Privacy Statement and Cookie Policy

As the controller within the meaning of the European General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act [“BDSG”, Bundesdatenschutzgesetz], DFL Deutsche Fußball Liga GmbH, Guiollettstrasse 44-46, 60325 Frankfurt am Main, Germany, (“the DFL“) collects, processes and uses personal data that is collected and stored during visits to and use of the website www.dfl.de (the “Website“), in compliance with the data privacy regulations applicable in the Federal Republic of Germany, particularly the GDPR and the BDSG. This Privacy Statement and Cookie Directive (hereinafter collectively: the “Statement”) sets out which personal data regarding visitors to the website (hereinafter: “Users“) is collected and how this data is processed.

1. Data collection and processing during visits to the Website

Every time a User accesses the Website, the User’s web browser automatically transfers the following data to the DFL’s web server for technical reasons:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the page accessed
  • Quantity of data transferred
  • Access status (file transferred, file not found etc.)
  • Identification data of the browser and operating system used on the User’s device
  • Name of the User’s internet service provider
  • Website from which the access takes place

The collection and processing of this data occur for the purposes of enabling the use of the Website (establishing a connection), system security and the technical administration of the network infrastructure. The data will not be compared with other sets of data or passed on to third parties either in whole or in part.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The DFL’s legitimate interest is based on the aim of providing the Users a secure and functioning Website.

Additional reference is made to Clause 4 with regard to the collection and processing of data for analysing the use of the Website and its content as well as the optimisation of the Website through web analytical services.

2. Data collection and processing in the context of the newsletters offered on the Website

2.1 Registration

In order to receive the newsletters being offered on the Website (DFL Focus: Tomorrow Newsletter, DFL Fan Letter), the User must subscribe to it including entering his or her personal data (first and last name, email address).

The collection and processing of this personal data takes place exclusively for the purpose of being able to offer the User the desired information and services and is carried out only in the manner and to the extent which the User has expressly consented to in advance.

The legal basis for processing is Art. 6 para. 1 sentence 1 a) GDPR.

The User may withdraw his or her consent prospectively at any time (e.g. by clicking the unsubscribe link in every newsletter to the contact information listed in the imprint), without this affecting the legitimacy of the processing done prior to the withdrawal of the consent.

2.2 Analytics of the use of the newsletters

The DFL will assign a user ID to the User of the respective newsletter to determine the time at which the respective newsletter was opened and which links or functions were activated from that newsletter. This tracking takes place for the purpose of internal optimisation of the respective newsletter. This data will not be passed on.

The legal basis for this data processing is Art. 6 para. 1 sentence 1 a) GDPR. If the User does not want this tracking to take place, he/she can unsubscribe from the respective newsletter (e.g. via the unsubscribe link in each newsletter).

3. Data collection and processing in the context of web analysis

The DFL uses Matomo, an open-source analytics application developed by InnoCraft Ltd., New Zealand (“Matomo”) to analyse use of the Website and its content. This application is installed locally on the DFL’s servers. The DFL uses the application without cookies, unless the User has agreed to the use of such cookies on the User’s device (further details on the cookies used can be found in Section 8 of this Statement).

Matomo collects and stores the following data:

  • Two bytes of the IP address of the User’s system used to access the Website
  • Website accessed
  • Website from where the User arrived at the accessed web page (referrer)
  • Sub-pages which are accessed from the accessed Website
  • Time spent on the Website
  • Frequency at which Website is accessed

If no cookies will be used, repeat users are identified by way of a config_id. This is a random character sequence that is calculated using the first two bytes of the IP address, the browser plugin, the operating system and the User’s selected browser language, and then hashed. The ID is deleted and a new one created after 24 hours so that the Website cannot reidentify the User when visiting again.

Using the IP2Location™ IP-Country-Region-City-ISP Database [DB4] features from Hexasoft Development Sdn Bhd, Malaysia, (“ip2location”) likewise installed locally on the DFL’s servers, additional geolocation information (country, region, town or city) is also collected and stored cumulatively on the basis of IP addresses.

