for the Official Bundesliga Fantasy Manager app ('App') for DFL Deutsche Fußball Liga GmbH, Guiollettstrasse 44-46, 60325 Frankfurt am Main, Germany ('the DFL').

The DFL processes and uses personal data collected and stored during the installation and use of the App in compliance with the data privacy regulations applicable in the Federal Republic of Germany. This privacy statement (hereinafter referred to as 'the Statement') sets out which personal data regarding users (hereinafter collectively referred to as 'the User') is collected and how this data is processed and used.

1. Permissions

For the App to work correctly, it is necessary for the User to grant the App access to certain functions and data on the user's device. During installation, the User will be asked once to grant the relevant permissions. The way in which permissions are granted varies depending on the device manufacturer. In some cases, access per-missions have different names, while individual permission categories are some-times combined, meaning that the User can approve only the entire permission category. By granting permission, the User consents to his/her data being processed accordingly

Note that if you do not grant one or more of the permissions requested, some functions of the App may not be usable. If the User nonetheless attempts to activate such a function, the App will again ask the User to grant permission. The User can at any time use the device settings to revoke permission that has previously been granted.

If the User has granted permission, the DFL will use it as follows:

• Files and media: The App requires access to files and media when creating user feedback so that it can access screenshots taken by the User to show problems occurring in the App.

• Camera: The App requires access to the camera when creating user feedback so that it can access screenshots taken by the User to show problems occurring in the App.

• Background app refresh: This function is used to run the App regularly in the background to ensure that its content is kept up to date and, if it is not, that it can update the content. On iOS devices, these functions can be disabled in the device settings.

• Cellular data: This function is used to check that the device is connected to the internet, if the User is not logged on to a Wi-Fi network. On iOS devices, these functions can be disabled in the device settings.

2. Data collection and processing during use of the App

2.1 Installation and use of the App

The following data will automatically be logged on the DFL server when the App is installed and used:

• IP address of the requesting device

• Date and time of installation

• Date and time of access

• Quantity of data transferred

• Access status (file transferred, file not found etc.)

• Name and version of operating system used

• Time zone settings

• Identification data of device used

• Name of the User's internet service provider and information about the mobile network used

The collection, processing and use of this data occur for the purposes of enabling the use of the App, system security and the technical administration of the network infrastructure. The data will not be compared with other sets of data or passed on to third parties either in whole or in part.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) of the EU General Data Protection Regulation ('GDPR'). The DFL's legitimate interest is based on the aim of providing the User with a secure and functioning App.

2.2 Crashlytics

In the App, the DFL uses Crashlytics, a service of Google LLC (USA) ('Crashlytics') that collects information about user behaviour and the devices used so as to diagnose and resolve potential problems with the App. This data is stored anonymously. However, data may be transferred to the USA as part of the process. More detailed information about Firebase Crashlytics can be found via the following link and in the privacy information from Firebase Crashlytics.

The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The DFL's legitimate interest is based on the aim of providing the User with the most stable App possible.

2.3 Analysis of the use of the App and its content

Additional reference is made to Clause 5 with regard to the collection and processing of data for analysing the use of the App and its content as well as optimisation of the App through analytical services.

3. Data collection and processing in the context of registration, login and use of the App

3.1 Registration and login

3.1.1 A Bundesliga account enables access to digital products from the DFL and/or individual services offered therein (e.g. Official Bundesliga Fantasy Manager, Bundesliga Newsletter) as well as to content (e.g. certain editorial content) that is only accessible to registered users. Insofar as a Bundesliga account is required for such usage, the DFL uses the customer identity management platform provided by Okta, Inc., 101 1st Street, San Francisco, CA 94105, USA ('Okta'), for such registrations and the associated login.

During registration of a Bundesliga account and the further onboarding process, the DFL asks the Users for the following data:

• Full name

• E-mail address

• Username

• Country

• Team name

• Favourite club

• Gender (optional)

• Date of birth (optional)

• Password

Okta stores and manages this data in Germany but may refer some support queries to international support teams in Australia, Canada, Singapore, Japan and the USA. Insofar as any of these countries does not have the same level of data privacy as the EU and, particularly in the USA, it is possible for security agencies to access personal data stored there to a considerable extent, Okta safeguards this transfer of data by means of EU standard contractual clauses. Further information can be found in Okta's privacy policy.

Okta assigns each User a randomly generated Okta ID, which is linked to the User’s Bundesliga account and enables the Bundesliga account and the associated regis-tration and usage data to be matched across products.

