Privacy Statement and Cookie Directive

Privacy statement and cookie policy

for the Official Bundesliga app ('App') for DFL Deutsche Fußball Liga GmbH, Guiollettstrasse 44-46, 60325 Frankfurt am Main, Germany ('the DFL').

The DFL processes and uses personal data collected and stored during the installation and use of the App in compliance with the data privacy regulations applicable in the Federal Republic of Germany. This privacy statement and cookie policy (hereinafter collectively referred to as 'the Statement') sets out which personal data regarding users (hereinafter collectively referred to as 'the User') is collected and how this data is processed and used.

Permissions

For the App to work correctly, it is necessary for the User to grant the App access to certain functions and data on the user's device. During installation, the User will be asked once to grant the relevant permissions. The way in which permissions are granted varies depending on the device manufacturer. In some cases, access permissions have different names, while individual permission categories are sometimes combined, meaning that the User can approve only the entire permission category. By granting permission, the User consents to his/her data being processed accordingly.

Note that if you do not grant one or more of the permissions requested, some functions of the App may not be usable. If the User nonetheless attempts to activate such a function, the App will again ask the User to grant permission. The User can at any time use the device settings to revoke permission that has previously been granted.

If the User has granted permission, the DFL will use it as follows:

Push notifications: The App requires permission to send push notifications about clubs and selected events (news, videos and information relating to matchdays and matches, such as goals, cards, substitutions and match start/end) to the User's device.
Files and media: The App requires access to files and media when creating user feedback so that it can access screenshots taken by the User to show problems occurring in the App.
Camera: The App requires access to the camera when creating user feedback so that it can access screenshots taken by the User to show problems occurring in the App.

Data collection and processing during use of the App

2.1 Installation and use of the App

The following data will automatically be logged on the DFL server when the App is installed and used:

IP address of the requesting device
Date and time of installation
Date and time of access
Quantity of data transferred
Access status (file transferred, file not found etc.)
Name and version of operating system used
Type and version of browser used and browser plugins installed
Time zone settings
Identification data of device used
Name of the User's internet service provider and information about the mobile network used

The collection, processing and use of this data occur for the purposes of enabling the use of the App, system security and the technical administration of the network infrastructure. The data will not be compared with other sets of data or passed on to third parties either in whole or in part.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) of the EU General Data Protection Regulation ('GDPR'). The DFL's legitimate interest is based on the aim of providing the User with a secure and functioning App.

2.2 Crashlytics

In the App, the DFL uses Crashlytics, a service of Google LLC (USA) ('Crashlytics') that collects information about user behaviour and the devices used so as to diagnose and resolve potential problems with the App. This data is stored anonymously. However, data may be transferred to the USA as part of the process. More detailed information about Firebase Crashlytics can be found via the following link and in Firebase Crashlytics’s privacy policy.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The DFL's legitimate interest is based on the aim of providing the User with the most stable App possible.

2.3 Analysis of the use of the App and its content

Additional reference is made to Clause 4 with regard to the collection and processing of data for analysing the use of the App and its content as well as optimisation of the App through analytical services.

Data collection and processing in the context of registration and login

3.1 Registration and login

The DFL uses the customer identity management platform provided by Okta, Inc., 101 1st Street, San Francisco, CA 94105, USA, (“Okta”) for the registration for Bundesliga accounts and the other services offered through them (e.g. Official Bundesliga Fantasy Manager, Bundesliga Newsletter, access to certain editorial content for registered Users) and for the Bundesliga account login.

During registration and the further onboarding process, the DFL asks the Users for the following data:

Full name
E-mail address
Country
Favourite club (optional)
Gender (optional)
Date of birth (optional)
Password

Okta stores and manages this data in Germany but may refer some support queries to international support teams in Australia, Canada, Singapore, Japan and the USA. Insofar as any of these countries does not have the same level of data privacy as the EU and, particularly in the USA, it is possible for security agencies to access personal data stored there to a considerable extent, Okta safeguards this transfer of data by means of EU standard contractual clauses. Further information can be found in Okta's privacy policy.

