Privacy Statement and Cookie Policy

As a controller within the context of the European General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act [“BDSG”, Bundesdatenschutzgesetz], DFL Deutsche Fußball Liga GmbH, Guiollettstrasse 44-46, D-60325 Frankfurt am Main (“DFL“) collects, processes and uses personal data which has been captured from visits to the website www.dfl.de (the “Website“) in compliance with the applicable data privacy provisions in the Federal Republic of Germany, in particular the GDPR and the BDSG. This Privacy Statement and Cookie Directive (hereinafter together: the “Statement”) sets out which data of the visitor (“User“) is captured on the Website and how this information is processed.

1. Personal data

Personal data are all information which relate to an identified or identifiable natural person. A natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes, for example, the name, personalized email addresses, the residential address, the telephone number or the date of birth. 

2. Data collection, processing and use when accessing the Website

Each time a User accesses the Website, the User’s Internet browser, for technical reasons, automatically supplies the following data to DFL’s web server:

  • • IP address of the end device
  • • date and time of access
  • • name and URL of accessed page
  • • transferred data volume
  • • access status (data file transmitted, data file not found, etc.)
  • • recognition data of the used browser and operating system of the User’s end device
  • • name of the User’s Internet service provider
  • • website from which the access was made

The collection, processing and use of these data occur for the purposes of enabling the use of the Website (connection set-up), system security and technical administration of the network infrastructure. A comparison with other data sets or a transmission to third parties, even in excerpts, does not take place.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of DFL results from the fact that DFL wants to provide a secure and functioning Website.

With regard to data collection, processing, and use for the purpose of optimizing the Website through web analytics, additional reference is made to Section 4 of this Statement.

3. Data collection, processing and use in the context of the newsletters offered on the Website

3.1 Registration 

In order to receive the newsletters being offered on the Website (DFL Focus: Tomorrow Newsletter, DFL Fan Letter), the User must subscribe to it including entering his or her personal data (first and last name, email address). 

The collection, processing and use of these personal data are solely for the purpose of offering the User information and services requested by him/her and only in the nature and extent of the prior consent of the User. 

The legal basis for processing is Art. 6 para. 1 sentence 1 a) GDPR.

The User may withdraw his or her consent prospectively at any time (e.g. by clicking the unsubscribe link in every newsletter to the contact information listed in the imprint), without this affecting the legitimacy of the processing done prior to the withdrawal of the consent. 

3.2 Analytics of the use of the newsletters

The Users of the respective newsletter are assigned a UserID, which allows the DFL to determine when the respective newsletter was opened and which links or functions from the respective newsletter were activated. This tracking (tracing) takes place for the internal optimization of the respective newsletter. These data will not be disclosed. 

The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR, whereby the legitimate interest for DFL results from the fact that, in the first place, DFL has an interest in optimizing such services. Secondly, the User will not incur any particular disadvantages when comparing the User’s reasonable expectations based on his or her relation to the DFL as the Website operator and newsletter provider. If the User of the respective newsletter does not want this tracking to take place, he/she can unsubscribe from the respective newsletter.

4. Data collection, processing and use in the context of web analysis 

On the Website, DFL uses the open source web analysis service “Matomo” (formerly: Piwik) provided by InnoCraft Ltd., New Zealand which is locally installed on the servers of DFL (“Matomo”). Matomo stores cookies on the User’s end device (more details about the used cookies can be found in Section 9 of this Statement) and the following data will be collected and stored by using Matomo:

  • • Two bytes of the IP address of the User’s accessing network
  • • Called up Website
  • • Website from which the User has accessed the accessed Website (referrer)
  • • Subpages accessed from the accessed Website
  • • Duration of stay on the Website
  • • Frequency with which the Website is accessed

By using the feature „IP2Location™ IP-Country-Region-City-ISP Database [DB4]“ provided Hexasoft Development Sdn Bhd, Malaysia („ip2location“) additional geographic information (country, region, city) will be collected and stored based on the IP addresses in aggregated form. This feature is also locally installed on the servers of DFL. 

