As the controller within the meaning the European General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”), DFL Deutsche Fußball Liga e.V., Guiollettstrasse 44-46, 60325 Frankfurt am Main, Germany (the“ DFL e.V.”) collects, processes and uses personal data that is collected and stored during visits to and use of the website products.bundesliga.com (the “Website”), in compliance with the data privacy regulations applicable in the Federal Republic of Germany, particularly the GDPR and the BDSG. This Privacy Statement sets out which personal data regarding visitors to the website (hereinafter: “Users”) is collected and how this data is processed.
Every time a User accesses the Website, the User’s web browser automatically transfers the following data to the DFL e.V.’s web server for technical reasons:
The collection and processing of this data occur for the purposes of enabling the use of the Website (establishing a connection), system security and the technical administration of the network infrastructure. The data will not be compared with other sets of data or passed on to third parties either in whole or in part.
The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The DFL e.V.’s legitimate interest is based on the aim of providing the Users a secure and functioning Website.
Additional reference is made to Clause 2 with regard to the collection and processing of data for analysing the use of the Website and its content as well as the optimisation of the Website through web analytical services.
The DFL e.V. uses Matomo, an open-source analytics application developed by InnoCraft Ltd, New Zealand, (“Matomo”) to analyse use of the Website and its content. This application is installed locally on the DFL e.V.’s servers. The DFL e.V. uses the application without cookies.
Matomo collects and stores the following data:
Repeat users are identified by way of a config_id. This is a random character sequence that is calculated using the first two bytes of the IP address, the browser plugin, the operating system and the User’s selected browser language, and then hashed. The ID is deleted and a new one created after 24 hours so that the Website cannot reidentify the User when visiting again.
Using the IP2Location™ IP-Country-Region-City-ISP Database [DB4] features from Hexasoft Development Sdn Bhd, Malaysia, (“ip2location”) likewise installed locally on the DFL e.V.’s servers, additional geolocation information (country, region, town or city) is also collected and stored cumulatively on the basis of IP addresses.
Collection and processing take place only on the DFL e.V.’s servers. The data will not be passed on to Matomo or any other third parties.
Matomo and ip2location are set up to ensure that IP addresses are not stored in their entirety; instead, two bytes of each IP address are masked (e.g. 192.168.xxx.xxx). This renders it impossible to attribute the abbreviated IP address to the specific device used.
A User can prevent analysis by Matomo and ip2location by using the following opt-out.
However, the DFL e.V. hereby informs the User that in this case, it is possible that the User may not be able to use all functions of the Website to their fullest extent. If the User chooses to opt-out, a cookie with the name “matomo_ignore” and a lifetime of 30 years will be set on the User’s device, which signals to DFL e.V.’s system not to process or analyse the User’s data. If the User later clears the cookies on their device, this opt-out cookie will also be cleared and will need to be reinstalled.
3. Region-based Website content
The Website automatically detects the time zone of the User’s Internet browser in order to assign the User to a certain region (Asia, America, EMEA). The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR, whereby the legitimate interest of DFL e.V. results from the fact that DFL e.V. wants to offer helpful information to the User and in particular to ensure that relevant region-based content is presented to the User.
The User can change the region and also the time zone of the User’s Internet browser and manually.
5. Data forwarding to third parties
Aside from the cases outlined, the DFL e.V. will forward personal data to third parties only if it is authorised or obliged to do so. This is the case particularly if the DFL e.V. transfers personal data to government agencies and authorities in accordance with mandatory national legislation or if forwarding is necessary for the purpose of legal action or criminal prosecution in the event of attacks on network infrastructure. The legal basis for this processing is Art. 6 para. 1 sentence 1 c) GDPR in conjunction with Section 24 para. no 1 BDSG.
6. Storage and deletion of personal data
All stored personal data and pseudonymised usage data will be deleted immediately and permanently as soon as they are no longer needed for the purposes for which they were collected or if the User demands this, unless the DFL e.V. is required or entitled by law to preserve the data. If the DFL e.V. is required or entitled by law to preserve the data, the stored personal data and pseudonymised usage data will be permanently deleted upon expiry of the statutory retention periods.
The DFL e.V. uses technical and organisational security measures to protect personal User data against accidental or intentional tampering, loss, destruction or access by unauthorised persons. These security measures are regularly adapted in accordance with technological developments. Nonetheless, the DFL e.V. advises the User that absolute security can never be guaranteed in online data transmission.
8. Links to other websites
The Website may contain links to other websites. This Privacy Statement applies solely to this Website. The DFL e.V. has no influence over content from other providers and does not control whether other providers comply with the applicable data protection regulations or other legal requirements. If a user alerts the DFL e.V. to the presence of unlawful content on linked websites, the DFL e.V. will remove the links from the Website immediately.
9. Rights of the User
The GDPR grants a number of rights to the User. In particular, the User has
If data processing is based on the User’s consent, the User may revoke this at any time with future effect.
The User can assert their rights by emailing email@example.com or by post using the address specified at the beginning of this Privacy Statement. Questions regarding data protection can be addressed firstname.lastname@example.org. This e-mail address is used to respond solely to enquiries pertaining to privacy.
Furthermore, the User can submit a complaint about the data processing to an appropriate supervisory authority. The authority responsible for the DFL e.V. is the Hessian Commissioner for Data Protection and Freedom of Information, and the User can submit a complaint via the following link.
10. Where can the User find the relevant legal texts?
11. Applicability, validity and up-to-date status of this Privacy Statement
The provisions in this Privacy Statement on the collection, processing, and use of the User’s data apply to the User when using the Website. This Privacy Statement is up to date as at 1 December 2021. The DFL e.V. reserves the right to amend this Privacy Statement as needed, at any time and with future effect, especially for the purposes of adapting to later versions of the Website or implementing new technologies. The User can view the current Privacy Statement on the Website at any time under the “Privacy Statement” menu item in the footer.