. The ID is deleted and a new one created after 24 hours so that the Website cannot reidentify the User when visiting again.
Using the IP2Location™ IP-Country-Region-City-ISP Database [DB4] features from Hexasoft Development Sdn Bhd, Malaysia, (“ip2location”) likewise installed locally on the DFL’s servers, additional geolocation information (country, region, town or city) is also collected and stored cumulatively on the basis of IP addresses.
Collection and processing take place only on the DFL’s servers. The data will not be passed on to Matomo or any other third parties.
Matomo and ip2location are set up to ensure that IP addresses are not stored in their entirety; instead, two bytes of each IP address are masked (e.g. 192.168.xxx.xxx). This renders it impossible to attribute the abbreviated IP address to the specific device used.
A User can prevent such an analysis by using the following opt-out. When the Privacy Statement with this opt-out is accessed, an iframe is loaded for the opt-out and a session cookie with the name “matomo_sessid” that checks whether the opt-out has already been activated is created inside this iframe.
[Opt-out]
However, the DFL hereby informs the User that in this case, it is possible that the User may not be able to use all functions of the Website to their fullest extent. If the User chooses to opt-out, an additional cookie with the name “matomo_ignore” and a lifetime of 30 years that prevents Matomo from storing incoming scripts from the Website is installed on the User’s device. In addition, the opt-out also results in the installation of a cookie (in addition) with the name “mtm_consent_removed” and a lifetime of 30 years that signals to the DFL’s system not to process or analyse the User’s data. If the User later clears the cookies on their device, these opt-out cookies will also be cleared and will need to be reinstalled.
Further information on privacy can be found in Matomo’s privacy policy.
The legal basis for this processing is Art. 6 para. 1 sentence 1 f) GDPR, whereby the DFL’s legitimate interest in the processing is the evaluation of Website data for the purpose of optimising it.
3.2 Combination and analysis of the User’s data via a customer data platform
Insofar as the User has agreed to the use of Amplitude by accepting marketing and analysis cookies, the DFL will combine the Okta ID and the other registration and usage data associated with the Bundesliga account (see Clause 2.1) with the data collected by Amplitude (see Clause 3.3.1) and analyse this data via a customer data platform. Because the Bundesliga account can be used across various products, the data contained on the customer data platform can also include data from other digital products from the DFL (e.g. Official Bundesliga App, Official Bundesliga Fantasy Manager App); for further details, see the privacy policy of the product in question.
The DFL uses the customer data platform provided by Tealium, Inc., 9605 Scranton Rd., Suite 600, San Diego, CA 92121, USA, (“Tealium”).
Tealium stores and manages this data in Germany but may refer some support queries to international support teams in Australia, Hong Kong, Japan, Singapore and the United Kingdom. Insofar as any of these countries does not have the same level of data privacy as the EU, Tealium safeguards these transfers of data by means of EU standard contractual clauses. Further information can be found in Tealium’s privacy policy.
By means of the data processed via the customer data platform, the DFL will show the User tailored content and marketing in order to improve and personalise the user experience.
Insofar as the User has consented to the collection of the analysis data used for this purpose, the legal basis is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR, which may be revoked at any time with future effect. The data is linked with other user information from the registration of the User’s Bundesliga account in order to safeguard the DFL’s legitimate interests in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL’s legitimate interest is to present Users with the most tailored offering possible. If Users do not wish their data to be linked in this way or be shown tailored content and marketing, they can change this in their account settings under “Profile” (personalized fan profile).
3.3 Web analysis for statistically analysing the speed of the Website
In addition, the DFL uses a plugin on the website from the performance analysis service provided by Instana Inc., 222 South Riverside Plaza, 15th Floor, Chicago, IL 60606, USA, (“Instana”) which enables it to collect statistical analyses of the speed of the Website. The application places cookies on the User’s device (further details on the cookies used can be found in the Cookie Policy).
When the User accesses a page of the Website which contains such a plugin, the User’s browser establishes a direct connection with the servers of Instana. As such, the DFL has no influence over the scope of the data which Instana collects using this plugin and thus hereby informs Users of its level of knowledge accordingly.