A collection and storage always only takes place on the servers of DFL. The data will not be transmitted to Matomo or other third parties.

Matomo and ip2location are set in a way that the IP addresses are not stored completely, but 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the calling computer. The User can prevent such an analysis by making use of the following opt-out. However, DFL hereby informs the User that in this case it is possible that the User cannot completely use all functions of the Website. In case the User opt-outs, another cookie will be stored on the User’s end device. This cookie will signal the system of DFL to not store the User’s data. If the User deletes cookies from his/her end device, this opt-out cookie will also be deleted and will have to be set again.

Further information about data protection are available under the following link.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR, whereby the legitimate interest for DFL results from the fact that DFL has an interest in evaluating the Website data for purposes of its optimization. 

5. Data collection, processing and use in the context of the registration for and use of the media center

The use of parts of the media center requires a prior registration including entering personal data (name, company address, contact information, etc.) 

The legal basis for processing are

  • – Art. 6 para. 1 sentence 1 a) GDPR for data for which the User has issued his or her consent to DFL. Insofar as the processing is based on the consent of the User, the User has the right to withdraw the consent at any time without affecting the legality of the processing on the basis of the consent done prior to the withdrawal.
  • – Art. 6 para. 1 sentence 1 b) GDPR for data which are necessary for fulfilling the obligations resulting from the registration and use of the media center. 
  • – Art. 6 para. 1 sentence 1 f) GDPR because of legitimate interests to monitor of the compliance with the provisions in these Terms and Conditions for Use and Data Privacy for the Media Center, as well as for any correction of errors of the media center. 

6. PFiFF – Pool zur Förderung innovativer Fußball- und Fankultur

The submission, review, processing, implementation and evaluation as well as control of applications for the granting of funding requires the provision of personal data (name, contact details etc.) by the User.

The legal basis for processing of the data entered by the User are

  • – Art. 6 para. 1 sentence 1 a) GDPR for data for which the User has issued his or her consent to DFL. Insofar as the processing is based on the consent of the User, the User has the right to withdraw the consent at any time without affecting the legality of the processing on the basis of the consent done prior to the withdrawal.
  • – Art. 6 para. 1 sentence 1 b) GDPR for data which are necessary for for the examination, processing, implementation and evaluation as well as control of funding applications and – upon positive decision – the implementation of funding projects.
  • – Art. 6 para. 1 sentence 1 c) GDPR for data which are required to comply with official or judicial orders. 

7. Special terms for DFL’s official social media accounts 

7.1 Special terms for DFL’s official Twitter account 

DFL processes personal data via the official Twitter account in joint responsibility together with Twitter. DFL processes personal data to protect its legitimate interests in a modern information and interaction with users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. For the use of the official Twitter account, DFL has chosen the most privacy-friendly filter settings possible. 

DFL and Twitter have concluded a joint controllership agreement in accordance with Art. 26 para. 1 GDPR. How Twitter processes personal data in connection with DFL’s account and the essence of the joint controllership between DFL and Twitter can be found under the following link. Twitter’s privacy policy can be found under the following link

7.2 Special terms for DFL’s official LinkedIn account 

DFL processes personal data via the official LinkedIn account in joint responsibility together with LinkedIn. DFL processes personal data to protect its legitimate interests in a modern information and interaction with users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. For the use of the official LinkedIn account, DFL has chosen the most privacy-friendly filter settings possible. 

DFL and LinkedIn have concluded a joint controllership agreement in accordance with Art. 26 para. 1 GDPR. How LinkedIn processes personal data in connection with DFL’s account and the essence of the joint controllership between DFL and LinkedIn can be found under the following link. LinkedIn’s privacy policy can be found under the following link

7.3 Special terms for DFL’s official YouTube channel

DFL processes personal data via the official YouTube channel of DFL in joint responsibility together with Google. DFL processes personal data to protect its legitimate interests in a modern information and interaction with users in accordance with Art. 6 para. 1 sentence 1 f) GDPR. For the use of the official YouTube channel, DFL has chosen the most privacy-friendly filter settings possible. 