This data will be used for the operation and management of the services subject to registration and to establish, implement, or terminate the underlying agreement with the User on participation in the service(s) he/she has selected. The legal basis for processing is Art. 6 para. 1 sentence 1 a) GDPR, provided the User has given his/her consent to the processing (which can be revoked with future effect at any time), and Art. 6 para. 1 sentence 1 b) GDPR.

Insofar as the User has agreed to the use of Amplitude, by means of a customer data platform, the Okta ID and the other registration and usage data associated with a Bundesliga account will also be combined with the data collected in accordance with Clause 5.1, analysed and used to show the User tailored content and market-ing in order to improve and personalise the user experience (for further details see Clause 5.2).

3.1.2 From the start of the second leg of the 2024/2025 season, the DFL is entitled to set up an inactive Bundesliga Fantasy Manager profile for Bundesliga account holders. In this case, Users will be automatically assigned a username and a (below-average) squad; they can change the username at any time in their settings.

If a User logs into the App with their Bundesliga account and makes a transfer, the Bundesliga Fantasy Manager profile becomes active. Inactive profiles are not eligi-ble for prizes. The inactive participants can follow their team's performance in the App.

If a User wishes to delete an inactive Bundesliga Fantasy Manager profile that has been set up for them, they can do via the App or by contacting DFL via the contact details provided in the imprint.

The legal basis for the processing is Art. 6 para. 1 sentence 1 b) GDPR.

3.2 Social logins

The social login function, which is also provided via Okta (see Clause 3.1), allows the User to log in to the Official Bundesliga Fantasy Manager with his/her (social media) account with Facebook, Google or Apple. If the User chooses to use one of these social logins, the relevant social media provider will establish the User's identity and transfer the data about the User outlined below to the DFL.

No usage data (pages visited, fields activated) is transferred to the respective provider, since the DFL has implemented the social logins using OAuth (Open Authorization).

The legal basis for the transmission of data is the User's consent according to Art. 6 para. 1 sentence 1 a) GDPR, which the User grants by choosing to use a social login. The User can revoke this consent at any time with future effect. The DFL will then process the transferred data for the purposes of establishing, implementing and terminating the user agreement in accordance with Art. 6 para. 1 sentence 1 b) GDPR.

The following privacy information regarding data transfer apply to social logins; see also Clause 8 on sharing content.

3.2.1 Facebook

If the User logs in via Facebook, the following types of data transmission from Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, ('Facebook') to the DFL will be initiated:

• The transmission of certain information from the User's Facebook account to the DFL with the consequence that in addition to the usage data outlined in this Statement (e.g. IP address), the following information will be transmitted to the DFL:

  • Profile picture

  • Full name, as well as

  • E-mail address

IF THE USER DOES NOT WISH DATA TO BE SYNCHRONISED IN THIS WAY, THE USER MUST USE ONE OF THE OTHER AVAILABLE LOGIN OPTIONS.

3.2.2 Google

If the User logs in via Google, the following types of data transmission from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, ('Google') to the DFL will be initiated:

• The transmission of certain information from the User's Google account to the DFL with the consequence that in addition to the usage data outlined in this Statement (e.g. IP address), the following information will be transmitted to the DFL:

  • Profile picture

  • Full name, as well as

  • E-mail address

IF THE USER DOES NOT WISH DATA TO BE SYNCHRONISED IN THIS WAY, THE USER MUST USE ONE OF THE OTHER AVAILABLE LOGIN OPTIONS.

3.2.3 Apple

If the User logs in via Apple, the following types of data transmission from Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA, ('Apple') to the DFL will be initiated:

• The transmission of certain information from the User's Apple account to the DFL with the consequence that in addition to the usage data outlined in this Statement (e.g. IP address), the following information will be transmitted to the DFL:

  • Full name, as well as

  • E-mail address

IF THE USER DOES NOT WISH DATA TO BE SYNCHRONISED IN THIS WAY, THE USER MUST USE ONE OF THE OTHER AVAILABLE LOGIN OPTIONS.

3.3 Login status

When the User logs into his/her account in the App, the User’s login details (e-mail address and password) will be saved. Only once the session has expired (because the User has either logged out, deleted the browser history or cleared the cache), after 14 days of inactivity or after six months at the latest will the User have to log in again. The User's login status is stored by means of refresh tokens and deleted after the periods outlined above as soon as the User has to log in again. If the User logs into the App on a device used by more than one person, he/she should make sure to log out again accordingly at the end of the session.