The integration of the plugin serves to provide Instana with the information that a User has accessed the corresponding page of the Website. If the User is logged into Instana, Instana can associate the visit to the Website with the User’s Instana account. If the User is not a member of Instana, however, the possibility still exists that Instana will learn and store the User’s IP address.
In addition to the configuration options for protecting the User’s privacy, the purpose and scope of data collection as well as information on the processing and use of the data by Instana can be found in the Instana privacy policy.
In addition to using servers in the European Economic Area, Instana also processes personal data on servers in the US. The US does not have a level of data protection comparable to the GDPR; in particular, US security agencies have extensive access to data stored in the US. Instana safeguards this data processing by adopting EU standard contract clauses.
If the User is a member with Instana and does not want Instana to collect information on them on the Website in order to associate it with their member data stored with Instana, the User must log out of Instana before visiting the Website.
The legal basis for this processing is Art. 6 para. 1 sentence 1 f) GDPR, whereby the DFL’s legitimate interest in the processing is the evaluation of Website data for the purpose of optimising it.
4. Google Ad Manager for showing online advertisements
The DFL uses Google Ad Manager from Google LLC (USA) (“Google”) to display online advertisements on the Website. This allows the DFL to show certain advertisements to the User. The DFL does not place personalised advertisements from third-party provider networks but only advertisements marketed directly by the DFL. Further information can be found via the following link and in Google’s privacy policy.
If the User gives his/her consent, the application will place cookies on the User’s device (further details on the cookies used can be found in the Cookie Policy). The legal basis for processing is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR. The User can revoke consent previously granted to the DFL in regard to cookie settings with future effect at any time.
5. Social media content
Some content that the DFL has published on its official social media accounts on Facebook, X, Instagram, and YouTube will be loaded on the Website. Cookies will be used in the process. Further information on the cookies used can be found in the Cookie Policy.
Further information on data processing by the providers can be found in the applicable privacy statements: Facebook, X, Instagram and YouTube (the DFL embeds content from the latter in privacy-enhanced mode; find out more here).
In regard to the sharing of Website content via social media services, see Clause 6.1; in regard to special provisions for the official social media accounts of the Bundesliga, see Clause 8.
6. Sharing content
The DFL provides users of the Website with the opportunity to share the Website’s content as described in the following section.
6.1 Using the Facebook, X (formerly: Twitter), and WhatsApp social media services
Users can share content from this Website on the social media services provided by Facebook, X (formerly: Twitter), and WhatsApp.
In order to prevent User data from being shared with these services without the User’s consent, the DFL offers only social sharing links on the Website. This ensures that no data will be transferred to third parties without the permission of the User. Only when the User activates the social media services by clicking the relevant icon, thereby consenting to connect with Facebook, X (formerly: Twitter) and WhatsApp, will a connection to the applicable service be established and the social sharing links created, and the User can then publish these links through the service. Further information on data processing by the providers can be found in the applicable privacy statements: Facebook, X and WhatsApp.
6.2 E-mail forwarding
The User can also share and recommend content from the Website via e-mail by clicking the relevant button. The DFL will not use, process or store in any way the recipient e-mail addresses that the User enters in the e-mail application that opens when he/she clicks the relevant icon.
6.3 Temporary storage
The User can also temporarily store links to content from the Website on his/her device and process them via services chosen by the User (e.g. sending them to his/her contacts).
7. Other online services and applications
7.1 Playing videos
The DFL embeds videos on the Website using “JW Player” software solution from Longtail Ad Solutions, Inc. (USA).
For legal reasons, the DFL is not permitted to make the videos shown on the Website available in certain countries. To ensure this, when the User selects a video, the User’s current location is transmitted to JW Player via the IP address of the User’s device in order to verify the authorisation to play the relevant video in the countries approved by the DFL. The IP address is used to check whether playing the video is permitted in the country in which the User’s device is currently located or whether this must be avoided for legal reasons. In the latter case, the User will be shown only a notice to that effect instead of the video. This information will remain intact only for the duration of this check on the device and will then be deleted; furthermore, it will not be stored or transferred to a back-end system. Apart from the User’s IP address, JW Player does not process any personal data, and it records only the video play counts.