Collection and processing take place only on the DFL’s servers. The data will not be passed on to Matomo or any other third parties.

Matomo and ip2location are set up to ensure that IP addresses are not stored in their entirety; instead, two bytes of each IP address are masked (e.g. 192.168.xxx.xxx). This renders it impossible to attribute the abbreviated IP address to the specific device used. A User can prevent such an analysis by using the following opt-out.

However, the DFL hereby informs the User that in this case, it is possible that the User may not be able to use all functions of the Website to their fullest extent. If the User chooses to opt-out, a (additional) cookie with the name “matomo_ignore” and a lifetime of 30 years will be set on the User’s device, which signals to DFL’s system not to process or analyse the User’s data. If the User later clears the cookies on their device, this opt-out cookie will also be cleared and will need to be reinstalled.

Further information on privacy can be found in Matomo’s privacy policy .

The legal basis for this processing is Art. 6 para. 1 sentence 1 f) GDPR, whereby the DFL’s legitimate interest in the processing is the evaluation of Website data for the purpose of optimising it.

4. Data collection and processing in the context of the registration for and use of the media centre

The use of parts of the media centre requires a prior registration including entering personal data (name, company address, contact information, etc.)

The legal basis for processing are

  • Art. 6 para. 1 sentence 1 a) GDPR for data for which the User has issued his or her consent to the DFL. Insofar as the processing is based on the consent of the User, the User has the right to withdraw the consent at any time without affecting the legality of the processing on the basis of the consent done prior to the withdrawal.
  • Art. 6 para. 1 sentence 1 b) GDPR for data which are necessary for fulfilling the obligations resulting from the registration and use of the media center.
  • Art. 6 para. 1 sentence 1 f) GDPR because of legitimate interests to monitor of the compliance with the provisions in these Terms and Conditions for Use and Data Privacy for the Media Center, as well as for any correction of errors of the media center.

5. PFiFF – Pool zur Förderung innovativer Fußball- und Fankultur

The submission, review, processing, implementation and evaluation as well as control of applications for the granting of funding requires the provision of personal data (name, contact details etc.) by the User.

The legal basis for processing of the data entered by the User are

  • Art. 6 para. 1 sentence 1 a) GDPR for data for which the User has issued his or her consent to the DFL. Insofar as the processing is based on the consent of the User, the User has the right to withdraw the consent at any time without affecting the legality of the processing on the basis of the consent done prior to the withdrawal.
  • Art. 6 para. 1 sentence 1 b) GDPR for data which are necessary for for the examination, processing, implementation and evaluation as well as control of funding applications and – upon positive decision – the implementation of funding projects.
  • Art. 6 para. 1 sentence 1 c) GDPR for data which are required to comply with official or judicial orders.

6. Special provisions for the DFL’s official social media accounts

6.1 Special provisions for the DFL’s official Twitter account

The DFL processes personal data via the official Twitter account of the DFL in joint responsibility together with Twitter. In this context, the DFL processes personal data on the basis of its legitimate interest in promptly providing information to and interacting with the Users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL has selected the most privacy-friendly settings possible for the use of the official Twitter account.

The DFL and Twitter have concluded an agreement on joint responsibility in accordance with Art. 26 para. 1 GDPR. A description of how Twitter processes personal data in connection with the DFL’s official Twitter account and how the agreement on joint responsibility between the DFL and Twitter is structured can be found via the the following link. The privacy policy of Twitter can be found at the following link .

6.2 Special provisions for the DFL’s official LinkedIn account

The DFL processes personal data via the official LinkedIn account of the DFL in joint responsibility together with LinkedIn. In this context, the DFL processes personal data on the basis of its legitimate interest in promptly providing information to and interacting with the Users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL has selected the most privacy-friendly settings possible for the use of the official LinkedIn account.

