Privacy Statement and Cookie Policy
for the Official DFL app (‘App‘) for DFL Deutsche Fußball Liga GmbH, Guiollettstrasse 44-46, 60325 Frankfurt am Main, Germany (‘the DFL‘).
The DFL processes and uses personal data collected and stored during the installation and use of the App in compliance with the data privacy regulations applicable in the Federal Republic of Germany. This privacy statement and cookie policy (hereinafter collectively referred to as ‘the Statement‘) sets out which personal data regarding users (hereinafter collectively referred to as ‘the User‘) is collected and how this data is processed and used.
1. Permissions
For the App to work correctly, it is necessary for the User to grant the App access to certain functions and data on the user’s device. During installation, the User will be asked once to grant the relevant permissions. The way in which permissions are granted varies depending on the device manufacturer. In some cases, access permissions have different names, while individual permission categories are sometimes combined, meaning that the User can approve only the entire permission category. By granting permission, the User consents to his/her data being processed accordingly.
Note that if you do not grant one or more of the permissions requested, some functions of the App may not be usable. If the User nonetheless attempts to activate such a function, the App will again ask the User to grant permission. The User can at any time use the device settings to revoke permission that has previously been granted.
If the User has granted permission, the DFL will use it as follows:
- Push notifications: The App requires permission to send push notifications about press releases and news of DFL as well as the publication of new DFL Magazine editions.
- Files and media (Android only): The App requires access to photos/media/files to store DFL Magazine editions on the device.
2. Data collection and processing during use of the App
2.1 Installation and use of the App
The following data will automatically be logged on the DFL server when the App is installed and used:
- IP address of the requesting device
- Date and time of installation
- Date and time of access
- Quantity of data transferred
- Access status (file transferred, file not found etc.)
- Name and version of operating system used
- Type and version of browser used and browser plugins installed
- Time zone settings
- Identification data of device used
- Name of the User’s internet service provider and information about the mobile network used
The collection, processing and use of this data occur for the purposes of enabling the use of the App, system security and the technical administration of the network infrastructure. The data will not be compared with other sets of data or passed on to third parties either in whole or in part.
The legal basis for processing is Art. 6 para. 1 sentence 1 f) of the EU General Data Protection Regulation (‘GDPR‘). The DFL’s legitimate interest is based on the aim of providing the User with a secure and functioning App.
2.2 Crashlytics
In the App, the DFL uses Crashlytics, a service of Google LLC (USA) (‘Crashlytics‘) that collects information about user behaviour and the devices used so as to diagnose and resolve potential problems with the App. This data is stored anonymously. However, data may be transferred to the USA as part of the process. More detailed information about Firebase Crashlytics can be found via the following link and in Firebase Crashlytics’s privacy policy.
The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR. The DFL’s legitimate interest is based on the aim of providing the User with the most stable App possible.
2.3 Analysis of the use of the App and its content
Additional reference is made to Clause 3 and Clause 4 with regard to the collection and processing of data for analysing the use of the App and its content as well as optimisation of the App or the analysing promotion and marketing measures for the App through analytical services.
3. Data collection and processing in the context of analysis of use of the App and its contents by means of Matomo
For the App, the DFL uses Matomo, an open-source analytics application developed by InnoCraft Ltd, New Zealand, (‘Matomo‘) to analyse use of the App and its content. This application is installed locally on the DFL servers. The following data is collected and stored using the SDK (software development kit) provided by Matomo:
- Pseudonymised visitor ID
- App page accessed
- Sub-pages accessed within the App
- Time spent on individual App pages
- Frequency and timing of App page access
- Interactions with the App, such using buttons, watching videos or the opening of push notifications
Using the IP2Location™ IP-Country-Region-City-ISP Database [DB4] features from Hexasoft Development Sdn Bhd, Malaysia, (‘ip2location’) likewise installed locally on the DFL servers, additional geolocation information (country, region, town or city) is also collected and stored cumulatively on the basis of IP addresses.
Collection and storage take place only on the DFL servers. The data will not be passed on to Matomo or any other third parties.
Matomo and ip2location are set up to ensure that IP addresses are not stored in their entirety; instead, two bytes of each IP address are masked (e.g. 192.168.xxx.xxx). This renders it impossible to attribute the abbreviated IP address to the specific device used. A User can prevent such an analysis by choosing to opt out in this privacy section or in the App settings.
However, the DFL hereby informs the User that in this case, it is possible that the User may not be able to use all functions of this App to their fullest extent.
Further information on privacy can be found in Matomo’s privacy policy.
The legal basis for processing is Art. 6 para. 1 sentence 1 f) GDPR, with the DFL’s legitimate interest in processing being evaluating the App data for the purposes of optimising it.
