Data Privacy Policy

Protecting your personal data is important to us. This data privacy policy describes in detail the personal data we collect from you and why we need to process this data.

1. Controller

The controller pursuant to Art. 4 (7) of the EU’s General Data Protection Regulation (GDPR) is

Eintracht Frankfurt Fußball AG Im Herzen von Europa 1 60528 Frankfurt am Main

Whenever reference is made below to “Eintracht Frankfurt”, “we” or “us”, this always means Eintracht Frankfurt Fußball AG. You can contact our data protection officer at datenschutz@eintrachtfrankfurt.de or via our postal address (please add “The data protection officer”).

2. General information on processing personal data

2.1 Purpose of the data privacy policy This privacy policy provides fans, members, season ticket holders, the contacts of an organisation or company, event participants, users of our online media and customers purchasing or using the products and services of Eintracht Frankfurt with information on how their personal data is processed by us.

2.2 Subject matter According to Art. 4 (1) GDPR, personal data is any information that allows conclusions to be drawn about a person’s identity. This includes a person’s name, address (incl. billing and delivery address), telephone number, email address, payment information such as the IBAN and number of a credit card, and date of birth.

2.3 Definition of the term “data processing” Data processing within the meaning of Art. 4 (2) GDPR refers to any operation carried out on personal data with or without automated means.

2.4 Data processing in business transactions We process your data in the course of various business transactions. Business transactions are conducted in areas such as:

Event ticketing
Accreditation
Merchandising
Memberships
Events
Advertising
Online media
Accreditation
Video surveillance in fan shops

Each business transaction is carried out for a specific purpose. We process your personal data for the purposes listed in this privacy policy. We will process your personal data only if there is a basis in law for doing so, e.g. we need to process your data in order to prepare or comply with the terms of a contract (Art. 6 (1), sentence 1, lit. b) GDPR), to comply with a legal obligation incumbent on us (Art. 6 (1), sentence 1, lit. c) GDPR), for the purpose of a legitimate interest after weighing up the interests concerned (Art. 6 (1), sentence 1, lit. f) GDPR), or if you have given us your consent to do so (Art. 6 (1), sentence 1, lit. a) GDPR).

2.5 How long do we store your personal data for? We process and store your personal data for as long as is necessary for us to fulfil the purposes pursued by us or to comply with our contractual and statutory obligations. Data that is no longer required to comply with a contractual or statutory obligation is regularly deleted, except when it has to be processed further for a limited period on the following grounds:

to comply with retention requirements set down in commercial and fiscal law. This includes the German Commercial Code (HGB), the German Fiscal Code (AO) and the German Money Laundering Act (GwG). The retention or documentation periods specified therein are between two and ten years,
to preserve evidence under statutory limitation periods. According to sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, although the standard limitation period is three (3).

If we do need to process your data for a longer period, we will ensure that your data is no longer accessible for other processing purposes.

3. Operations/transactions during which personal data is processed

We process personal data in the context of the following business operations, then explain for what purpose and on what basis in law we have done this:

Tickets and merchandising articles, EintrachtTV subscription
Accreditation
Events and activities
Services for fans and customers
Payment procedures
Online media
Visits to the website and personalised advertising
Video surveillance

3.1. Tickets and merchandising articles

3.1.1 Match/season tickets and merchandise

When you purchase a match and/or season ticket for public and VIP areas or purchase fan merchandise, and when you buy a subscription for EintrachtTV, as your contract partner, we will collect your name, billing and shipping address, email address, your gender in order to identify and address you correctly, and – where applicable – your customer number (optionally, also your telephone number), as well as your payment information for this transaction. Further details on payment information can be found in section 3.3 below. If the buyer/subscriber and ticket holder are different people (e.g. if you are buying tickets for a third party), we will collect the above data for the ticket holder too unless he or she is a corporate customer. In that case, we will collect data on the season ticket holder only at the corporate customer’s request, i.e. if they wish to personalise a ticket. We require this data in order to produce and deliver the tickets, and for payment of the goods. Data collection is necessary, therefore, so that the purchase contract concluded can be processed properly, and this includes season ticket subscription contracts and sponsorship contracts where a ticket or fan merchandise quota/allocation has been agreed. We will also inform you of any changes relevant to the contract, such as the price of season tickets for the new season. We will store your data in our system and record you as a contact there, including a personal customer number that we will communicate to you.

In order to grant discounts and ensure that children are appropriately supervised, for concessionary tickets for children up to the age of six we will also request the date of birth of the ticket holder/user. Further concessionary rates may also be claimed according to the ticket price list. Here, we will merely register an entitlement to a concessionary rate and not the precise reason for this.

When you purchase match tickets through our ticket office or fan merchandise through our fan shops on a matchday, your data will normally only be verified if you wish to claim a discount as a member. This information will not, however, be stored.

We use a service provider to print football shirts on our behalf. If you would like your name printed on the back of your shirt, we will send the shirt to our service provider for printing. The basis in law for the data processing mentioned above is Art. 6 (1), sentence 1, lit. b) GDPR if you yourself are our contractual partner. Otherwise, we will process your data on the basis of our legitimate interest in fulfilling the contract with our contractual partner (Art. 6 (1), sentence 1, lit. f) GDPR), for example if you are a season ticket holder but not a season ticket subscriber. You must provide this information to order tickets, season tickets or merchandise, or to take out a subscription to EintrachtTV. However, you are neither contractually nor legally bound to place an order and thus provide this data. You are also not obliged to provide information on discounts. However, this data is required in order to benefit from such discounts.

3.1.2 Transfer of tickets via Eintracht’s ticket exchange service

If a season ticket seat for a specific matchday is successfully transferred through Eintracht’s ticket exchange service within the scope of fulfilment of a season ticket subscription contract, the ticket holder will be credited a portion of the overall price in the form of a voucher, or the corresponding amount will be credited to the ticket holder’s bank account. Depending on the preferred form of reimbursement, the payment information of the season ticket holder will also be collected for this transaction. Art. 6 (1), sentence 1, lit. b) GDPR constitutes the basis in law for processing this data. You are neither contractually nor legally obliged to provide this data. Not doing so, however, could mean that you will not be able to select every refund option available.