The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of the DFL is based on compliance with the existing contractual agreements with its national and international licensees for the media rights to the matches of the Bundesliga and Bundesliga 2.
7.2 Information on broadcasters
Various parts of the Website (including the “Broadcasters” section) provide the User with the opportunity to find out which broadcaster will allow him/her to follow the Bundesliga live in the country in which he/she is currently located. In order to direct the User to the right broadcaster, the relevant country is determined based on the IP address of the User’s device. This information will then be stored locally as a default setting on the User’s device until the User visits the Website with an IP address from a different country or changes the setting manually. This information will not be transferred to the DFL’s servers or to any third parties.
The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of the DFL is based on informing the User of how he/she can watch Bundesliga matches live at his/her current location.
7.3 Feedback service
The DFL uses the feedback service “GetFeedback” from SurveyMonkey Europe UC (“SurveyMonkey”) to provide the Users with the opportunity to provide feedback on the Website and its functions and to participate in online surveys. The DFL uses the resultant feedback and surveys to improve the Website and its functions in line with User requests. When a User uses the feedback form or the feedback button or participates in an online survey, the User’s device will establish a direct link to Survey Monkey’s server and the information entered by the User (e.g. full name, e-mail address), the User’s IP address and other device-related information will be transferred. Further information can be found in the Survey Monkey privacy policy. The legal basis for processing is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR, which the User may revoke with future effect at any time.
7.4 Ticket system
The DFL uses the ticket system of Zendesk Inc. (USA) (“Zendesk”) to respond to enquiries that have been submitted as well as to process problems with the Website reported by Users. Information on how Zendesk processes data can be found in the Zendesk privacy policy.
Zendesk also processes User data in the USA, which does not have the same level of data privacy as the EU. In particular, in the USA, it is possible for security agencies to access personal data stored there to a considerable extent. Zendesk ensures security for this data transfer to the USA by means of its approved internal Zendesk Binding Corporate Rules in accordance with Art. 46 para. 2 b) GDPR. These were approved by the European Data Protection Supervisor on 19 May 2017 and are available online. Zendesk uses the EU’s standard contractual clauses as an additional safeguard.
The legal basis for processing is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR, granted when the User submits an enquiry or report, which the User may revoke with future effect at any time.
7.5 Online quizzes, surveys, and other interactive content
The DFL also uses a plugin developed by Apester Ltd. (Israel) (“Apester”) in order to create and offer online quizzes, surveys, and other interactive content. If a User participates in such online quizzes, surveys, or other interactive content, Apester can record certain information (e.g. IP addresses, device-related information) which could be classified as personal data under the legal provisions concerning data protection applicable in the Federal Republic of Germany. Further information on the collection and use of this information by Apester can be found in the Apester privacy policy[TL3] . The legal basis for this processing is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR, which the User may revoke with future effect at any time.
7.6 Calendar function
The DFL also uses the “calovo” service provided by calovo GmbH (Germany) in order to give Users the option to add individual or multiple matches of the clubs of the Bundesliga and Bundesliga 2 as well as the full Bundesliga and Bundesliga 2 schedules to their device’s calendar (e.g. via downloading the events, synchronisation, or downloading the calovo app). Further information can be found in the calovo GmbH privacy policy. The legal basis for this processing is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR, which the User may revoke with future effect at any time.
7.7 Bundesliga Bar Finder
The DFL uses Google Maps in connection with the Bundesliga Bar Finder. Google Maps automatically loads content from Google Fonts. This are services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) (“Google“). These services allows the DFL to display interactive maps directly on the Website and enables the User to interact with these maps. The additionally loaded content from Google Fonts helps to display the content in the best possible way for the User. The DFL has integrated Google Maps in such a way that the User must first activate the integration by clicking on the button “Allow google maps content”.