DFL and Google have concluded a joint controllership agreement in accordance with Art. 26 para. 1 GDPR. How Google processes personal data in connection with DFL’s YouTube account and the essence of the joint controllership between DFL and Google regarding YouTube can be found under the following link. Google’s privacy policy for YouTube can be found under the following link.

7.4 Special terms for PFiFF’s official Facebook account 

DFL processes personal data via the official Facebook account of PFiFF in joint responsibility together with Facebook. DFL processes personal data to protect its legitimate interests in a modern information and interaction with users in accordance with Art. 6 para. 1 sentence f) GDPR. For the use of the official Facebook account of PFiFF, DFL has chosen the most privacy-friendly filter settings possible. 

DFL and Facebook have concluded a joint controllership agreement in accordance with Art. 26 para. 1 GDPR. How Facebook processes personal data in connection with the fanpage and the essence of the joint controllership agreement between the DFL and Facebook can be found under the following link. Facebook’s privacy policy can be found under the following link

8. Sharing of content

DFL provides Users of the Website with the opportunity to share the Website’s content. The legal basis for the following processing is Art. 6 para. 1 sentence 1 a) GDPR. 

8.1 Use of platforms Facebook, Twitter, WhatsApp and LinkedIn

Users can share the Website’s content on services provided by Facebook, Twitter, WhatsApp and LinkedIn.

The use of these plugins will normally result in the transfer of data to Facebook, Twitter, WhatsApp or LinkedIn with each content visited, without the User’s explicit permission. Along with the web address of the content visited, an identifier will also be transmitted which enables a direct connection to be made between the User and his/her profile on the respective platform.

The platform operators do not pass on any specific details pertaining to what other data is transmitted. The platform operators are moreover constantly developing their services and make available information as to how the accompanying data is used. The currently valid data protection regulations of the platform providers can be found here: Facebook, Twitter, WhatsApp, and LinkedIn.

In order to prevent any unwanted transmission of Users’ data to Facebook, Twitter, WhatsApp and LinkedIn and to give Users a choice as to whether they wish to use such services, DFL only offers social sharing links. This ensures no data will be transferred to third parties without the permission of the User. Only when the User activates the services, therefore consenting to connect with Facebook, Twitter, WhatsApp and LinkedIn, the connection with their services will be established and the social sharing links be provided.

8.2 Email forwarding

The User can also share content of the Website via email by clicking on the email logo button or recommend this content. The email addresses of the recipients entered in by the User will not be used, processed or stored by DFL.

8.3 Cache

Furthermore, the User can cache links to content on the Website on his/her end device and further process them via selected services by him/her (e.g. sending the link to one of his/her contacts). 

9. Cookies

DFL uses different cookies on the Website. Cookies are small text files that are stored on the User’s end device and allow to recognize this end device. The Users have the option to adjust their browser’s settings to prevent it from accepting the storage of cookies. Please note that in that case that certain parts of the Website may not work. 

The following sections describes which categories of cookies are used on the Website and which cookies belong to each category:

9.1 Strictly Necessary Cookies

Strictly necessary cookies are necessary for the Website to function and cannot be switched off by the Users. The legal basis for the use of these cookies are the legitimate interests of DFL pursuant to Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of DFL results from the fact that DFL wants to ensure a secure and most efficient operation of the Website.