The DFL and LinkedIn have concluded an agreement on joint responsibility in accordance with Art. 26 para. 1 GDPR. A description of how LinkedIn processes personal data in connection with the DFL’s official LinkedIn account and how the agreement on joint responsibility between the DFL and Facebook is structured can be found via the following link. The privacy policy of LinkedIn can be found at the following link.

6.3 Special provisions for DFL’s official YouTube channel

The DFL processes personal data via the official YouTube channel of the DFL in joint responsibility together with Google. In this context, the DFL processes personal data on the basis of its legitimate interest in promptly providing information to and interacting with the Users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL has selected the most privacy-friendly settings possible for the use of the official YouTube channel.

The DFL and Google have concluded an agreement on joint responsibility in accordance with Art. 26 para. 1 GDPR. A description of how Google processes personal data in connection with the DFL’s official YouTube account and how the agreement on joint responsibility between the DFL and Facebook is structured can be found via the following link. The privacy policy of Google for YouTube can be found at the following link.

7. Sharing content

The DFL provides Users of the Website with the opportunity to share the Website’s content as described in the following section.

7.1 Using the Facebook, Twitter, WhatsApp and LinkedIn social media services

Users can share content from the Website on the social media services provided by Facebook, Twitter, WhatsApp and LinkedIn.

In order to prevent User data from being shared with these services without the User’s consent, the DFL offers only social sharing links on the Website. This ensures that no data will be transferred to third parties without the permission of the User. Only when the User activates the social media services by clicking the relevant icon, thereby consenting to connect with Facebook, Twitter, WhatsApp and LinkedIn, will a connection to the applicable service be established and the social sharing links created, and the User can then publish these links through the service. Further information on data processing by the providers can be found in the applicable privacy statements: Facebook , Twitter, WhatsApp, and LinkedIn.

7.2 E-mail forwarding

The User can also share and recommend content from the Website via e-mail by clicking the relevant button. The DFL will not use, process or store in any way the recipient e-mail addresses that the User enters in the e-mail application that opens when he/she clicks the relevant icon.

7.3 Temporary storage

The User can also temporarily store links to content from the Website on his/her device and process them via services chosen by the User (e.g. sending them to his/her contacts).

8. Cookies

The DFL uses different cookies on the Website. Cookies are small text files that are stored on the User’s end device and allow to recognize this end device. The Users have the option to adjust their browser’s settings to prevent it from accepting the storage of cookies. Please note that in that case that certain parts of the Website may not work.

The following sections describes which categories of cookies are used on the Website and which cookies belong to each category:

8.1 Strictly Necessary Cookies

Strictly necessary cookies are necessary for the Website to function and cannot be switched off by the Users. The legal basis for the use of these cookies are the legitimate interests of the DFL pursuant to Art. 6 para. 1 sentence 1 f) GDPR. The DFL’s legitimate interest results from the fact that the DFL wants to ensure a secure and most efficient operation of the Website.

The DFL uses the following strictly necessary cookies on the Website:

Name Domain First Party / Third Party Lifespan Description
AWSELB dfl.de First Party Session This cookie from Amazon Web Services (AWS) is necessary for the operation of the Website via AWS. The cookie enables AWS to direct requests from a specific session to the same server whenever possible (so-called sticky session). This is mainly used to ensure that a session is not lost as a result of requests for a session being routed to different servers.
AWSELBCORS dfl.de First Party Session This cookie from Amazon Web Services (AWS) is necessary for the operation of the Website via AWS. The cookie enables AWS to direct requests from a specific session to the same server whenever possible (so-called sticky session). This is mainly used to ensure that a session is not lost as a result of requests for a session being routed to different servers.
PHPSESSID dfl.de First Party Session Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number that can be used to maintain a certain status of a User between pages (for example if the User is logged in).
OptanonAlertBoxClosed dfl.de First Party 1 year This cookie is set by us regarding the use of the cookie law compliance solution from OneTrust. It is set after Users have seen a cookie information notice and in some cases only when they actively close the notice down. It enables us not to show the message more than once to a User.
OptanonConsent dfl.de First Party 1 year This cookie is set by us regarding the use of the cookie law compliance solution from OneTrust. It is set after Users have seen a cookie information notice and in some cases only when they actively close the notice down. It enables us not to show the message more than once to a User.