3.4 Publication of information

3.4.1 The ranking lists of the Official Bundesliga Fantasy Manager with the username of the User’s profile are publicly accessible in the App; this applies to both active and inactive profiles. The legal basis for the processing is Art. 6 para. 1 sentence 1 b) GDPR.

3.4.2 In the event of a win, the first name, the first letter of the last name and the country of origin of the respective winner will be published at the DFL's discretion in the official telemedia and/or social media sites of the DFL. The corresponding pro-cessing is justified under Art. 6 para. 1 sentence 1 b) GDPR for the fulfilment of the contractual relationship between the DFL and the respective User as established by the user agreement.

3.5 Friendly Captcha (anti-bot/spam protection)

To ensure adequate data security in the submission of forms, the DFL has incorpo-rated Friendly Captcha, a service from Friendly Captcha GmbH, into its registration process. Friendly Captcha is used to check whether inputs are being carried out by a real person or whether the system is being abused by automated processes.

In connection with this, the DFL has integrated Friendly Captcha code allowing a User's device to connect to the Friendly Captcha servers so that Friendly Captcha can send a mathematical problem. The User's device will solve the problem by using certain system resources and send the solution back to the DFL server. The latter will then contact the Friendly Captcha server via an interface and receive an answer telling it whether the device has correctly solved the puzzle. Depending on the out-come, the DFL can apply security rules to requests and thus either process them or deny them, for example.

Overall, the following technical information is processed: HTTP request header data (particularly User-Agent, Origin and Referer), date/time of request, version of widget used, DFL customer account ID, hash value (one-way encryption) of the IP address, number of requests from the (hashed) IP address per period, answer to the mathe-matical problem solved by the User's device. All this information is used exclusively for the aforementioned purpose of protection against spam and bots. Friendly Cap-tcha does not store or read cookies on the User's device. IP addresses are stored only in hashed (one-way-encrypted) form and do not enable the DFL or Friendly Captcha to identify individuals. Further information on privacy can be found here.

The legal basis for this processing is Art. 6 para. 1 sentence 1 f) GDPR, according to which the DFL's legitimate interest in the processing is protecting the App against unauthorised access by bots and thus against spam and attacks (e.g. those that flood the system with requests)

4. Push notifications

The DFL uses Amazon Pinpoint, a technology from Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA, and its European subsidiary Amazon Web Services EMEA Sàrl, Rue Plaetis 5, 2338 Luxembourg, Luxembourg, ('AWS') to send push notifications to the User. This will take place only if the User has consented to corresponding push notifications during the registration process or later in the App settings. The only pieces of information that the DFL processes about the User for the purpose of delivering push notifications are whether the User has consented to push notifications and which language has been selected.

The legal basis for processing is the User's consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR. The User can revoke this consent at any time by disabling push notifications again in the App or device settings.

5. Data collection and processing in the context of analysis of use of the App and its contents

5.1 Analysis of use of the App and its contents by means of Amplitude

For its App, the DFL uses Amplitude, an analytical service provided by Amplitude, Inc., 201 3rd Street, Suite 200, San Francisco, CA 94103 (USA) (“Amplitude”).

The following data is collected and stored using the SDK (software development kit) provided by Amplitude:

• Pseudonymised visitor ID
• App page accessed
• Sub-pages accessed within the App
• Time spent on individual App pages
• Frequency and timing of App page access
• Interactions with the App, such using buttons or watching videos
• Geolocation information based on the IP address (country, region, town or city)
• Device-related information (e.g. device type, model, operating system, type and version of the browser used, and selected language)

Amplitude will use this information on behalf of the DFL to evaluate the use of the App and its content by Users, compile reports on App activities and provide the DFL with additional services relating to App and internet usage. Amplitude also uses artificial intelligence and machine learning to recognise patterns and predict future behaviour. The DFL will use the analyses to optimise and further develop the App and its content.

In addition, the DFL will, by means of a customer data platform, combine the above data with the Okta ID and the other registration and usage data associated with a Bundesliga account, analyse this data and use it to show the User tailored content and marketing in order to improve and personalise the user experience (for further details see Clause 3.1 and Clause 5.2).

Amplitude stores and manages the information generated in Germany but may refer some support queries to international support teams in Canada, Singapore, the USA and the United Kingdom. Insofar as any of these countries does not have the same level of data privacy as the EU, Amplitude safeguards this transfer of data by means of EU standard contractual clauses. Further information can be found via the following link and in Amplitude’s privacy policy.