DFL uses the following strictly necessary cookies on the Website: 

Name Domain First Party / Third Party Lifespan Description
AWSELB dfl.de First Party Session This cookie from Amazon Web Services (AWS) is necessary for the operation of the Website via AWS. The cookie enables AWS to direct requests from a specific session to the same server whenever possible (so-called sticky session). This is mainly used to ensure that a session is not lost as a result of requests for a session being routed to different servers.
AWSELBCORS dfl.de First Party Session This cookie from Amazon Web Services (AWS) is necessary for the operation of the Website via AWS. The cookie enables AWS to direct requests from a specific session to the same server whenever possible (so-called sticky session). This is mainly used to ensure that a session is not lost as a result of requests for a session being routed to different servers.
laralevel_session postmansubs.com First Party Session We use this cookie for security functions (CSRF protection, bot/flooding detection) when users register for our newsletters / or forms. It is hosted by our processor Webstrategy GmbH.
PHPSESSID dfl.de First Party Session Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number that can be used to maintain a certain status of a User between pages (for example if the User is logged in).
OptanonAlertBoxClosed dfl.de First Party 1 year This cookie is set by us regarding the use of the cookie law compliance solution from OneTrust. It is set after Users have seen a cookie information notice and in some cases only when they actively close the notice down. It enables us not to show the message more than once to a User.
OptanonConsent dfl.de First Party 1 year This cookie is set by us regarding the use of the cookie law compliance solution from OneTrust. It is set after Users have seen a cookie information notice and in some cases only when they actively close the notice down. It enables us not to show the message more than once to a User.

9.2 Performance Cookies

These cookies enable DFL to analyse the use of the Website and to optimize the Website based on the User behaviour. DFL does not share information obtained from these cookies with third parties and does not use it for individual advertising. 

The legal basis for the use of these cookies are the legitimate interests of DFL pursuant to Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of DFL results from the fact that DFL wants to analyse the use of the Website in order to make it as pleasant as possible for users.

DFL uses the following performance cookies on the Website:

Name Domain First Party / Third Party Lifespan Description
_pk_id* dfl.de First Party 13 months This cookie from Matomo (formerly: Piwik) provided by InnoCraft Ltd. (New Zealand) is used to help us track user behaviour and measure site performance. The cookie is used to store a few details about the User such as the unique visitor ID to distinguish unique returning Users and merge the data from previous visits. The cookie records statistics about User visits to the Website, such as the number of visits, average time spent on the Website and which pages were read. We do not share any information generated by this cookie with Matomo or any other third party.
_pk_ses* dfl.de First Party 30 minutes This cookie from Matomo (formerly: Piwik) provided by InnoCraft Ltd. (New Zealand) is used to help us track User behaviour and to track page requests of the User during the session. The cookie is used to temporarily store data for the visit. We do not share any information generated by this cookie with Matomo or any other third party.
AWSALB mt.dfl.de First Party 7 days This cookie from Amazon Web Services (AWS) is related to the integration of Matomo via AWS on the Website. The cookie enables AWS to direct requests from a specific session to the same server whenever possible (so-called sticky session). This is mainly used to ensure that a session is not lost as a result of requests for a session being routed to different servers.
AWSALBCORS mt.dfl.de First Party 7 days This cookie from Amazon Web Services (AWS) is related to the integration of Matomo via AWS on the Website. The cookie enables AWS to direct requests from a specific session to the same server whenever possible (so-called sticky session). This is mainly used to ensure that a session is not lost as a result of requests for a session being routed to different servers.
test dfl.de First Party Session This cookie from Matomo (formerly: Piwik) provided by InnoCraft Ltd. (New Zealand) is used to check if the User’s browser supports party cookies. 

9.3 Social Media Cookies

These cookies are used by social media providers whose content DFL embeds into the Website. Among other things, they enable Users to distribute our content on social media. These cookies can track the Users’ browser across other sites and building up a profile of their interests. This may affect content and messages that Users see on other websites. So these cookies also serve marketing purposes. 

Social media cookies will only be used upon the User’s consent to the respective processing and use of the cookies. The legal basis for the use of these cookies is Art. 6 para. 1 sentence 1 a) GDPR. Users can withdraw their consent at any time with effect to the future by changing their cookie settings. 