All data will be used only for the operation and management of the services subject to registration and to establish, implement, or terminate the underlying agreement with the User on participation in the service(s) he/she has selected. The legal basis for processing is Art. 6 para. 1 sentence 1 a) GDPR, provided the User has given his/her consent to the processing (which can be revoked with future effect at any time), and Art. 6 para. 1 sentence 1 b) GDPR.

3.2 Social logins

The social login function, which is also provided via Okta (see Clause 3.1), allows the User to log in to the APP for the access to the Services exclusively available for registered Users within the APP with his/her (social media) account with Facebook, Google or Apple. If the User chooses to use one of these social logins, the relevant social media provider will establish the User's identity and transfer the data about the User outlined below to the DFL.

No usage data (pages visited, fields activated) is transferred to the respective provider, since the DFL has implemented the social logins using OAuth (Open Authorization).

The legal basis for the transmission of data is the User's consent according to Art. 6 para. 1 sentence 1 a) GDPR, which the User grants by choosing to use a social login. The User can revoke this consent at any time with future effect. The DFL will then process the transferred data for the purposes of establishing, implementing and terminating the user agreement in accordance with Art. 6 para. 1 sentence 1 b) GDPR.

The following privacy information regarding data transfer apply to social logins; see also Clause 7.1 on sharing content.

3.2.1 Facebook

IF THE USER DOES NOT WISH DATA TO BE SYNCHRONISED IN THIS WAY, THE USER MUST USE ONE OF THE OTHER AVAILABLE LOGIN OPTIONS.

3.2.2 Google

If the User logs in via Google, the following types of data transmission from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, ('Google') to the DFL will be initiated:

The transmission of certain information from the User's Google account to the DFL with the consequence that in addition to the usage data outlined in this Statement (e.g. IP address), the following information will be transmitted to the DFL:

Profile picture
Full name, as well as
E-mail address

IF THE USER DOES NOT WISH DATA TO BE SYNCHRONISED IN THIS WAY, THE USER MUST USE ONE OF THE OTHER AVAILABLE LOGIN OPTIONS.

3.2.3 Apple

If the User logs in via Apple, the following types of data transmission from Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA, ('Apple') to the DFL will be initiated:

The transmission of certain information from the User's Apple account to the DFL with the consequence that in addition to the usage data outlined in this Statement (e.g. IP address), the following information will be transmitted to the DFL:

Full name, as well as
E-mail address

IF THE USER DOES NOT WISH DATA TO BE SYNCHRONISED IN THIS WAY, THE USER MUST USE ONE OF THE OTHER AVAILABLE LOGIN OPTIONS.

3.3 Login status

When the User logs into his/her account in the App, the User’s login details (e-mail address and password) will be saved. Only once the session has expired (because the User has either logged out, deleted the browser history or cleared the cache), after 14 days of inactivity or after six months at the latest will the User have to log in again. The User's login status is stored by means of refresh tokens and deleted after the periods outlined above as soon as the User has to log in again. If the User logs into the App on a device used by more than one person, he/she should make sure to log out again accordingly at the end of the session.

3.4 Special provisions for individual services subject to registration

3.4.1 Newsletter

The User is given the option of subscribing to newsletters of the DFL (Bundesliga Newsletter and Game Updates) when registering his/her Bundesliga account.

The registration for the subscription is processed via Okta. The service of Mapp Digital Germany GmbH (Germany) is used for the dispatch of newsletters and the associated management of User data.

The DFL will place what is known as a tracking pixel in the HTML code of the respective newsletter and assign a user ID to the User to determine the time at which the respective newsletter was opened and which links or functions were activated from that newsletter. This tracking takes place for the purpose of internal optimisation of the respective newsletter. This data will not be passed on.

The legal basis for this data processing is Art. 6 para. 1 sentence 1 a) GDPR. If the User does not want this tracking to take place, he/she can unsubscribe from the respective newsletter (e.g. via the unsubscribe link in each newsletter or through the account settings).