3.1.3 Free signed tickets

We will register your name and address as the recipient for any order of free signed tickets (three tickets per person per season). We process this data so that we can send you your signed tickets without any problems. Moreover, during data processing, we will document the date on which we received your request, the date on which we sent the relevant signed ticket to you, and which signed tickets (i.e. which players) you have been sent. This is to avoid duplicate orders that exceed the quota to which each fan is entitled and to ensure that each fan is able to receive signed tickets free of charge once a year. Art. 6 (1), sentence 1, lit. b) GDPR constitutes the basis in law for processing this data. You must provide us with this information to order signed tickets. However, you are neither contractually nor legally obliged to order the signed tickets and thus to provide the data.

3.1.4 Subscription to/shipping of our magazine “Eintracht vom Main”

In order to take out a subscription to our monthly magazine “Eintracht vom Main” (subscription for the whole season or the second half only), you must complete the prepared order form. We will record your name and address and the payment information you provided (see section 3.4), including your consent to the subscription fee chargeable on a one-off basis. You may also provide your email address. If you provide us with your email address, we will notify you before the start of a season of the price of a repeat subscription to the magazine. All these details are thus required for the preparation and fulfilment of the subscription contract pursuant to Art. 6 (1), sentence 1, lit. b) GDPR. You must provide us with this information in order to subscribe to the magazine. However, you are neither contractually nor legally obliged to provide the data. Your name and address will be forwarded to our authorised mail order company to ensure you receive your “Eintracht vom Main” magazine.

3.2 Events and activities

Eintracht Frankfurt organises a wide range of events and activities, such as events in the Eintracht Museum, home matchday experiences, training camps for the Eintracht Frankfurt Football School, guided tours of the arena and other events that require registration.

3.2.1 Personal data that we process

During the registration process, we will collect – for the purpose of accurate identification and addressing and, if necessary, to plan the event (e.g. allocate changing rooms) – your child’s name, address and gender, or your own name, address and gender as a participant, or as the contact of a participating organisation (e.g. a company, school, nursery) or group and – where necessary for events for which a fee is charged – your payment information for this transaction (see section 3.4 for more details). In the case of minors, we will also request the name, address and, where applicable, the payment information of a parent or legal guardian. We will also request contact details such as your telephone number and email address. We will indicate mandatory fields and information that can be provided voluntarily on the registration forms. For certain events, we will request other details from the participant, such as:

Date of birth
Clothing size and lettering to be printed on the back of a football shirt
Name of home club and, where applicable, playing position
Food intolerances/current medication/other issues

In the “Other information” section on our registration form, you may voluntarily provide us with information you consider important for you, your child, or for us during staging of the event. For example, some events include meals taken together, or guided tours of the arena. For example, if you are a vegetarian, if your child has a specific food intolerance, if your mobility is limited or there are other issues of relevance, we can take this into account when putting together a meal or a programme of events.

3.2.2 Processing data for a specific purpose and basis in law

Eintracht Frankfurt requires the aforementioned data so as to be able to conclude a contract with you for the purpose of planning, implementing, billing and evaluating an event. We will register the aforementioned contact details so as to be able to confirm your registration, answer any queries, or provide you with further information on the programme or any last- minute changes. Particularly in the case of children’s events at which a parent or legal guardian is not present, we record a telephone number so that the latter can be contacted immediately in the event of an emergency. Some events are for members only, are discounted for members or other groups of people, or are intended for certain age groups. For some events, you or your child will receive clothing such as a t-shirt or football shirt that should fit properly. During enrolment for an Eintracht Frankfurt Football School camp, we will request your child’s playing position so that we can take this into account when putting together teams and planning training sessions. We will also register the name of your child’s football club in order to obtain an overview of the catchment areas of participants and to be able to scout the players for our youth academy afterwards, if necessary.

Art. 6 (1), sentence 1, lit. b) GDPR constitutes the basis in law for processing this data. In order to participate in the respective event, you must provide the information marked as mandatory. However, you are neither contractually nor legally obliged to participate in an event and thus to provide the data.

In order to process the health data described above, we require your consent in accordance with Art. 9 (2), lit. a) GDPR. You will be given the opportunity to give your consent during registration. You may withdraw this consent at any time, as described in section 6. Where an event involves an overnight stay at an outside location or a tour, we will forward the names of participants to the hosting establishment or to the tour location so that these places can register names for billing purposes.

3.3 Services for fans and customers

3.3.1 Data processing in connection with Eintracht Frankfurt fan clubs (EFCs) Official Eintracht Frankfurt fan clubs (EFCs) and EFC members have a special status with us and may enjoy special benefits (e.g. first refusal on match tickets). To simplify communication with EFCs, it is necessary for us to register the name and email address of each EFC chairperson and, where applicable, of the deputy chair or treasurer. In addition, members of EFCs can apply for so-called fan club cards, which serve as proof of membership. To apply for a fan club card, you will need to provide us with the name of your EFC, your name, address, telephone number and email address of the EFC chairperson, as well as the names and addresses of the EFC members for whom a fan club card is being applied.

Processing of this data is necessary for the purpose of issuing the fan club card and is carried out on the basis of Art. 6 (1), sentence 1, lit. b) GDPR. In order to benefit from special offers for EFCs and EFC members, you must provide us with this information. However, you are neither contractually nor legally obliged to provide the data.

3.3.2 Fan and member service

When you contact our fan and member service centre, our staff will ask for and store your name and, possibly, also your telephone number and/or email address in order to process your enquiry (service contract within the meaning of Art. 6 (1), sentence 1, lit. b) GDPR). This data is collected when you contact our fan liaison department for communication and/or information purposes, e.g. as part of the fan movement for our teams’ home and away matches and when issuing flag passes. Once a year, staff at fan liaison department will check whether your details are required for the above purpose. If this is no longer the case, your data will be deleted.