4. Data collection and processing in the context of analysis of promotion and marketing measures for the App by means of Google Analytics and Dynamic Links
For the analysis of promotion and marketing measures for the App, the DFL also uses the analytical service Google Analytics (‘Google Analytics’) and Dynamic Links with regard to the source of the Users (e.g. which channels did they use to download and install the App) and their actual use of the App after the installation. Both services are provided by Google LLC (USA) (‘Google’).
The information that is generated by these SDKs is usually sent to a Google server in the USA and stored there. However, the DFL has expanded Google Analytics with the “gat._anonymizeIp();” code in order to ensure that IP addresses are recorded in anonymised form (“IP masking”). This means that the IP addresses of Google users inside European Union Member States or other countries which are signatories of the Agreement on the European Economic Area will be shortened. The full IP address is only transferred to Google servers in the US and shortened there in exceptional cases. When personal data is transferred to the USA, Google safeguards this by the use of EU standard contractual clauses.
On the DFL’s behalf, Google will use this information for the aforementioned purposes. In addition, Google will also use the transferred information for its own purposes as an independent data controller under data protection law and potentially aggregate it with other information. Further information on this subject as well as the terms of use and privacy can be found in the Google Analytics Terms of Use or Google Analytics Overview and the Dynamic Links Overview.
The User can also prevent the data generated by the SDKS relating to usage of the App and its content (including his/her IP address) from being transferred to and processed by Google by declining the use of marketing and analysis SDKs when initially launching the App or later in the App settings or by choosing to opt out in this privacy section.
However, the DFL hereby informs the User that in this case, it is possible that the User may not be able to use all functions of the App to their fullest extent.
The legal basis for processing is the User’s consent in accordance with Art. 6 (1) para. 1 a) of the GDPR. The User may revoke consent at any time, effective from that point onwards (such as by opting out or by changing the App settings), without affecting the lawfulness of processing based on consent before its withdrawal.
The legal basis for processing is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR. The User can revoke his/her consent with future effect at any time (e.g. by using the opt-out mentioned above or changing his/her App settings) without affecting the lawfulness of processing which has already taken place on the basis of this consent before its revocation.
5. Social media content
Some content that the DFL has published on its official social media accounts on Twitter and YouTube will be loaded in the App via WebView (e.g. in articles or the live ticker). Cookies will be used in the process. More details about the cookies used can be found in Clause 8.2 ‘Cookies’.
Further information on data processing by the providers can be found in the applicable privacy statements: Twitter and YouTube (the DFL embeds content from the latter in privacy-enhanced mode; find out more here).
6. Sharing content via Android and iOS
The DFL provides users of the App with the opportunity to share the App’s content as described in the following section.
If a User uses an Android or iOS device and clicks the Share button, the App will show all applications that are installed on the User’s device and that offer a share function. The DFL has no influence on which data is shared with the corresponding platforms and recommends referring to the respective privacy statements.
7. Additional services and functions
7.1 Push notifications
The DFL uses a technology of CleverPush GmbH (Germany) to send push notifications about press releases, current news and new DFL magazine editions to the User. For the delivery of the push notifications, the DFL only processes information about the Users in addition to end device information (device ID, device and operating system), whether they have agreed to the push notifications and which language they have selected. This will take place only if the User has consented to corresponding push notifications during the registration process or later in the App settings.
When using this functionality, a static evaluation of the push notifications also takes place as to whether and when the respective push notification was displayed and clicked on.
The legal basis for each processing is the User’s consent in accordance with Art. 6 para. 1 sentence 1 a) GDPR.
The User can revoke this consent regarding the delivery of push notifications at any time by disabling push notifications again in the settings of the APP or the device settings. The User can opt out of the static evaluation by rejecting the use of functional SDKs (see Clause 8.1) in the privacy settings (in the menu under “More” and “Settings”). The User will then continue to receive push notifications unless he/she simultaneously makes the settings described above.
7.2 Scrollable preparation of the DFL Magazine
The DFL uses the solution “Smarticle” of the processor 3D-Zeitschrift GmbH (Germany) for the scrollable preparation of the DFL Magazine. In addition to collecting and processing the IP address of the users, the application sets cookies on the device of the Users (for more details on the cookies used, see Clause 8.2 “Cookies”). The legal basis for the processing is Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interests of the DFL is based goal of preparing and offering content for Users in the most user-friendly way possible.
7.3 Playing videos
The DFL embeds videos in the App using JW Player software from Longtail Ad Solutions, Inc. (USA). JW Player does not process any user data, and it records only the video play counts.