3.4.2 Official Fantasy Manager

The User agrees that in the event that he/she wins, the DFL may, at its discretion, publish the User’s first name, the first letter of the User’s surname and the User’s country of residence through the official DFL tele media and/or social media accounts, while the User’s first name and the first letter of the User’s surname will also be made publicly accessible on the Official Fantasy Manager rankings, on the official websites www.bundesliga.de and www.bundesliga.com as well as the Official Fantasy Bundesliga App. Processing for this purpose is permitted on the basis of the User's consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR and the User may revoke this consent at any time with future effect.

3.4.3 Newsletters from partners and licensees

If the User has declared consent for this, the DFL will provide the his/her data (salutation, full name, e-mail address, and country, as well as time and date stamp of the registration and its confirmation via “double opt-in”) to certain partners and licensees so that they can provide the User with information on products and other services via e-mail. Users currently have the option of registering for the newsletters of the following partners and licensees:

TIPICO Services Ltd. (the DFL only provides TIPICO Services Ltd. with the data of Users who have voluntarily entered their date of birth during registration and for whom this data indicates that they have reached the age of 18 years),
Sky Deutschland Fernsehen GmbH & Co. KG
Topps Europe Holdings Ltd.

The DFL has no further knowledge in regard to how the partners/licensees in question process this data, and refers to the respective data protection provisions of the partners and licensees specified above.

The legal basis for this data processing is Art. 6 para. 1 sentence 1 a) GDPR. The User can revoke such consent with future effect at any time (e.g. by clicking the “Unsubscribe” link in the newsletter in question or by contacting the respective partner/licensee directly via the contact details specified in the imprint).

Data collection and processing in the context of analysis of use of the App and its contents by means of Matomo

For the App, the DFL uses Matomo, an open-source analytics application developed by InnoCraft Ltd, New Zealand, ('Matomo') to analyse use of the App and its content. This application is installed locally on the DFL servers. The following data is collected and stored using the SDK (software development kit) provided by Matomo:

Pseudonymised visitor ID
App page accessed
Sub-pages accessed within the App
Time spent on individual App pages
Frequency and timing of App page access
Interactions with the App, such using buttons or watching videos

Using the IP2Location™ IP-Country-Region-City-ISP Database [DB4] features from Hexasoft Development Sdn Bhd, Malaysia, ('ip2location') likewise installed locally on the DFL servers, additional geolocation information (country, region, town or city) is also collected and stored cumulatively on the basis of IP addresses.

Collection and storage take place only on the DFL servers. The data will not be passed on to Matomo or any other third parties.

Matomo and ip2location are set up to ensure that IP addresses are not stored in their entirety; instead, two bytes of each IP address are masked (e.g. 192.168.xxx.xxx). This renders it impossible to attribute the abbreviated IP address to the specific device used. A User can prevent such an analysis by choosing to opt out in this privacy section or in the App settings.

However, the DFL hereby informs the User that in this case, it is possible that the User may not be able to use all functions of this App to their fullest extent.

Further information on privacy can be found in Matomo's privacy policy.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR, with the DFL's legitimate interest in processing being evaluating the App data for the purposes of optimising it.

Reference is made to Clause 8.1 with regard to the use of the data collected by Matomo as part of the analysis of the use of the App and its content for the purpose for the determination of the User's interests for the sending of personalised push notifications and to Clause 8.2 with regard to the use of such data for the purpose of recommending editorial articles in accordance with Clause 4.

Google Ad Manager for showing online advertisements

The DFL uses Google Ad Manager from Google LLC (USA) ('Google') for placing online advertisements in the App. This allows the DFL to show certain advertisements to the User. The DFL does not place personalised advertisements from third-party provider networks but only advertisements marketed directly by the DFL. Further information can be found via the following link and in Google's privacy policy.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR, with the DFL's permission arising from the fact that it wishes to deploy its efforts involved in operating the App for direct advertising as well and that the User will not be at any particular disadvantage as a result of this, considering the User's reasonable expectations based on his/her relationship with the DFL as the operator of the App.