For fans with limited mobility, we can facilitate access to the stadium on request. Tickets for unrestricted areas of the stadium can be purchased only by submitting the form provided by our fan liaison department on request. This form requires the entry of a name, email address, telephone number, membership and EF number. In addition, fans must submit a copy of their medical certificate either by post or as an email attachment (scanned), which will be destroyed immediately after it has been verified by our fan liaison department. We require your consent under Art. 9 (2), lit. a) GDPR to process this health data. You will be given the opportunity to give your consent in the form provided. You may withdraw this consent at any time as described in section 6.

In order to issue personalised car parking and wheelchair access tickets at the stadium on home matchdays, we process the name and address of the person making the request. Only in exceptional cases is it possible to drive right up to the stadium beyond the security gates. We therefore require a vehicle registration number to issue a security pass. On the day of the home match, a medical certificate must be carried, which we may inspect if necessary. Health or other personal data from the certificate presented will not be processed.

3.3.3 Support for away fans

As part of our support for the away team and their fans on home matchdays, staff from our fan liaison department require the contact details of officials/contacts for handling various fan-related issues. The following data is required to communicate with the football network: function, name, telephone number and email address. Vehicle registration numbers may need to be collected for the purpose of controlling access by away fans. As part of our effort to balance interests within the meaning of Art. 6 (1), sentence 1, lit. f) GDPR, it is necessary for us to process your data to safeguard our own legitimate interests as well as those of third parties. For security reasons and to provide transparency for the police in terms of how away fans arrive at the stadium, we are obliged to ensure that fan groups remain separated. The football network must be able to plan fans’ arrival and make arrangements quickly should any incidents occur on the day of the match. Data collected on external partners will be stored for future collaborations. If partners change or after three years at the latest, the data will be deleted. Data collected on away fans is deleted at the end of the event.

3.3.4 Using our forum

You may use our forum without registering. If you wish to play a more active role in the forum, you will need to log in with an account. There is no obligation to use your real name in the forum; you may also use a pseudonym. You will be given the opportunity to enter a pseudonym when you register in the forum. We store your activity in the forum (i.e. public posts, pinboard entries, friendships, private messages, etc.) for the purpose of operating the forum pursuant to Art. 6 (1), sentence 1, lit. b) GDPR. If you delete your account, your public statements, in particular contributions to the forum, will remain visible to all readers, but your account will no longer be accessible and will be flagged “[Deleted user]”. All other data will be deleted or anonymised. We store your public statements on the basis of our legitimate interest to operate the forum, pursuant to Art. 6 (1), sentence 1, lit. f) GDPR. As a user of the forum, you may subscribe to threads and/or comments after registering, pursuant to Art. 6 (1), sentence 1, lit. b) GDPR. You will receive a confirmation email to verify whether you are the owner of the email address given. You can unsubscribe from this function at any time via the link in any of the info mails.

3.3.5 Management of enquiries

Our customer service team will register and categorise any enquiries received and evaluate them to improve the quality of our operations. Art. 6 (1), sentence 1, lit. f) GDPR constitutes the basis in law for processing this data.

3.4 Payment procedures

Please refer to the relevant information in the privacy policy of the Eintracht Tech GmbH marketplace for information on how we process your payment details.

3.5 Marketplace presence

We operate as partners on the marketplace of Eintracht Tech GmbH. Within this collaboration, we are jointly responsible with Eintracht Tech GmbH as the marketplace operator for the individual processing operations. Please note the relevant information in the privacy policy of the Eintracht Tech GmbH marketplace.

We may publish editorial content and services, among other things, on the marketplace. These may contain personal data of third parties, for example, who form the subject matter of this content or who are mentioned by us in this content. They may also contain the personal data of editors. The basis in law for processing this data is our legitimate interest in publishing the corresponding editorial content and the fact that the legitimate interests of the data subjects do not outweigh this (Art. 6 (1), sentence 1, lit. f) GDPR. Should any editorial content require a data subject’s consent to the processing thereof, we will obtain such consent (Art. 6 (1), sentence 1, lit. a) GDPR. In individual cases, for example when processing the personal data of editors, the grounds for data processing may also be based on the contract with the relevant data subject (Art. 6 (1), sentence 1, lit. b) GDPR). For the purpose of publishing this editorial content, Eintracht Tech GmbH processes this personal data on our behalf (Art. 28 GDPR).

Should you have any queries about our marketplace presence, we will process the information you give us in order to manage your enquiry and respond to it. Art. 6 (1), sentence 1, lit. f) GDPR constitutes the basis in law for processing this data.

3.4.4 Visiting the website and personalised advertising

You may use our forum without registering an account. If you wish to play a more active role in the forum, however, you will need to log in with your account details. There is no obligation to use your real name in the forum; you may also use a pseudonym. You will be given the opportunity to enter a pseudonym when you register in the forum. We store your activity in the forum (i.e. public posts, pinboard entries, friendships, private messages, etc.) for the purpose of operating it, pursuant to Art. 6 (1), sentence 1, lit. b) GDPR. If you delete your account, your public statements, in particular contributions to the forum, will remain visible to all readers, but your account will no longer be accessible and will be flagged “[Deleted user]” in the forum. All other data will be deleted or anonymised. We store your public statements on the basis of our legitimate interest to operate the forum, pursuant to

Art. 6 (1), sentence 1, lit. f) GDPR. As a user of the forum, you have the option of subscribing to threads and/or comments after registering, pursuant to Art. 6 (1), sentence 1, lit. b) GDPR. You will receive a confirmation email to verify whether you are the owner of the email address given. You can unsubscribe from this function at any time via any link in the info mails.

3.6 Visiting the website and personalised advertising

3.6.1 Automated data processing on the website

When you access our website, your device automatically transfers certain items of data for technical reasons. The following data is stored separately from any other data that you may transfer to us:

The pages you visited on our website
The website from which you are visiting us
The operating system and web browser you are using and the screen resolution you have set
The date and time of your visit

This data cannot be used to identify you. In particular, we do not store your IP address. However, we do reserve the right to store IP addresses in specific cases if this is deemed necessary for the following purposes:

Load balancing, i.e. to spread accesses to the marketplace across several devices to give you the fastest possible loading times
Ensuring that our IT systems remain secure, e.g. to defend against specific attacks on our systems and recognise patterns of attack
Ensuring that our IT systems run properly
In the event of a specific indication of a criminal offence having taken place, this in order to aid criminal prosecution, avert risk or bring an action before court
In this case, data processing is carried out to ensure the security of processing in

accordance with Art. 32 GDPR and on the basis of our legitimate interest in protecting ourselves against the misuse of our marketplace (Art. 6 (1), sentence 1, lit. f) GDPR).