8.2 Performance Cookies

These cookies enable the DFL to analyse the use of the Website and to optimize the Website based on the User behaviour. The DFL does not share information obtained from these cookies with third parties and does not use it for individual advertising.

Performance cookies will only be used upon the User’s consent to the respective processing and use of the cookies. The legal basis for the use of these cookies is Art. 6 para. 1 sentence 1 a) GDPR. Users can withdraw their consent at any time with effect to the future by changing their cookie settings.

DFL uses the following performance cookies on the Website:

Name Domain First Party / Third Party Lifespan Description
_pk_id* dfl.de First Party 13 months This cookie from Matomo provided by InnoCraft Ltd. (New Zealand) is used to help us track user behaviour and measure site performance. The cookie is used to store a few details about the User such as the unique visitor ID to distinguish unique returning Users and merge the data from previous visits. The cookie records statistics about User visits to the Website, such as the number of visits, average time spent on the Website and which pages were read. We do not share any information generated by this cookie with Matomo or any other third party.
_pk_ses* dfl.de First Party 30 minutes This cookie from Matomo provided by InnoCraft Ltd. (New Zealand) is used to help us track User behaviour and to track page requests of the User during the session. The cookie is used to temporarily store data for the visit. We do not share any information generated by this cookie with Matomo or any other third party.
AWSALB mt.dfl.de First Party 7 days This cookie from Amazon Web Services (AWS) is related to the integration of Matomo via AWS on the Website. The cookie enables AWS to direct requests from a specific session to the same server whenever possible (so-called sticky session). This is mainly used to ensure that a session is not lost as a result of requests for a session being routed to different servers.
AWSALBCORS mt.dfl.de First Party 7 days This cookie from Amazon Web Services (AWS) is related to the integration of Matomo via AWS on the Website. The cookie enables AWS to direct requests from a specific session to the same server whenever possible (so-called sticky session). This is mainly used to ensure that a session is not lost as a result of requests for a session being routed to different servers.
test dfl.de First Party Session This cookie from Matomo provided by InnoCraft Ltd. (New Zealand) is used to check if the User’s browser supports party cookies.

8.3 Functional Cookies

These cookies enable the DFL to provide enhanced functionality and personalisation on the respective Website. These cookies can be set by the DFL or its processors whose services we have added to the respective Website. If the User does not allow these cookies, then some or all of these services may not function properly. The legal basis for the use of these cookies are the legitimate interests of the DFL pursuant to Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of the DFL results from the fact that the DFL wants to offer a Website with as many functions and interesting content as possible.

DFL uses the following functional cookies on the Website: 

Name Domain First Party / Third Party Lifespan Description
matomo_ignore dfl.de First Party 30 Years This cookie from Matomo provided by InnoCraft Ltd. (New Zealand) is set if the User chooses to opt-out (see Section 3). This cookie signals which signals to our system not to store process or analyse the User’s data.

8.4 Social Media Cookies

These cookies are used by social media providers whose content the DFL embeds into the Website. Among other things, they enable Users to distribute our content on social media. These cookies can track the Users’ browser across other sites and building up a profile of their interests. This may affect content and messages that Users see on other websites. So these cookies also serve marketing purposes.

Social media cookies will only be used upon the User’s consent to the respective processing and use of the cookies. The legal basis for the use of these cookies is Art. 6 para. 1 sentence 1 a) GDPR. Users can withdraw their consent at any time with effect to the future by changing their cookie settings.