For legal reasons, the DFL is not permitted to make the videos shown in the App available in certain countries. To ensure this, when the User selects a video, the GeoLite2 feature from Maxmind, Inc. (USA) installed locally on DFL servers is used to determine the countries in which the relevant video may be played and to compare this list against the current location of the User’s device, identified via the IP address of the User’s device. On this basis, the App checks whether the video is permitted to be played in the country in which the User’s device is currently located or whether it must be disabled for legal reasons. In the latter case, the User will be shown only a notice to that effect instead of the video. This information will remain intact only for the duration of this check on the device and will then be deleted; furthermore, it will not be stored or transferred to a back-end system.
The legal basis for this processing is Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of the DFL is based on compliance with the existing contractual agreements with its national and international licensees for the media rights to the matches of the Bundesliga and Bundesliga 2.
8. SDKs and cookies used
8.1 SDKs used
With the App, the DFL has implemented some services using SDKs (software development kits). Some of the various SDKs process personal User data by establishing a direct link between the device and the SDK provider when the User opens the App. Users may decline the use of SDKs used for statistical purposes or individual App functions.
For technical reasons, the DFL cannot remove the SDKs in such cases but will merely configure settings to prevent further data being retrieved via the SDKs. However, as the provider of the App, the DFL cannot control which data the SDK providers retrieve (even if settings to that effect forbid data retrieval).
The App incorporates the following SDKs:
Provider/name of SDK | Description | Category |
Firebase Remote Config | The SDK is used to configure App settings. This allows settings in the App to be changed without having to run an App update. Further information can be found via the following link and in Google’s privacy policy. | Strictly necessary |
CleverPush | The SDK is used to send push notifications about press releases and news of DFL as well as the publication of new DFL Magazine editions to the User. The SDK also performs a static evaluation of whether and when the respective push notification was displayed and clicked on. If the User rejects functional SDKs, no such static evaluation is performed. The User can nevertheless continue to receive the push notifications; he/she can deactivate such delivery at any time via ‘push notifications’ in the settings of the App or the device. Further information can be found in the privacy policy of CleverPush. | Functional |
Firebase Crashlytics (Google) | This SDK is used to collect data on crashes in the App to enable the most stable product possible to be provided. This involves gathering information about user behaviour and the devices used so as to diagnose and resolve potential problems with the App. This data is stored anonymously. However, data may be transferred to the USA as part of the process. More detailed information about Firebase Crashlytics can be found via the following link and in Firebase Crashlytics’ privacy policy. | Functional |
Matomo | This SDK is used to track the User’s interactions with the App in order to refine and improve the App in accordance with how it is actually used. The SDK is not used to send any data to servers outside the control of the DFL. If the User chooses to opt out from Matomo (see Clause 3), no further data will be processed via this SDK. | Performance |
Firebase (Google), used for Dynamic Links | This SDK is also used to analyse of promotion and marketing measures for the App with regard to the source of the Users (e.g. which channels did they use to download and install the App) and their actual use of the App after the installation. Further information can be found in Google’s privacy policy. The User can prevent such an analysis by declining the use of marketing and analytics SDKs when initially launching the App or later in the App settings, or by opting out in the privacy section (Clause 4). | Marketing and analysis |
Firebase (Google), used for Google Analytics | This SDK is also used to collect information on tracking events for Google Analytics for the purpose of the analysis of promotion and marketing measures for the App. The Analytics SDK uses SQLite for the purpose of persistence for events and other app-specific data. Further information can be found in Google’s privacy policy. The User can prevent such an analysis by declining the use of marketing and analytics SDKs when initially launching the App or later in the App settings, or by opting out in the privacy section (Clause 4). | Marketing and analysis |
The DFL used other SDKs as tools during development of the app, not all of which are identified individually in the above list. The use of these SDKs is strictly necessary for the App to run and cannot be stopped.
8.2 Cookies
Cookies are placed via the content of the DFL Magazine (see Clause 7.2) and social media content integrated via WebView (see Clause 5). Cookies are small text files that are stored on the User’s device and enable the device to be recognised.
The following sections describes which categories of cookies are used and which cookies belong to each category:
8.2.1 Functional cookies
Functional cookies enable the DFL to provide enhanced functionality and personalisation. These cookies can be set by the DFL or its processors whose services we have added to the App. If the User does not allow these cookies, then some or all of these services may not function properly. The legal basis for the use of these cookies are the legitimate interests of the DFL pursuant to Art. 6 para. 1 sentence 1 f) GDPR. The legitimate interest of the DFL results from the fact that the DFL wants to offer an App with as many functions and interesting content as possible.