As soon as Google Maps is activated, information about the User’s use of the Website (such as the User’s IP address) is transmitted to Google servers and stored there. These servers may be in the USA. This occurs regardless of whether Google provides a user account through which the User is logged in or whether a user account exists. If the User is logged in to Google, however, his/her data may also be assigned to his/her account. If the User does not wish to have his/her data associated with his/her Google profile, the User may not activate Google Maps or the User must log out before activating it. Google stores the User’s data (even for users who are not logged in) as usage profiles and evaluates them; how exactly Google processes the data is not fully verifiable for the DFL.
The use of Google Maps and Google Fonts is justified by the User’s consent granted by clicking on the corresponding button in accordance with Art. 6 para. 1 sentence 1 a) GDPR. The User can revoke his/her consent at any time with effect for the future, for example by clicking here.
More information on the processing of personal data by Google can be found in the Google Terms of Service and the Google Privacy Policy.
8. Special provisions for the official social media accounts of the Bundesliga
8.1 Special provisions for the official Facebook account of the Bundesliga
The DFL processes personal data via the official Facebook account of the Bundesliga in joint responsibility together with Facebook. In this context, the DFL processes personal data on the basis of its legitimate interest in promptly providing information to and interacting with the Users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL has selected the most privacy-friendly filter settings possible for the use of the official Facebook account of the Bundesliga.
The DFL and Facebook have concluded an agreement on joint responsibility in accordance with Art. 26 para. 1 GDPR. A description of how Facebook processes personal data in connection with the official Facebook account of the Bundesliga and how the agreement on joint responsibility between the DFL and Facebook is structured can be found via the following link. The privacy policy of Facebook can be found at the following link.
8.2 Special provisions for the official X account of the Bundesliga
The DFL processes personal data via the official X account of the Bundesliga in joint responsibility together with X. In this context, the DFL processes personal data on the basis of its legitimate interest in promptly providing information to and interacting with the Users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL has selected the most privacy-friendly settings possible for the use of the official X accounts of the Bundesliga.
The DFL and X have concluded an agreement on joint responsibility in accordance with Art. 26 para. 1 GDPR. A description of how X processes personal data in connection with the official X account of the Bundesliga and how the joint responsibility between the DFL and X is structured can be found via the following link. The privacy policy of X can be found at the following link.
8.3 Special provisions for the official Instagram account of the Bundesliga
The DFL processes personal data via the official Instagram account of the Bundesliga in joint responsibility together with Instagram. In this context, the DFL processes personal data on the basis of its legitimate interest in promptly providing information to and interacting with the Users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL has selected the most privacy-friendly settings possible for the use of the official Instagram account of the Bundesliga.
The DFL and Instagram have concluded an agreement on joint responsibility in accordance with Art. 26 para. 1 GDPR. A description of how Instagram processes personal data in connection with the official Instagram account of the Bundesliga and how the joint responsibility between the DFL and Instagram is structured can be found via the following link. The privacy policy of Instagram can be found at the following link.
8.4 Special provisions for the official YouTube channel of the Bundesliga
The DFL processes data via the official YouTube channel of the Bundesliga in joint responsibility together with Google. In this context, the DFL processes personal data on the basis of its legitimate interest in promptly providing information to and interacting with the Users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL has selected the most privacy-friendly settings possible for the use of the official YouTube channel of the Bundesliga.
The DFL and Google have concluded an agreement on joint responsibility in accordance with Art. 26 para. 1 GDPR. A description of how Google processes personal data in connection with the official YouTube channel of the Bundesliga and how the joint responsibility between the DFL and Google is structured can be found via the following link. Google’s YouTube privacy policy can be found at the following link.
8.5 Special provisions for the official TikTok channel of the Bundesliga
The DFL processes data via the official TikTok channel of the Bundesliga in joint responsibility together with TikTok. In this context, the DFL processes personal data on the basis of its legitimate interest in promptly providing information to and interacting with the Users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL has selected the most privacy-friendly settings possible for the use of the official TikTok channel of the Bundesliga.
The DFL and TikTok have concluded an agreement on joint responsibility in accordance with Art. 26 para. 1 GDPR. A description of how TikTok processes personal data in connection with the official TikTok channel of the Bundesliga and how the joint responsibility between the DFL and TikTok is structured can be found via the following link. The privacy policy of X can be found at the following link.