Social media content

Some content that the DFL has published on its official social media accounts on Facebook, X, Instagram and YouTube will be loaded in the App via WebView (e.g. in articles or the live ticker). Cookies will be used in the process. More details about the cookies used can be found in Clause 9.2 'Cookies'.

Further information on data processing by the providers can be found in the applicable privacy statements: Facebook, X, Instagram and YouTube(the DFL embeds content from the latter in privacy-enhanced mode; find out more here).

With regard to the sharing of App content via social media services, see also Clause 7.1.

Sharing content

The DFL provides users of the App with the opportunity to share the App's content as described in the following section.

7.1 Using the Facebook, X, Google+ and WhatsApp social media services

Users can share content from this App on the social media services provided by Facebook, X, Google+ and WhatsApp. To prevent User data being shared with the providers without the User's consent, the DFL offers only social sharing links in the App. This ensures that no data will be transferred to third parties without the permission of the User. Only when the User activates the social media services by clicking the relevant icon, thereby consenting to connect with Facebook, X, Google+ and WhatsApp, will a connection to the applicable service be established and the social sharing links created, and the User can then publish these links through the service. Further information on data processing by the providers can be found in the applicable privacy statements: Facebook, X, Google+ and WhatsApp.

7.2 E-mail forwarding

The User can also share and recommend content from this App via e-mail by clicking the relevant button. The DFL will not use, process or store in any way the recipient e-mail addresses that the User enters in the e-mail application that opens when the User clicks the relevant icon.

7.3 Sharing via Android and iOS

If a User uses an Android or iOS device and clicks the Share button, the App will – in addition to the aforementioned social media platforms and e-mail forwarding function – show all applications that are installed on the User's device and that offer a share function. The DFL has no influence on which data is shared with the corresponding platforms and recommends referring to the respective privacy statements.

Additional services and functions

8.1 Push notifications

The DFL uses Amazon Pinpoint, a technology from Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA, and its European subsidiary Amazon Web Services EMEA Sàrl, Rue Plaetis 5, 2338 Luxembourg, Luxembourg, ('AWS') to send push notifications about clubs and selected events (in particular news, videos and information relating to matchdays and matches, such as goals, cards, substitutions and match start/end, live broadcasting) via the iOS and Android native interfaces. This will take place only if the User has consented to corresponding push notifications when first launching the App or later in the App settings.

If the User has not opted out of the use of Matomo in accordance with Clause 4, the DFL will use the data collected for the purpose of personalised push notifications in accordance with Clause 4. These personalised push notifications are intended to suggest editorial articles that would potentially appeal to users based on their interests and browsing histories and to make them aware of events (e.g. live broadcasts) that may interest them. If the User has opted out, the only pieces of information that the DFL will process about the User for the purpose of delivering push notifications will be whether the User has consented to push notifications, which language has been selected and the clubs and events about which the User would like to receive push notifications.

The legal basis for sending push notifications is the User's consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR. The User can revoke this consent at any time by disabling push notifications again in the App or device settings. The legal basis for determining the User's interests for the purpose of sending personalised push notifications is Art. 6 para. 1 sentence 1 f) of the GDPR, according to which the DFL's legitimate interest lies in referring the User to further events and information that may interest him/her.

8.2 Recommended editorial articles

The DFL uses the data collected by Matomo in accordance with Clause 4 as part of the analysis of the use of the App and its content for the purpose of suggesting editorial articles that would potentially appeal to the User based on his/her interests and use of the App and its content via the separation 'Recommended for you' section.

If the User has opted out of the use of Matomo in accordance with Clause 4, the most popular articles in general will be shown instead. If the User does not wish to be shown any recommended editorial articles at all, he/she can disable them in the App in this privacy section.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest in this case consists of the evaluation of these data for the purpose of optimising the content and services of the App as well as the objective of highlighting the most interesting content possible for the User.