3.6.2 Cookies

We store “cookies” in order to be able to offer certain functions on our website and to optimise user experience with the site. Cookies are small files that are stored on your device with the help of your internet browser. Specifically, we use the following cookies (unless other cookies are specified elsewhere in this privacy policy or in our cookie consent):

Session cookies: these are required to store certain technical data during your visit to our website, e.g. to determine whether you have logged in or not.

The basis in law for using these cookies is Section 15 (1) TMG (German Telemedia Act) or Art. 6 (1), sentence 1, lit. b) GDPR, insofar as the cookies are needed to utilise our website and the functions you call up. Otherwise, we use cookies – as listed in this privacy policy – on the basis of consent given by you, pursuant to Art. 6 (1), sentence 1, lit. a) GDPR. Unless otherwise stated in this privacy policy, data is processed exclusively by Eintracht Frankfurt. Individual cookies are listed by name. Further information can be found in our cookie information at www.eintracht.de.

3.6.3 Analysis of your activity on the website

Subject to your consent, we use the cookies and tools provided by Eintracht Tech GmbH to analyse your activity on our website so that we can better understand the conduct of visitors to the website and continuously improve the user experience. To this end, Eintracht Tech GmbH creates pseudonymised user profiles for us. Your IP address is not stored. Data processing in this regard is based on your consent (Art. 6 (1), sentence 1, lit. a) GDPR).

You may revoke your consent at any time via our Cookie Consent Manager. Doing so will not affect the lawfulness of any processing carried out with your consent prior to you revoking your consent.

3.6.4 Use of Google Analytics

Subject to your consent, we will use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Please note that this may also entail data processing by Google LLC, which is based in the USA. As the EU Commission has yet to provide an adequacy decision in respect of the USA, we have agreed standard data privacy clauses pursuant to Art. 46 (2), lit. c) GDPR with Google as approved by the EU Commission.

Google Analytics collects pseudonymised data from you about the use of our website including your shortened IP address, and also uses cookies. This data is transferred to a Google server in the USA and stored there. Google will use this information for the purpose of evaluating your activity on the website, compiling reports on website activity, and providing other services relating to website activity and internet usage. Google may transmit this information to third parties where there is a legal requirement to do so or where third parties process this data on behalf of Google.

Your data will be stored by Google Analytics for a period of 14 months, after which the data is deleted and only aggregated statistics kept.

You can find more information on how Google Analytics handles user data in Google’s privacy policy at https://support.google.com/analytics/answer/6004245?hl=de The use of Google Analytics is based on your consent (Art. 6 (1), sentence 1, lit. a) GDPR). You can revoke your consent at any time and deactivate Google Analytics using a browser add-on. You can download this add-on here http://tools.google.com/dlpage/gaoptout?hl=de. Alternatively, you can revoke your consent by clicking here. You can also revoke your consent via our Cookie Consent Manager. Revocation does not affect the lawfulness of any processing carried out prior to you revoking consent.

3.6.5 Marketing and retargeting technologies

If you agree, Eintracht Frankfurt will create pseudonymised user profiles using cookies for the purpose of targeted advertising. This enables online campaigns to be initiated and managed in a targeted way. Pseudonymisation refers to the replacement of the user’s name and other identifying features with an indicator in order to make it considerably more difficult or even impossible for third parties to identify the person concerned. For further information on cookies, please refer to the cookie information at www.eintracht.de.

Eintracht Frankfurt uses the following cookies for these purposes:

3.6.5.1 Google remarketing and personalisation of advertising in the Google network

Subject to your consent, we use the remarketing services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Please note that this may also entail data processing by Google LLC, which is based in the USA. As the EU Commission has yet to provide an adequacy decision in respect of the USA, we have agreed standard data privacy clauses pursuant to Art. 46 (2), lit. c) GDPR with Google as approved by the EU Commission.

Google uses cookies to record your activity on our website in order to show you interest- based advertising for our products across devices on other pages within the Google advertising network. This includes Google Search and other sites operated by Google and its subsidiaries, as well as sites operated by Google’s advertising partners. The information is transmitted to Google and Google’s partners accordingly. Any further data processing will only take place if you have consented to Google linking your browser history to your Google account and to using information from your Google account to personalise ads that you see on the Internet. In this case, if you are logged in to Google while visiting our website, Google will use your data together with Google Analytics data to create and define target group lists for cross-device remarketing. For this purpose, Google temporarily links your personal data with Google Analytics data in order to create target groups.

The use of these services is based on your consent (Art. 6 (1), sentence 1, lit. a) GDPR). You may revoke your consent via our Cookie Consent Manager. Doing so will not affect the lawfulness of any processing carried out with your consent prior to you revoking consent. What is more, the remarketing cookie is automatically deleted after 14 months. Basic information on the processing of your personal data by Google can be found here: https://policies.google.com/privacy?hl=de.

You also have the following setting options with Google:

You can deactivate personalised advertising from Google: www.google.com/ads/preferences
You can deactivate personalised advertising based on your device: (https://support.google.com/ads/answer/1660762#mob)
You can deactivate personalised advertising via your browser: (http://optout.networkadvertising.org/?c=1)

3.6.5.2 Microsoft Ads

Subject to your consent, we use Microsoft Ads, a service provided by Microsoft Ireland Operations, Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (“Microsoft”). Please note that this may also entail processing by Microsoft Inc. based in the USA. As the EU Commission has yet to provide an adequacy decision in respect of the USA, Microsoft uses the standard data privacy clauses approved by the EU Commission, which constitute a suitable guarantee within the meaning of Art. 46 (2), lit. c) GDPR for transferring data to third countries.