The DFL uses the following functional cookies in the App:
Name | Domain | First-party/third-party | Lifetime | Description |
3dz_clientapi_sid_ingress | app.smarticle.com | First Party | 42 hours | This cookie is related to the “Smarticle” solution used for the scrollable preparation of the DFL Magazine by the processor 3D-Zeitschrift GmbH. It is used for the internal communication of two system modules. |
3dz_clientapi_sid | app.smarticle.com | First Party | Session | This cookie is related to the “Smarticle” solution used for the scrollable preparation of the DFL Magazine by the processor 3D-Zeitschrift GmbH. It is used for the internal communication of two system modules or storing user data and for further processing by the system. |
3dz_uber_sid_ingress | app.smarticle.com | First Party | 42 hours | This cookie is related to the “Smarticle” solution used for the scrollable preparation of the DFL Magazine by the processor 3D-Zeitschrift GmbH. It is used for the internal communication of two system modules. |
8.2.2 Social media cookies
Social media cookies are capable of tracking the User’s browser across multiple visited websites and to create a profile of his/her interests. This may have an impact on content and news that the User sees on other websites. Cookies are thus used for purposes including marketing.
Social media cookies are placed only if the User has consented to the corresponding processing and placement of cookies. The legal basis for the use of these cookies is Art. 6 para. 1 sentence 1 a) GDPR. Users may revoke their consent at any time in the App settings, effective from that point onwards.
The DFL uses the following social media cookies in the App:
Name | Domain | First-party/third-party | Lifetime | Description |
CONSENT | .youtube-nocookie.com | Third-party | 37 years | The DFL embeds videos via YouTube in ‘privacy-enhanced mode’. This cookie is intended to ensure that YouTube does not place any further cookies. Further information can be found here. |
lang | cdn.syndication.twimg.com | Third-party | Session | This cookie is placed by Twitter and saves the language that the User has chosen for the website to display the social media content in the appropriate language. Further information can be found here. |
9. Data forwarding to third parties
Aside from the cases outlined, the DFL will forward personal data to third parties only if it is authorised or obliged to do so. This is the case particularly if the DFL transfers personal data to government agencies and authorities in accordance with mandatory national legislation or if forwarding is necessary for the purpose of legal action or criminal prosecution in the event of attacks on network infrastructure. The legal basis for this processing is Art. 6 para. 1 sentence 1 c) GDPR in conjunction with Section 24 para. 1 no 1 of the German Federal Data Protection Act [Bundesdatenschutzgesetz, “BDSG”].
10. Storage and deletion of personal data
All stored personal data and pseudonymised usage data will be deleted immediately and permanently as soon as they are no longer needed for the purposes for which they were collected or if the User demands this, unless the DFL is required or entitled by law to preserve the data. If the DFL is required or entitled by law to preserve the data, the stored personal data and pseudonymised usage data will be permanently deleted upon expiry of the statutory retention periods.
11. Security
The DFL uses technical and organisational security measures to protect personal User data against accidental or intentional tampering, loss, destruction or access by unauthorised persons. These security measures are regularly adapted in accordance with technological developments. Nonetheless, the DFL advises the User that absolute security can never be guaranteed in online data transmission.
12. Links to other websites
The App may contain links to other websites. This Statement applies solely to this App. DFL has no influence over content from other providers and does not control whether other providers comply with the applicable data protection regulations or other legal requirements. If a user alerts the DFL to the presence of unlawful content on linked websites, the DFL will remove the links from the App immediately.
13. Rights of the User
The GDPR grants a number of rights to the User. In particular, the User has
- a right of access to personal data concerning themselves (Art. 15 GDPR)
- a right to rectification of inaccurate data (Art. 16 GDPR)
- a right to erasure of data under the conditions stipulated in Art. 17 GDPR
- a right to restriction of processing (Art. 18 GDPR)
- a right to data portability in accordance with Art. 20 GDPR
- a right to object to processing, unless this takes place to protect the legitimate interests of the DFL (Art. 21 GDPR).
If data processing is based on the User’s consent, the User may revoke this at any time with future effect.
The User can contact the DFL via e-mail to info@dfl.de. The DFL’s privacy officer can be contacted at dataprivacy@dfl.de. This e-mail address is used to respond solely to enquiries pertaining to privacy.
Furthermore, the User can submit a complaint about the data processing to an appropriate supervisory authority. The authority responsible for the DFL is the Hessian Commissioner for Data Protection and Freedom of Information, and the User can submit a complaint via the following link.
14. Applicability, validity and up-to-date status of this Statement
The regulations in this Statement on collection, processing and use of the User’s data apply to the User when the latter uses the App. This Statement is up to date as at 15 May 2023. The DFL reserves the right to amend this Statement at any time with future effect, especially for the purposes of adapting to later versions of the App or implementing new technologies. The User can view the current Statement in the App at any time by going to ‘Privacy’ under ‘More’ on the menu.