The User can also prevent such an analysis by declining the use of marketing and analytics SDKs when initially launching the App or by later revoking his or her consent by declining these SDKs in the App settings.

However, the DFL hereby informs the User that, in this case, it is possible that the User may not be able to use all functions of the App to their fullest extent.

The legal basis for processing is the User's consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR. The User may revoke consent at any time (such as by opting out by changing the App settings), effective from that point onwards, without affect-ing the lawfulness of processing based on consent before its withdrawal.

5.2 Combination and analysis of the User’s data via a customer data platform

Insofar as the User has agreed to the use of Amplitude, the DFL will combine the Okta ID and the other registration and usage data associated with the Bundesliga account (see Clause 3.1) with the data collected by Amplitude (see Clause 5.1) and analyse this data via a customer data platform. Because the Bundesliga account can be used across various products, the data contained on the customer data plat-form can also include data from other digital products from the DFL (e.g. bun-desliga.com, Official Bundesliga App); for further details, see the privacy policy of the product in question.

The DFL uses the customer data platform provided by Tealium, Inc., 9605 Scranton Rd., Suite 600, San Diego, CA 92121, USA, (“Tealium”).

Tealium stores and manages this data in Germany but may refer some support queries to international support teams in Australia, Hong Kong, Japan, Singapore and the United Kingdom. Insofar as any of these countries does not have the same level of data privacy as the EU, Tealium safeguards these transfers of data by means of EU standard contractual clauses. Further information can be found in Tealium’s privacy policy.

By means of the data processed via the customer data platform, the DFL will show the User tailored content and marketing in order to improve and personalise the us-er experience.

Insofar as the User has consented to the collection of the analysis data used for this purpose, the legal basis is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR, which may be revoked at any time with future effect. The data is linked with other user information from the registration of the User’s Bundesliga ac-count in order to safeguard the DFL’s legitimate interests in accordance with Art. 6 para. 1 sentence 1 f) GDPR. The DFL’s legitimate interest is to present Users with the most tailored offering possible. If Users do not wish their data to be linked in this way or be shown tailored content and marketing, they can change this in their account settings under “Profile” (personalized fan profile).

5.3 Analysis of promotional measures for the APP by Adjust

Furthermore, the DFL uses an analysis service provided by adjust GmbH, Saarbrücker Str. 38a, 10405 Berlin, Germany (“Adjust”) in its APP. This analysis service helps the DFL to measure the success of promotional measures for the APP across platforms and to improve them as a result.

Insofar as the User has agreed to the use of marketing and analytics SDKs, the SDK from Adjust is used to collect certain usage data in the App (e.g. the time of installation, the time the App was first opened, and information about further interactions of the Users in the App). Adjust combines this data with data from other media on which the DFL publishes banners or advertisements. Adjust uses this data on behalf of the DFL to create analyses of the success of individual DFL promotional measures (e.g. which link Users clicked on before downloading and installing the App).

Users of iOS end devices are tracked by Adjust via the advertising ID of their device, provided they have consented to the Apple Tracking Transparency (‘ATT’). If these Users have not given such consent, Adjust identifies them via probabilistic model-ling using persistent device metadata (e.g. operating system, version, model and IP address). Users of Android end devices, on the other hand, are identified via the referrer parameter provided by the Google Play Store. If the Google Play Store does not provide a referrer parameter, the advertising ID of the Android end device is used. For Users who have blocked access to these IDs, probabilistic modelling also takes place via persistent device metadata.

Further information on the processing of personal data by Adjust can be found in Adjust's privacy policy. If Users wish to object to tracking by Adjust on other media, they can do so here.

The User can also prevent such an analysis by declining the use of marketing and analysis SDKs when initially launching the App or by later revoking his or her consent by declining these SDKs in the App settings.

However, the DFL hereby informs the User that, in this case, it is possible that the User may not be able to use all functions of the App to their fullest extent.

The legal basis for processing is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR. The User may revoke consent at any time (such as by opting out by changing the App settings), effective from that point onwards, without affect-ing the lawfulness of processing based on consent before its withdrawal.

6. Special terms and conditions for newsletters

During registration and, later, in the account settings, the User will have the option to subscribe to newsletters (Bundesliga Newsletter, Game Updates).

If the User chooses to subscribe during the registration for the Official Bundesliga Fantasy Manager, the registration for the subscription is processed via Okta. The DFL uses the service of Mapp Digital Germany GmbH (Germany) for the dispatch of newsletters and the associated management of User data.