Microsoft uses cookies to record your activity on our website in order to show you interest- based advertising for our products across devices on other pages within the Microsoft advertising network. This includes Bing search and other sites operated by Microsoft and Microsoft subsidiaries, as well as sites belonging to Microsoft’s advertising partners. As such, the information is transferred to Microsoft and Microsoft’s partners. Any further data processing will take place only if you have consented to Microsoft linking your browser history to your Microsoft account and using information from your Microsoft account to personalise advertisements that you see on the Internet. In this case, if you are logged in to Microsoft while visiting our website, Microsoft will use your data to create and define target group lists for cross-device remarketing.

The use of these services is based on your consent (Art. 6 (1), sentence 1, lit. a) GDPR). You may revoke your consent via our Cookie Consent Manager. Doing so will not affect the lawfulness of any processing carried out with your consent prior to consent being revoked. What is more, the remarketing cookie is automatically deleted after 14 months. Basic information on the processing of your personal data by Microsoft can be found here: https://privacy.microsoft.com/de-de/privacystatement.

3.6.5.3 Use of Facebook Pixel

Subject to your consent, we use “Facebook Pixel” (Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, and in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, “Facebook”). As the EU Commission has yet to provide an adequacy decision in respect of the USA, Microsoft uses the standard data privacy clauses approved by the EU Commission, which constitute a suitable guarantee within the meaning of Art. 46 (2), lit. c) GDPR for transferring data to third countries.

The Facebook pixel allows target groups for Facebook adverts (so-called Facebook ads) to be determined. The pixel is activated the moment a user accesses our website. If the user is logged into their Facebook account at the same time or decides to visit Facebook pages after perusing our website, Facebook can establish a connection with the visit to our website. A pixel is used to analyse the visitor’s actions on our website. Data obtained in this way can be used to create user profiles that are used to display adverts of interest to the user, both inside and outside Facebook. Basic information on how Facebook processes and uses your data, along with settings options for protecting your privacy when using Facebook are contained in Facebook’s privacy guidelines at https://de- de.facebook.com/privacy/explanation.

We use Facebook Pixel on the basis of your consent (Art. 6 (1), sentence 1, lit. a) GDPR). You can revoke your consent at any time via our Cookie Consent Manager. Doing so will not affect the lawfulness of any processing carried out with your consent prior to you revoking consent.

3.6.6 Use of social media links

If you wish, you can share content from our website on social networks via social plugins. To this end, we have provided a two-click solution. If you wish to share content via a plugin, you must first click on the icon of the corresponding social network. This click then activates the respective plugin.

Only then will various data be transferred to the respective social network. This may include:

The date and time of your visit to the website
The URL of the website you are on
The URL of the website you visited previously (“referrer”)
The browser you are using
The operating system you are using
Your IP address

If you are logged in to a social network at the same time as visiting our website, it is possible that the provider will associate the visit with your account. When you use a plugin function (e.g. clicking the “Like” button, posting a comment, etc.), this information is transferred directly from your browser to the respective social network and may be stored there. Information on the purpose and scope of data collection and how the social networks process and use your data can be found in the data privacy policies of the respective network.

3.6.6.1 YouTube

Our website uses plugins from the YouTube website operated by Google. The operator of the pages is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. When you visit one of our pages equipped with a YouTube plugin, a connection to the YouTube servers is established. The YouTube server is informed which of our pages you have visited. We use the integrated functions to safeguard our legitimate interests in analysing and optimising our online offer (Art. 6 (1), sentence 1, lit. f). When you are logged into your YouTube account, you are enabling YouTube to associate your surfing activities directly with your personal profile. You can prevent this by logging out of your YouTube account.

Further information on how user data is handled can be found in YouTube’s privacy policy at: https://www.google.de/intl/de/policies/privacy

3.6.6.2 Vimeo

Our website uses plugins of the Vimeo website. The operator of these pages is Vimeo, 555 West 18th Street, New York, NY 10011, USA. When you visit one of our pages equipped with a Vimeo plugin, a connection to the Vimeo servers is established. The Vimeo servers are then informed which of our pages you have been to. When you are logged into your Vimeo account, you are enabling Vimeo to associate your surfing activities directly with your personal profile. You can prevent this by logging out of your Vimeo account.

Please consult the data privacy policy of Vimeo at https://vimeo.com/privacy for details on how the company manages user data.

3.6.6.3 Pinterest tags

Our website uses Pinterest tags from the site www.pinterest.de. The operator of the pages is Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. We use the Pinterest tag to place a “base code” on every website. This is the basis for tracking your activities on a website. We also integrate an “event code” into the pages on which we record certain conversions. In this way, we can ensure that you are shown customised advertising based on your interests and can track the actions you take on a website after clicking on a Pinterest ad. When you access a page with a Pinterest tag, your browser establishes a direct connection to the Pinterest servers. The Pinterest tag then transfers the following personal data to Pinterest:

The date and time of your visit to the website
The URL of the website you are on
Information on the device you are using
The operating system you are using
The IP address
Your activity on the corresponding website

Further information on how Pinterest manages user data can be found in the company’s privacy policy at: https://policy.pinterest.com/de/privacy-policy.

3.6.7 Data processing on our Facebook fan page

We maintain an online presence (“Facebook fan page”) on the social network Facebook, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter: “Facebook”). If you visit or “like” our Facebook page as a registered Facebook user, Facebook will collect personal data from you. Even if you are not registered with Facebook and visit our Facebook page, Facebook may collect pseudonymised usage data from you.

As part of this fan page, Facebook conducts a statistical analysis that provides information on the activities of the fan page (known as “Facebook Insights”). As a result, we have access to far-reaching statistics that tell us how our Facebook pages are being used. The analysis allows us to see which activities on our fan page have generated a particularly high level of interest. The statistics are anonymous and do not allow any conclusions to be drawn about your person. As the operator of the fan page, we have no means of obtaining information about you personally via Facebook. The analysis is carried out automatically by Facebook and cannot be deactivated.