8.3 Playing videos

The DFL embeds videos in the App using JW Player software from Longtail Ad Solutions, Inc. (USA). JW Player does not process any user data, and it records only the video play counts.

For legal reasons, the DFL is not permitted to make the videos shown in the App available in certain countries. To ensure this, when the User selects a video, the GeoLite2 feature from Maxmind, Inc. (USA) installed locally on DFL servers is used to determine the countries in which the relevant video may be played and to compare this list against the current location of the User's device, identified via the IP address of the User's device. On this basis, the App checks whether the video is permitted to be played in the country in which the User's device is currently located or whether it must be disabled for legal reasons. In the latter case, the User will be shown only a notice to that effect instead of the video. This information will remain intact only for the duration of this check on the device and will then be deleted; furthermore, it will not be stored or transferred to a back-end system.

The legal basis for this processing is Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of the DFL is based on compliance with the existing contractual agreements with its national and international licensees for the media rights to the matches of the Bundesliga and Bundesliga 2.

8.4 'TV partners' section

In the 'TV partners' section, the User can find out about the broadcaster through which the Bundesliga can be followed live in the country in which the User is currently located. To direct the User to the correct broadcaster, the IP address of the User's device is used to determine the appropriate country. This information will then be stored locally as a default setting on the User's device until the User logs in with an IP address from a different country, changes the setting manually or uninstalls the App. This information will not be transferred to the DFL servers or to any third parties.

The legal basis for this processing is Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of the DFL is based on informing the User of how he/she can watch Bundesliga matches live at his/her current location.

8.5 Zendesk

The DFL uses the ticket system of Zendesk Inc. (USA) ('Zendesk') to respond to enquiries that have been submitted as well as to process problems with the App reported by users.

Information on how Zendesk processes data can be found in the Zendesk privacy policy.

Zendesk also processes user data in the USA, which does not have the same level of data privacy as the EU. In particular, in the USA, it is possible for security agencies to access personal data stored there to a considerable extent. Zendesk ensures security for this data transfer to the USA by means of its approved internal Zendesk Binding Corporate Rules in accordance with Art. 46 para. 2 b) GDPR. These were approved by the European Data Protection Supervisor on 19 May 2017 and are available online. Zendesk uses the EU's standard contractual clauses as an additional safeguard.

The legal basis for processing is the User's consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR, granted when the User submits an enquiry or report, which the User may revoke at any time, effective from that point onwards.

8.6 Feedback service

The DFL uses the feedback service “GetFeedback” from Momentive Europe UC ('Momentive') to provide the User with the opportunity to provide feedback on the App and its functions and to participate in online surveys. The DFL uses the resultant feedback and surveys to improve the App and its functions in line with user requests. When a User uses the feedback form or the feedback button or participates in an online survey, the User’s device will establish a direct link to Momentive’s server and the information entered by the User (e.g. full name, e-mail address), the User's IP address and other device-related information will be transmitted. Further details can be found in Momentive’s privacy policy. The legal basis for processing is the User's consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR, which the User may revoke at any time with future effect.

SDKs and cookies used

9.1 SDKs used

With the App, the DFL has implemented some services using SDKs (software development kits). Some of the various SDKs process personal User data by establishing a direct link between the device and the SDK provider when the User opens the App. Users may decline the use of SDKs used for statistical purposes or individual App functions.

For technical reasons, the DFL cannot remove the SDKs in such cases but will merely configure settings to prevent further data being retrieved via the SDKs. However, as the provider of the App, the DFL cannot control which data the SDK providers retrieve (even if settings to that effect forbid data retrieval).