The DFL will place what is known as a tracking pixel in the HTML code of the relevant newsletter and assign a user ID to the User to determine the time at which the newsletter in question was opened and which links or functions were activated from that newsletter. This tracking takes place for the purpose of internal optimisation of the applicable newsletter. This data will not be passed on.

The legal basis for this data processing is Art. 6 para. 1 sentence 1 a) GDPR. If the User does not want this tracking to take place, they can unsubscribe from the newsletter in question (e.g. via the unsubscribe link in each newsletter or through the account settings).

7. SDKs used

With the App, the DFL has implemented some services using SDKs (software development kits). Some of the various SDKs process personal User data by establishing a direct link between the device and the SDK provider when the User uses the App. Users may decline the use of SDKs used for statistical purposes or individual App functions.

For technical reasons, the DFL cannot remove the SDKs in such cases but will merely configure settings to prevent further data being retrieved via the SDKs. However, as the provider of the App, the DFL cannot control which data the SDK providers retrieve (even if settings to that effect forbid data retrieval).

The App incorporates the following SDKs:

Provider/name of SDK	Description	Category
Okta	This SDK is associated with customer identity management used for registration for the DFL services (such as the Official Fantasy Manager) and for both the normal login and the social logins with Facebook, Google and Apple. This customer identity management service is provided by the processor, Okta, Inc. (USA). Further information can be found in Okta's privacy statement.	Strictly necessary
React Native	This SDK is required for programming the App for iOS and Android devices. Further information can be found here.	Strictly necessary
AWS Amplify	This SDK is used for sending push notifications and other notifications in the App via Amazon Pinpoint. The SDK is provided by Amazon Web Services, Inc. (USA) and its European subsidiary Amazon Web Services EMEA Sàrl (‘AWS’). The AWS privacy statement can be found here. The User may disable push notifications via Amazon Pinpoint at any time in the App or device settings.	Functional
Firebase Crashlytics (Google)	This SDK is used to collect data on crashes in the App to enable the most stable product possible to be provided. This involves gathering information about user behaviour and the devices used so as to diagnose and resolve potential problems with the App. This data is stored anonymously. However, data may be transferred to the USA as part of the process. More detailed information about Firebase Crashlytics can be found via the following link and in the privacy information from Firebase Crashlytics.	Functional
GetFeedback	This SDK enables users to give the DFL feedback about the App. In addition, the DFL can invite users to take part in surveys and send in-app messages to inform users about important news. Further information can be found in the SurveyMonkey privacy notice.	Functional
Firebase (Google), used for Crashlytics	This SDK is used to collect information for Crashlytics. Further information can be found in Google's privacy policy. A User can prevent such information from being collected by declining the use of performance SDKs when initially launching the App or later in the App settings.	Performance
Adjust	With this SDK, the DFL is able to analyse the success of promotional activities for the App, i.e. which published ban-ners and ads drew Users' attention to the App and which links they clicked on before installing the App. The DFL uses this information to make its promotional activities more targeted and efficient. Users can find more information about the SDK in Adjust's privacy policy.	Marketing and analysis
Amplitude SDK	The SDK is used to collect tracking events for Amplitude, to arrange these in the correct structure for Amplitude and to send them to Amplitude for analysis of the App and its content for the purposes described in Clause 5. Further information on the SDK can be found via the following link and in Amplitude’s privacy policy. The User can prevent such an analysis by declining the use of marketing and analytics SDKs when initially launching the App or later in the App settings or by opting out of Amplitude in the privacy section (Clause 5). The data collected by Amplitude from Bundesliga account owners is also stored on a customer data platform and used to display personalised content and marketing (see Clause 5.2). Users can decline this usage in their account settings under “Profile” (personalized fan profile).	Marketing and analysis

The DFL used other SDKs as tools during development of the app, not all of which are identified individually in the above list. The use of these SDKs is strictly necessary for the App to run and cannot be stopped.

8. Sharing content

The DFL provides users of the App with the opportunity to share the App's content as described in the following section.

8.1 Using the Facebook, X (formerly: Twitter), Google+, Instagram and WhatsApp social media services

Users can share content from this App on the social media services provided by Facebook, X (formerly: Twitter), Google+, Instagram and WhatsApp. To prevent User data being shared with the providers without the User's consent, the DFL offers only social sharing links in the App. This ensures that no data will be transferred to third parties without the permission of the User. Only when the User activates the social media services by clicking the relevant icon, thereby consenting to connect with Facebook, X (formerly: Twitter), Google+, Instagram and WhatsApp, will a connection to the applicable service be established and the social sharing links created, and the User can then publish these links through the service. Further information on data processing by the providers can be found in the applicable privacy statements: Facebook, X (formerly: Twitter), Google+, Instagram and WhatsApp.