With regard to how data is processed in the context of the “Facebook Insights” analysis function, Facebook and our company are considered joint controllers within the meaning of Art. 26 (1) GDPR. According to the GDPR, joint controllers are obliged to stipulate in an agreement which controller fulfils which obligations under the regulation. A corresponding agreement between Facebook and us can be found at: https://www.facebook.com/legal/terms/page_controller_addendum.

According to this agreement, Facebook assumes responsibility for the processing of Facebook Insights data and assumes all obligations under the GDPR with regard to this data. In particular, Facebook undertakes to discharge the information duties under Art. 13, 14 GDPR with regard to data subjects, and to act as a contact point for the assertion of rights of data subjects. Since only Facebook has access to the data it collects via Facebook Insights, we recommend that you direct any requests for information and any other rights, e.g. the right to rectification, erasure, restriction of processing, objection, or cancellation, directly to Facebook at https://www.facebook.com/about/privacy. However, you are welcome to contact us if you have any questions.

With regard to the basis in law for our processing of your personal data when you visit our Facebook fan page, we refer to the need to protect our legitimate interests in accordance with Art. 6 (1), lit. f) GDPR. Our legitimate interest lies in the wish to analyse and optimise our online offering. By accessing anonymised statistics, we can make the posts on our pages even more attractive and improve our communication with and the information we provide to our users. The statistics are also used for market research and advertising purposes, e.g. by displaying adverts that are tailored to the interests and habits of our customers. In order to support statistical evaluation, cookies are usually stored on your computer when you visit our Facebook fan page, which register your surfing and activity. We have no influence on how Facebook processes data. We also draw your attention to the fact that data processed through the use of Facebook is stored solely by Facebook. Your personal data may also be made available to other Facebook companies. This may result in personal data being transferred to the USA and other third countries for which the EU Commission has not provided adequacy decisions. In this case, Facebook will use the standard data privacy clauses approved by the EU Commission. Further information can be found in Facebook’s own data policy.

Further information on the processing and use of data by Facebook can be found at https://www.facebook.com/about/privacy/ and at https://www.facebook.com/legal/terms/information_about_page_insights_data. Settings for your Facebook account to protect your privacy, together with options for objecting to the use of data can be found at: https://www.facebook.com/settings?tab=ads.

3.7. Accreditation

Eintracht Frankfurt issues accreditation passes for access to matches at Deutsche Bank Park. The personal data listed below is processed in this context:

3.7.1 Personal data that we process

During the accreditation process, we will record the name, address, company and, if applicable, position of the applicant or contact person of the participating organisation (e.g. company), along with other personal data as the individual case requires. We will also request contact details such as your telephone number and email address. Please use the “Other details” section on the registration form to provide us with any optional information you consider important for the accreditation process.

3.7.2. Purpose of processing and basis in law

We require the above data in order to issue your accreditation pass, and to plan, execute and secure the event. We will register the aforementioned contact details so as to be able to confirm your registration, answer any queries, or provide you with further information on the programme or any last-minute changes. Art. 6 (1), sentence 1, lit. b) GDPR constitutes the basis in law for this data processing. In order to participate in the respective event, you must provide the information marked as mandatory. However, you are neither contractually nor legally obliged to participate in the events and thus to provide the data.

3.8. Video surveillance in Eintracht Frankfurt fan shops

This information applies exclusively to video surveillance conducted at Deutsche Bank Park and in designated car parks.

3.8.1 General information on video surveillance in Eintracht Frankfurt fan shops

Video surveillance in Eintracht Frankfurt fan shops covers the interior of the fan shop (“fan shop”). All entrances to fan shops are equipped with appropriate signs indicating that video surveillance is taking place.

Video surveillance is conducted exclusively to ensure your safety, the safety of Deutsche Bank Park, and to safeguard and enforce your and our rights.

Video surveillance records images but not sound. Different types of camera are used for video surveillance. Recording functions are reduced to the minimum required.

Video recordings may contain personal data in the form of images of natural persons. Special categories of person, such as minors or disabled persons, may be recorded on video as well.

3.8.2 Data, purposes and basis in law of data processing

The video recordings from the surveillance cameras are moving images that can also be saved as clips, if required. The video recordings could mean that individuals are identified in person. Special categories of person, such as minors or disabled persons, may be recorded on video as well. This is particularly the case if the recordings are enlarged either during recording or afterwards by zooming in on a clip. Video recordings may be combined with other items of personal data if this is deemed necessary for the purposes described below (for example, clips with the name of an injured person and a description of the incident may be compiled in a report if this is required to process the incident). The operation of video cameras and the processing of video recordings with surveillance cameras serves the purposes stated below:

Prevention and prosecution of criminal offences and misdemeanours
Assertion or defence of claims under civil law
Enforcement of domiciliary rights
Ensuring the safety/security of the fan shop

The basis in law for conducting and processing video recordings is the pursuit of our legitimate interests pursuant to Art. 6 (1), sentence 1, lits. f) and b) GDPR, together with Section 4 (1) BDSG (German Federal Data Protection Act). These interests are: protection of the life, health and freedom of persons in the fan shop, protection of property, prosecution and prevention of criminal offences and misdemeanours.

3.8.3 Duration of storage and criteria for determining the duration

The video surveillance cameras are in operation every day and, in some cases, continuously, i.e. 24 hours a day, seven (7) days a week. The images recorded by the video surveillance cameras are stored on our servers in Germany. As a rule, the video recordings from the surveillance cameras are stored for a maximum of 72 hours. Above and beyond this, we store video recordings and any associated personal data solely in order to assert or defend against legal claims and to comply with legal obligations, or if the law requires us to store the images for longer periods. After the period has expired – and provided that the video recordings do not require further storage for other reasons mentioned – they will be deleted and the corresponding storage space overwritten with a new recording.