DFL uses the following social media cookies on the Website: 

Name Domain First Party / Third Party Lifespan Description
GPS youtube.com Third Party 30 minutes The cookie is set by YouTube, a platform owned by Google LLC (USA) for hosting and sharing videos. It registers a unique ID on mobile devices to enable tracking based on geographical GPS location. YouTube combines such data with other information from Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. More information can be found here.
Lang cdn.syndication.twimg.com Third Party Session This cookie is set by Twitter and stores the language version of a website selected by the User to display the social media content accordingly. More information can be found here.
VISITOR_INFO1_ LIVE youtube.com Third Party 180 days
The cookie is set by YouTube, a platform owned by Google LLC (USA) for hosting and sharing videos. The cookie is used to estimate the Users’ bandwidth on pages with integrated YouTube videos to determine which version of the YouTube player is displayed. More information can be found here.
YSC youtube.com Third Party Session The cookie is set by YouTube, a platform owned by Google LLC (USA) for hosting and sharing videos. The cookie registers a unique ID to keep statistics of the videos from YouTube that the user has seen. More information can be found here.

10. Limited purpose for processing and using personal data

All processing or use of personal data of the User occurs only for the purposes mentioned in this Statement and to the extent necessary to achieve the respective purpose.

Personal data are not published by DFL or disclosed to unauthorized third parties.

Transmissions of personal data to government agencies and public authorities occur only in accordance with mandatory national provisions in the law or if the disclosure is necessary in the case of attacks on the network infrastructure in order to pursue rights and for purposes of criminal prosecution. The legal basis for this processing is Art. 6 para. 1 sentence 1 c) GDPR in conjunction with § 24 para. 1 no. 1 b) German Data Protection Act [Bundesdatenschutzgesetz, “BDSG”].

11. Storage and deletion of personal data

All stored personal data and pseudonymized usage data are deleted immediately and permanently as soon as the data are no longer needed for the purposes for which they were collected or the User demands this unless DFL is required or entitled by law to do preserve the data. If DFL is required or entitled on the basis of provisions in the law to preserve the data, the stored personal data and pseudonymized usage data will be permanently deleted upon expiration of the time periods for preserving data required by law.

12. Security

DFL uses technical and organizational security measures in order to protect the personal data of the Users against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security measures are continuously adapted in accordance with technological developments.

13. Links to other websites

The Website may contain links to other websites. This Statement applies solely to the Website of DFL. DFL has no influence over, and does not control whether other providers comply with applicable data privacy provisions.

14. Rights of the User

The User has several rights under the GDPR. In particular, the User has 

  • a right to information with regard to the stored personal data of the User (Art. 15 GDPR);
  • a right to have incorrect data corrected (Art. 16 GDPR);
  • a right to erasure under the prerequisites described in Art. 17 GDPR;
  • a right to restriction of the processing (Art. 18 GDPR);
  • a right for data transferability (Art. 20 GDPR); and
  • a right to object against the processing, if such processing safeguards Our legitimate interests (Art. 21 GDPR). 

The User can assert his/her rights by using the contact form which is available under this following link or a letter to the abovementioned address. The data protection officer of DFL can be contacted at dataprivacy@dfl.de. Please note that only data privacy-related messages will be answered at this email address.

Furthermore, the User can submit a complaint about the data processing to the responsible supervisory authority. The Hessian Commissioner for Data Protection and Freedom of Information [Hessischer Beauftragter für Datenschutz und Informationsfreiheit] is responsible for DFL and the User can submit a complaint via the following link

15. Where can the User find the relevant legal texts?

The GDPR can be found under the following link, the BDSG and other relevant German legal texts under the following link.

16. Applicability, validity and timeliness of the Statement

The provisions in this Statement on collection, processing and use of the User’s data apply for the User when using the Website. This Statement is current valid and is dated as of 19 August 2020. DFL reserves the right to amend this Statement at any time as needed with effect for the future, especially for the purposes of adaption to a further development of the Website or the implementation of new technologies.