8.2 E-mail forwarding

The User can also share and recommend content from this App via e-mail by clicking the relevant button. The DFL will not use, process or store in any way the recipient e-mail addresses that the User enters in the e-mail application that opens when the User clicks the relevant icon.

8.3 Sharing via Android and iOS

If a User uses an Android or iOS device and clicks the Share button, the App will - in addition to the aforementioned social media platforms and e-mail forwarding function - show all applications that are installed on the User's device and that offer a share function. The DFL has no influence on which data is shared with the corresponding platforms and recommends referring to the respective privacy statements.

9. Feedback service

The DFL uses the feedback service “GetFeedback from SurveyMonkey Europe UC (Ireland) ('SurveyMonkey') to provide the User with the opportunity to provide feedback on the App and its functions and to participate in online surveys. The DFL uses the resultant feedback and surveys to improve the App and its functions in line with user requests. When a User uses the feedback form or the feedback button or participates in an online survey, the User’s device will establish a direct link to SurveyMonkey's server and the information entered by the User (e.g. full name, e-mail address), the User's IP address and other device-related information will be transmitted. Further details can be found in SurveyMonkey's privacy policy. The legal basis for processing is the User's consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR, which the User may revoke at any time with future effect.

10. Data forwarding to third parties

Aside from the cases outlined, the DFL will forward personal data to third parties only if it is authorised or obliged to do so. This is the case particularly if the DFL transfers personal data to government agencies and authorities in accordance with mandatory national legislation or if forwarding is necessary for the purpose of legal action or criminal prosecution in the event of attacks on network infrastructure. The legal basis for this processing is Art. 6 para. 1 sentence 1 c) GDPR in conjunction with Section 24 para. 1 no 1 of the German Federal Data Protection Act [Bundesdatenschutzgesetz, “BDSG”].

11. Storage and deletion of personal data

All stored personal data and pseudonymised usage data will be deleted immediately and permanently as soon as they are no longer needed for the purposes for which they were collected or if the User demands this, unless the DFL is required or entitled by law to preserve the data. If the DFL is required or entitled by law to preserve the data, the stored personal data and pseudonymised usage data will be permanently deleted upon expiry of the statutory retention periods.

12. Security

The DFL uses technical and organisational security measures to protect personal User data against accidental or intentional tampering, loss, destruction or access by unauthorised persons. These security measures are regularly adapted in accordance with technological developments. Nonetheless, the DFL advises the User that absolute security can never be guaranteed in online data transmission.

13. Links to other websites

The App may contain links to other websites. This Statement applies solely to this App. The DFL has no influence over content from other providers and does not control whether other providers comply with the applicable data protection regulations or other legal requirements. If a user alerts the DFL to the presence of unlawful content on linked websites, the DFL will remove the links from the App immediately.

14. Rights of the User

The GDPR grants a number of rights to the User. In particular, the User has

a right of access to personal data concerning themselves (Art. 15 GDPR)

a right to rectification of inaccurate data (Art. 16 GDPR)

a right to erasure of data under the conditions stipulated in Art. 17 GDPR

a right to restriction of processing (Art. 18 GDPR)

a right to data portability in accordance with Art. 20 GDPR

a right to object to processing, unless this takes place to protect the legitimate interests of the DFL (Art. 21 GDPR).

If data processing is based on the User's consent, the User may revoke this at any time with future effect.

The User can contact the DFL via e-mail to info@bundesliga.com. The DFL's privacy officer can be contacted at dataprivacy@bundesliga.com. This e-mail address is used to respond solely to enquiries pertaining to privacy.

Furthermore, the User can submit a complaint about the data processing to an appropriate supervisory authority. The authority responsible for the DFL is the Hessian Commissioner for Data Protection and Freedom of Information, and the User can submit a complaint via the following link.

15. Applicability, validity and up-to-date status of this Statement

The regulations in this Statement on collection, processing and use of the User's data apply to the User when the latter uses the App. This Statement is up to date as at 29 November 2024. The DFL reserves the right to amend this Statement at any time with future effect, especially for the purposes of adapting to later versions of the App or implementing new technologies. The User can view the current Statement in the App at any time by going to 'Privacy Statement' on the menu.