3.9. Newsletter and other mailshots

You can sign up to the marketplace of Eintracht Tech GmbH to receive topical newsletters of Eintracht Frankfurt Fußball AG. To register, we need your email address. As an option, you may also provide us with your title and name. If you do so, we will use this information to address you personally in correspondence. After submitting the registration form, you will receive a confirmation email from us. Your registration only takes effect when you click on the link in the confirmation email. You will then receive the regular newsletter(s) you have ordered. We carry out the above processing based on the consent you gave us in accordance with Art. 6 (1), sentence 1, lit. a) GDPR. By signing up for our newsletter, you consent to us processing your email address to dispatch the newsletter, and also the data we have stored on your email address to personalise the newsletter and, with the aid of cookies, analyse your reading and usage habits when using the newsletter and our website. When you sign up for the newsletter, we store your device’s IP address as well as the date and time of registration. We need to process this data in order to be able to prove that consent has been given. The basis in law arises from our legal obligation to provide evidence of your consent (Art. 6 (1), sentence 1, lit. c) in conjunction with Art. 7 (1) GDPR).

Unsubscribing from the newsletter

Receipt of our newsletter is subject to the criteria mentioned above. If you would prefer us not to process this data in this way, please do not sign up for the newsletter or, if you have already signed up, please unsubscribe. A link to unsubscribe from the newsletter is included in each email. You can also unsubscribe by sending an email to info@eintrachtfrankfurt.de with the subject line “Unsubscribe newsletter”, or by notifying us of your desire to cancel using the contact details provided in the legal notice or in this privacy policy. You can revoke your consent to receive future topic-related newsletters and promotional emails at any time. In that case, your email address will be deleted immediately from the respective mailing system.

Other mailshots

In addition to newsletters, we may also send you other email notifications and process your email address for this purpose. If we already have your email address from a previous agreement and you have not objected to our using this address, we may send you promotional information on similar products (Art. 6 (1), sentence 1, lit. f) GDPR and Section 7 (3) UWG (Unfair Competition Act). In all other cases, you will only receive promotional emails if you have given your consent (Art. 6 (1), sentence 1, lit. a) GDPR – see above information on newsletters).

Mailshots necessary in the context of our business relationship, such as contract confirmation mails, contact management, processing of enquiries and the like, and which have no promotional content, are sent to you for the purpose of fulfilling our contract or pre- contractual enquiries (Art. 6 (1), sentence 1, lit. b) GDPR) or on the basis of the legitimate interest we have in communicating with you in the context of our existing business relationship (Art. 6 (1), sentence 1, lit. f) GDPR).

We use a system from Eintracht Tech GmbH, an Eintracht company, for dispatching our newsletters and other mailshots. This company processes the personal data needed to dispatch the newsletter and other mailings on our behalf (Art. 28 GDPR).

3.10 Enquiries

We process the personal data listed below to respond to your enquiries: Name, email address, content of your message. We process your personal data in order to fulfil the contract (Art. 6 (1), sentence 1, lit. b GDPR).

If your enquiry concerns other Eintracht Frankfurt companies, we will coordinate with them in order to process your enquiry (Art. 6 (1), sentence 1, lit. b) GDPR). We will process your personal data only for as long as is necessary to answer your enquiry. We will only store your personal data beyond this period if we are obliged to assert or defend against legal claims, or if there is a legal requirement for us to retain the data for a longer period.

3.11 Use of customer databases with other Eintracht companies

We share centralised customer databases with other Eintracht companies. Access to customer data is regulated by a documented access concept. The data is stored so that we can avoid duplicate storage, effectively manage our business contacts, and manage our contracts (Art. 6 (1), sentence 1, lit. f) GDPR). In addition, for marketing purposes, the Eintracht companies automatically enrich the data of users identified as customers of the respective Eintracht company with data from various areas of the customer database (Art. 6 (1), sentence 1, lit. f) GDPR). This may include information from surveys you can complete in the marketplace. Provided we have notified you in a separate communication, if you take part in surveys, we will save your answers to your user account and use them to suggest products tailored to your interests or, if we have your consent to write to you, send these to you. In this case, the need to process your data is founded on our legitimate interest and that of Eintracht companies in efficiently advertising products of relevance to you (Art. 6 (1), sentence 1, lit. f) GDPR). In addition, we use our current access concept to synchronise the central customer databases in respect of any changes you communicate to one of the Eintracht companies participating in these databases that affect other Eintracht companies. This processing is founded on our legitimate interest to maintain correct, up-to-date and uniform customer data records (Art. 6 (1), sentence 1, lit. f) GDPR. We are jointly responsible with the other Eintracht companies for processing data in the context of our customer databases (Art. 26 GDPR). Details of the joint processing procedures, along with key excerpts from our joint accountability agreement can be found here.

3.12. Use of Alexa Skill

We collect and process your data when you use the voice recognition software Alexa Skill of Amazon (the operator is Amazon.com, Inc., 440 Terry Avenue North, Seattle, WA 98109, USA) (“the Eintracht Frankfurt Skill”). The data is stored exclusively as a pseudonym. Your pseudonymised user ID from Amazon serves as the basis for storing the data. The items of data recorded are:

The date and duration of use of the Eintracht Frankfurt Skill
Queries submitted to the Eintracht Frankfurt Skill
Answers provided by the Eintracht Frankfurt Skill
Error messages provided when using the Eintracht Frankfurt Skill

Data is processed as follows: Once you have opened the Eintracht Frankfurt Skill, you can submit a query by making a voice input. To process the query, we receive an individual, pseudonymised user ID from Amazon the moment the Eintracht Frankfurt Skill is activated. Amazon also converts your voice query into text and forwards it to us for processing. If the Eintracht Frankfurt Skill has a suitable response to your query, we will forward the answer to Amazon so that it can be output to you. The way in which data is processed before Amazon sends us one of your queries or requests, and what happens to this data after we have sent an answer for you to Amazon is beyond our sphere of influence and responsibility. Our responsibility for processing your data begins from the time we receive the data from Amazon and ends when we submit a response to Amazon for transfer back to you.

The queries and requests you send us are anonymised the moment we issue a response to Amazon, and cannot be associated with you from then on. We store your processed data for as long as you keep the skill activated. Your unique ID is deleted every time you deactivate the skill; user-specific tracking does not take place. We delete data stored for the purpose of maintaining and improving the skill after a period of 30 days (date and duration of use, queries issued to the voice assistant, error messages). Insofar as we process your data to the extent described above, we are authorised to do so in accordance with Art. 6 (1), lit. b) GDPR, as this processing is absolutely necessary to fulfil your request.