The DFL uses the following social media cookies on the Website:

Name Domain First Party / Third Party Lifespan Description
GPS youtube.com Third Party 30 minutes The cookie is set by YouTube, a platform owned by Google LLC (USA) for hosting and sharing videos. It registers a unique ID on mobile devices to enable tracking based on geographical GPS location. YouTube combines such data with other information from Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. More information can be found here.
Lang cdn.syndication.twimg.com Third Party Session This cookie is set by Twitter and stores the language version of a website selected by the User to display the social media content accordingly. More information can be found here.
VISITOR_INFO1_ LIVE youtube.com Third Party 180 days
The cookie is set by YouTube, a platform owned by Google LLC (USA) for hosting and sharing videos. The cookie is used to estimate the Users’ bandwidth on pages with integrated YouTube videos to determine which version of the YouTube player is displayed. More information can be found here.
YSC youtube.com Third Party Session The cookie is set by YouTube, a platform owned by Google LLC (USA) for hosting and sharing videos. The cookie registers a unique ID to keep statistics of the videos from YouTube that the user has seen. More information can be found here.

9. Data forwarding to third parties

Aside from the cases outlined, the DFL will forward personal data to third parties only if it is authorised or obliged to do so. This is the case particularly if the DFL transfers personal data to government agencies and authorities in accordance with mandatory national legislation or if forwarding is necessary for the purpose of legal action or criminal prosecution in the event of attacks on network infrastructure. The legal basis for this processing is Art. 6 para. 1 sentence 1 c) GDPR in conjunction with Section 24 para. no. 1 BDSG.

10. Storage and deletion of personal data

All stored personal data and pseudonymised usage data will be deleted immediately and permanently as soon as they are no longer needed for the purposes for which they were collected or if the User demands this, unless the DFL is required or entitled by law to preserve the data. If the DFL is required or entitled by law to preserve the data, the stored personal data and pseudonymised usage data will be permanently deleted upon expiry of the statutory retention periods.

11. Security

The DFL uses technical and organisational security measures to protect personal User data against accidental or intentional tampering, loss, destruction or access by unauthorised persons. These security measures are regularly adapted in accordance with technological developments. Nonetheless, the DFL advises the User that absolute security can never be guaranteed in online data transmission.

12. Links to other websites

The Website may contain links to other websites. This Statement applies solely to this Website. The DFL has no influence over content from other providers and does not control whether other providers comply with the applicable data protection regulations or other legal requirements. If a user alerts the DFL to the presence of unlawful content on linked websites, the DFL will remove the links from the Website immediately.

13. Rights of the User

The GDPR grants a number of rights to the User. In particular, the User has

  • a right of access to personal data concerning themselves (Art. 15 GDPR)
  • a right to rectification of inaccurate data (Art. 16 GDPR)
  • a right to erasure of data under the conditions stipulated in Art. 17 GDPR
  • a right to restriction of processing (Art. 18 GDPR)
  • a right to data portability in accordance with Art. 20 GDPR
  • a right to object to processing, unless this takes place to protect the legitimate interests of the DFL (Art. 21 GDPR).

If data processing is based on the User’s consent, the User may revoke this at any time with future effect.

The User can assert their rights by submitting a message via the contact form accessible at this link or by post using the address specified at the beginning of this Privacy Statement. The DFL’s privacy officer can be contacted at dataprivacy@dfl.de. This e-mail address is used to respond solely to enquiries pertaining to privacy.

Furthermore, the User can submit a complaint about the data processing to an appropriate supervisory authority. The authority responsible for the DFL is the Hessian Commissioner for Data Protection and Freedom of Information [Hessischer Beauftragter für Datenschutz und Informationsfreiheit], and the User can submit a complaint via the following link.

14. Where can the User find the relevant legal texts?

The User can access the GDPR via this link and the BDSG and other relevant German legal texts via this link.

15. Applicability, validity and up-to-date status of the Statement

The provisions in this Statement on the collection, processing and use of the User’s data apply to the User when using the Website. This Statement is up to date as at 24 February 2023. The DFL reserves the right to amend this Statement as needed at any time and with future effect, especially for the purposes of adapting to later versions of the Website or implementing new technologies. The User can view the current Statement on the Website at any time under the “Privacy Statement and Cookie Policy” menu item in the footer.