The App incorporates the following SDKs:

Provider/name of SDK	Description	Category
Firebase Crashlytics (Google)	This SDK is used to collect data on crashes in the App to enable the most stable product possible to be provided. This involves gathering information about user behaviour and the devices used so as to diagnose and resolve potential problems with the App. This data is stored anonymously. However, data may be transferred to the USA as part of the process. More detailed information about Firebase Crashlytics can be found via the following link and in Firebase Crashlytics' privacy policy.	Functional
Firebase Remote Config	This SDK is used to define and detect segments that form the basis for A/B tests. Further information can be found via the following link and in Google's privacy policy.	Functional
Get Feedback	This SDK enables users to give the DFL feedback about the App. In addition, the DFL can invite users to take part in surveys and send in-app messages to inform users about important news. Further information can be found in Momentive’s privacy policy.	Functional
Lokalise (Zeplin.io)	This SDK is used to display the App in the available languages. English, German and Spanish are currently supported. Further information about Lokalise can be found via the following link and Lokalise's privacy policy.	Functional
Firebase Analytics (Google)	This SDK is used to collect information on tracking events for Matomo. The Analytics SDK uses SQLite for the purpose of persistence for events and other app-specific data. Further information can be found in Google's privacy policy. The User can prevent such an analysis by declining the use of performance SDKs when initially launching the App or later in the App settings.	Performance
Firebase-perf (Google)	Firebase Performance Monitoring is an app analysis service that helps the DFL to obtain performance data for the App. The DFL uses this information to refine and improve the App. Further information about Firebase Performance Monitoring can be found via the following link or in Google's privacy policy. The User can switch off performance data monitoring at any time by declining the use of performance SDKs when initially launching the App or later in the App settings.	Performance
Google Tag Manager	This SDK is used to arrange tracking events in the correct structure for Matomo. Further information on the SDK can be found via the following link and in Google's privacy policy. If the User chooses to opt out from Matomo (see Clause 4), no further data will be processed via this SDK.	Performance
Matomo	This SDK is used to track the User's interactions with the App in order to refine and improve the App in accordance with how it is actually used. The SDK is not used to send any data to servers outside the control of the DFL. If the User chooses to opt out from Matomo (see Clause 4), no further data will be processed via this SDK.	Performance
Google Mobile Ads SDK	This SDK is used to play advertisements in the App. The SDK processes personal data only if the User has granted consent. The User may revoke consent at any time, effective from that point onwards, by declining the use of marketing and analysis SDKs in the App settings. Further information on the SDK can be found via the following link and in Google's privacy policy.	Marketing and analysis

The DFL used other SDKs as tools during development of the app, not all of which are identified individually in the above list. The use of these SDKs is strictly necessary for the App to run and cannot be stopped.

9.2 Cookies

Cookies are placed via the social media content integrated via WebView (see Clause 6). Cookies are small text files that are stored on the User's device and enable the device to be recognised. These social media cookies are capable of tracking the User's browser across multiple visited websites and to create a profile of his/her interests. This may have an impact on content and news that the User sees on other websites. Cookies are thus used for purposes including marketing.

Social media cookies are placed via the used WebViews only if the User has consented to the corresponding processing and placement of cookies. The legal basis for the use of these cookies is Art. 6 para. 1 sentence 1 a) GDPR. Users may revoke their consent at any time in the App settings, effective from that point onwards.

The DFL uses the following social media cookies in the App:

Name	Domain	First-party/ third-party	Lifetime	Description
CONSENT	.youtube- nocookie .com	Third- party	37 years	The DFL embeds videos via YouTube in 'privacy-enhanced mode'. This cookie is intended to ensure that YouTube does not place any further cookies. Further information can be found here.
csrftoken	.instagram .com	Third -party	1 year	This cookie from Instagram (a Facebook service) is placed when an Instagram plugin is embedded. The cookie aids IT security when the plugin is used by blocking cross-site request forgery (CSRF) attacks. Further information can be found here.
datr	.facebook .com	Third- party	2 years	The purpose of this cookie is to identify the browser establishing a link to Facebook, irrespective of which user is logged in. It prevents fake and spam accounts, reduces the risk of accounts being hacked by others, protects Facebook content and blocks DDoS attacks. Further information can be found here.
fr	.facebook .com	Third- party	91 days	This is a display statistics cookie from Facebook that is placed when a Facebook plugin is embedded. Further information can be found here.
ig_cb	www.instagram. com	Third- party	36524 days (approximately 100 years)	This cookie is placed by Instagram (a Facebook service) and is linked to the acceptance of the Instagram cookie banner. Further information can be found here.
ig_did	.instagram .com	Third- party	3652 days (approximately 10 years)	This cookie is placed by Instagram (a Facebook service). Further information can be found here.
lang	cdn. syndication .twimg.com	Third- party	Session	This cookie is placed by X and saves the language that the User has chosen for the website to display the social media content in the appropriate language. Further information can be found here.
mid	.instagram .com	Third- party	3652 days (approximately 10 years)	This cookie is placed by Instagram (a Facebook service). Further information can be found here.
rur	.instagram .com	Third- party	Session	This cookie from Instagram (a Facebook service) is placed when an Instagram plugin is embedded. It enables this Instagram plugin to work correctly, such as for embedded Instagram posts. Further information can be found here.

Data forwarding to third parties

Aside from the cases outlined, the DFL will forward personal data to third parties only if it is authorised or obliged to do so. This is the case particularly if the DFL transfers personal data to government agencies and authorities in accordance with mandatory national legislation or if forwarding is necessary for the purpose of legal action or criminal prosecution in the event of attacks on network infrastructure. The legal basis for this processing is Art. 6 para. 1 sentence 1 c) GDPR in conjunction with Section 24 para. 1 no 1 of the German Federal Data Protection Act [Bundesdatenschutzgesetz, “BDSG”].

Storage and deletion of personal data

All stored personal data and pseudonymised usage data will be deleted immediately and permanently as soon as they are no longer needed for the purposes for which they were collected or if the User demands this, unless the DFL is required or entitled by law to preserve the data. If the DFL is required or entitled by law to preserve the data, the stored personal data and pseudonymised usage data will be permanently deleted upon expiry of the statutory retention periods.

Security

The DFL uses technical and organisational security measures to protect personal User data against accidental or intentional tampering, loss, destruction or access by unauthorised persons. These security measures are regularly adapted in accordance with technological developments. Nonetheless, the DFL advises the User that absolute security can never be guaranteed in online data transmission.

Links to other websites

The App may contain links to other websites. This Statement applies solely to this App. DFL has no influence over content from other providers and does not control whether other providers comply with the applicable data protection regulations or other legal requirements. If a user alerts the DFL to the presence of unlawful content on linked websites, the DFL will remove the links from the App immediately.

Rights of the User

The GDPR grants a number of rights to the User. In particular, the User has

a right of access to personal data concerning themselves (Art. 15 GDPR)
a right to rectification of inaccurate data (Art. 16 GDPR)
a right to erasure of data under the conditions stipulated in Art. 17 GDPR
a right to restriction of processing (Art. 18 GDPR)
a right to data portability in accordance with Art. 20 GDPR
a right to object to processing, unless this takes place to protect the legitimate interests of the DFL (Art. 21 GDPR).

If data processing is based on the User's consent, the User may revoke this at any time with future effect.

The User can contact the DFL via e-mail to info@bundesliga.de. The DFL's privacy officer can be contacted at dataprivacy@bundesliga.de. This e-mail address is used to respond solely to enquiries pertaining to privacy.

Furthermore, the User can submit a complaint about the data processing to an appropriate supervisory authority. The authority responsible for the DFL is the Hessian Commissioner for Data Protection and Freedom of Information, and the User can submit a complaint via the following link.

Applicability, validity and up-to-date status of this Statement

The regulations in this Statement on collection, processing and use of the User's data apply to the User when the latter uses the App. This Statement is up to date as at 20 July 2022. The DFL reserves the right to amend this Statement at any time with future effect, especially for the purposes of adapting to later versions of the App or implementing new technologies. The User can view the current Statement in the App at any time by going to ‘Privacy’ under ‘More’ on the menu.