4 Automated individual decision-making and profiling

We do not use fully automated decision-making processes, or profiling.

5 Sharing of data with third parties

Above and beyond the scenarios described, your personal data will only be shared with a third party without your express prior consent in the cases described below.

If it is necessary to clarify the unlawful use of our services or an action is being brought before court, personal data will be shared with the prosecuting authorities
and, if necessary, to the injured third parties. However, this will happen only if there are specific indications that unlawful or improper conduct has taken place. Data may
also be shared if doing so serves to assert agreed terms of use or other arrangements. Moreover, we are legally obliged to provide information to certain public authorities on request. These are law enforcement authorities, authorities that prosecute administrative misdemeanours subject to fines, and the tax authorities.

We share this data on the basis of our legitimate interest in combating misuse, prosecuting criminal offences and securing, asserting and enforcing claims, as your rights and interests in protecting your personal data do not outweigh this interest (Art. 6 (1), sentence 1, lit. f) GDPR, or on the basis of a legal obligation on our part pursuant to Art. 6 (1), sentence 1, lit. c) GDPR.

We share personal data with auditors, accountancy service providers, lawyers, banks, tax consultants and other such bodies insofar as this is necessary in order for us either to provide services (Art. 6 (1), sentence 1, lit. b) GDPR), conduct our business properly (Art. 6 (1), sentence 1, lit. f) GDPR), or due to a legal obligation incumbent on us (Art. 6 (1), sentence 1, lit. c) GDPR).
In certain cases, we need to use contractually affiliated third-party companies and external service providers (“processors”) in order to provide our services. Here, we share personal data with these processors to enable them to continue processing this data. We carefully select and regularly review these processors to ensure that your rights and freedoms are protected. Processors may only use the data for the purposes specified by us and are also contractually obliged by us to handle your data exclusively as stipulated in this privacy policy and in the German data protection laws.

Besides the processors already mentioned, we use the following organisations:

Web hoster (YUM GmbH, Lindleystraße 8A, 60314 Frankfurt am Main);
CRM System (Salesforce.com Germany GmbH, Wiesenhüttenplatz 25, 60329 Frankfurt am Main).

Data is shared with processors on the basis of Art. 28 (1) GDPR.

In the course of developing our business, the structure of Eintracht Frankfurt Fußball AG may change due to an amendment of legal form, or due to our establishing or buying/selling subsidiaries or parts of companies. When such transactions occur, customer information is passed on with the part of the company being transferred. Whenever personal data is passed on to third parties to the extent described above, we ensure that this is conducted in accordance with this data privacy policy and the pertinent data protection laws.

Any disclosure of personal data is justified by the fact that we have a legitimate interest in changing the legal form of our company to suit the current economic and legal circumstances (Art. 6 (1), sentence 1, lit. f) GDPR).

6 Your rights

You may exercise the following rights in relation to Eintracht Frankfurt at any time and free of charge:

Right of access under Art. 15 GDPR in conjunction with sections 29 and 34 of the German Federal Data Protection Act (BDSG): you are entitled to receive information from us on the processing of your personal data.

Right to rectification under Art. 16 GDPR: you are entitled to insist that we rectify personal data pertaining to yourself that is incorrect or incomplete.

Right to erasure (“right to be forgotten”) under Art. 17 GDPR in conjunction with section 35 BDSG: you are entitled to insist on the erasure of your data, subject to the preconditions indicated in Art. 17 GDPR. For example, you may demand that your data be deleted if it is no longer required for the purposes for which it was collected. You may also request that your data be erased if we process your data on the basis of your consent and you subsequently revoke this consent.

Right to restriction of processing under Art. 18 GDPR in conjunction with section 35 BDSG: you are entitled to demand that processing of your data be restricted subject to the preconditions contained in Art. 18 GDPR. For example, these preconditions will be fulfilled if you dispute the correctness of your data. You may then demand that processing of your data be restricted while the correctness of the data in question is reviewed.

Right to object under Art. 21 GDPR: you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning yourself which is based on Art. 6 (1), sentence 1, lit. e) or (f). This applies also to any profiling based on these provisions.

We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for said processing which override your interests, rights and freedoms, or which are required to establish, exercise or defend against legal claims. If your personal data is being used for direct marketing, you have the right to object at any time to your data being processed for this purpose. The same applies to profiling, provided that it is related to direct marketing.

Right to data portability under Art. 20 GDPR: you have the right to receive your data in a structured, commonly used and machine-readable format and to transfer this data to another data processor, provided that data processing is based on consent or contract fulfilment and that automated processing methods are used.

Right to revoke consent: if data processing is based on your consent, you are entitled to revoke your consent at any time with future effect and free of charge, by contacting datenschutz@eintrachtfrankfurt.de or using the contact details provided in the legal notice. Please note that, even if you revoke your consent, your data may still be processed if this is required by law.

Right to lodge a complaint under Art. 77 GDPR: you may lodge a complaint with a supervisory authority (e.g. with the Officer for Data Protection and Freedom of Information of the state of Hesse) regarding our processing of your data.

Data processing when exercising your rights. Finally, we point out that we process your personal data also in order to exercise your rights under Arts. 15 to 22 GDPR, i.e. for the purpose of implementing these rights and providing evidence that we have done so. The basis in law for this data processing is Art. 6 (1), sentence 1, lit. c) GDPR in conjunction with Arts. 15 to 22 GDPR and Section 34 (2) BDSG.

7 Changes to this privacy policy

We reserve the right to update this data privacy policy from time to time. We will publish any updates to the policy on our website. Any amendments will come into effect following their publication on the website. We therefore advise you to visit this website regularly to see whether the privacy policy has been updated in the meantime.

8 Your contacts in data privacy matters

Should you have any privacy-related concerns or wish to exercise your data protection rights, please contact Eintracht Frankfurt in the first instance at the following address:

Eintracht Frankfurt Fußball AG Data Protection Officer Im Herzen von Europa 1 60528 Frankfurt am Main datenschutz@eintrachtfrankfurt.de