8.6 Community management
The DFL uses an application from Areto Labs Inc. (Canada) (“Areto”) for community management on the Bundesliga’s official Facebook, Instagram and YouTube accounts.
With the support of Areto, the DFL checks the comments published by Users of these social media services on these DFL accounts for spam or unwanted content (e.g. discriminatory, racist, sexist, homophobic, transphobic, harassing or threatening content). Areto uses artificial intelligence to make an automated selection based on tags defined by the DFL to determine whether a comment constitutes spam and/or contains undesirable content. A comment that contains undesirable content is automatically removed. Comments that are not clear are initially hidden. The DFL reserves the right to take further legal action in addition to permanent deletion.
Further information can be found in Areto’s privacy policy.
The legal basis for the processing is Art. 6 para. 1 sentence 1 f) GDPR, whereby the authorisation of the processing to safeguard the legitimate interests of the DFL results from moderating the above-mentioned official social media accounts and keeping them free of hate and aggression, and to enable all Users to interact with the content on these social media accounts without discrimination.
9. Data forwarding to third parties
Aside from the cases outlined, the DFL will forward personal data to third parties only if it is authorised or obliged to do so. This is the case particularly if the DFL transfers personal data to government agencies and authorities in accordance with mandatory national legislation or if forwarding is necessary for the purpose of legal action or criminal prosecution in the event of attacks on network infrastructure. The legal basis for this processing is Art. 6 para. 1 sentence 1 c) GDPR in conjunction with Section 24 para. no 1 BDSG.
10. Storage and deletion of personal data
All stored personal data and pseudonymised usage data will be deleted immediately and permanently as soon as they are no longer needed for the purposes for which they were collected or if the User demands this, unless the DFL is required or entitled by law to preserve the data. If the DFL is required or entitled by law to preserve the data, the stored personal data and pseudonymised usage data will be permanently deleted upon expiry of the statutory retention periods.
11. Security
The DFL uses technical and organisational security measures to protect personal User data against accidental or intentional tampering, loss, destruction or access by unauthorised persons. These security measures are regularly adapted in accordance with technological developments. Nonetheless, the DFL advises the User that absolute security can never be guaranteed in online data transmisson.
12. Links to other websites
The Website may contain links to other websites. This Privacy Statement applies solely to this Website. The DFL has no influence over content from other providers and does not control whether other providers comply with the applicable data protection regulations or other legal requirements. If a user alerts the DFL to the presence of unlawful content on linked websites, the DFL will remove the links from the Website immediately.
13. Rights of the User
The GDPR grants a number of rights to the User. In particular, the User has
- a right of access to personal data concerning themselves (Art. 15 GDPR)
- a right to rectification of inaccurate data (Art. 16 GDPR)
- a right to erasure of data under the conditions stipulated in Art. 17 GDPR
- a right to restriction of processing (Art. 18 GDPR)
- a right to data portability in accordance with Art. 20 GDPR
- a right to object to processing, unless this takes place to protect the legitimate interests of the DFL (Art. 21 GDPR).
If data processing is based on the User’s consent, the User may revoke this at any time with future effect.
The User can assert their rights by submitting a message via the contact form accessible at this link or by post using the address specified at the beginning of this Privacy Statement. The DFL’s privacy officer can be contacted at dataprivacy@bundesliga.com. This e-mail address is used to respond solely to enquiries pertaining to privacy.
Furthermore, the User can submit a complaint about the data processing to an appropriate supervisory authority. The authority responsible for the DFL is the Hessian Commissioner for Data Protection and Freedom of Information, and the User can submit a complaint via the following link.
15. Applicability, validity and up-to-date status of this Privacy Statement
The provisions in this Privacy Statement on the collection, processing, and use of the User’s data apply to the User when using the Website. This Privacy Statement is up to date as at 30 May 2024. The DFL reserves the right to amend this Privacy Statement as needed, at any time and with future effect, especially for the purposes of adapting to later versions of the Website or implementing new technologies. The User can view the current Privacy Statement on the Website at any time under the “Privacy Statement” menu item in the footer.