Header Logo

Data protection

Data protection

Privacy policy – BVB online shop

I. General information on data processing

Your privacy and the handling of your personal data are of paramount importance to all of us at Borussia Dortmund GmbH & Co. KGaA and our affiliates (BVB Merchandising GmbH, BVB Stadionmanagement GmbH, BVB Event & Catering GmbH, BVB Stiftung, besttravel Dortmund GmbH, Fußballakademie GmbH, BVB Asia Pacific Pte. Ltd.) and BV. Borussia 09 e.V. Dortmund. We process your data solely in accordance with the requirements of the EU General Data Protection Regulation (GDPR) in conjunction with the German Federal Data Protection Act (BDSG). Personal data that is required by all departments (referred to as "master data") is available to the entire Group. If data is only needed to provide specific services in individual departments, it is only available to the employees there and then only to the extent they are responsible for performing the respective tasks.

II. Name and address of the controller

For Borussia Dortmund GmbH & Co. KGaA and its affiliates, the controller within the meaning of the GDPR is firstly

Borussia Dortmund GmbH & Co. KGaA

Rheinlanddamm 207–209

44137 Dortmund

Germany

Tel.: +49(0)231 - 90 20 0

E-mail: [email protected]

Website: www.bvb.de

and secondly

LEGENDS International GmbH

Winterstraße 2

22765 Hamburg

Germany

Borussia Dortmund GmbH & Co. KGaA and LEGENDS International GmbH are joint controllers with respect to the processing of personal data.

III. Contact details for the data protection officer

You can contact the data protection officer at:

Ulf Haumann, RA, LL.M.

c/o Borussia Dortmund GmbH & Co. KGaA

Rheinlanddamm 207–209

44137 Dortmund

Germany

Tel.: +49(0)231 - 90 20 0

E-mail: [email protected]

Website: www.bvb.de

IV. Data transfer

1. Under data processing agreements

As a rule, your data will not be transferred. However, in special cases (e.g., credit checks), this may be necessary and contractually stipulated in our Standard Terms and Conditions. We transfer data to our service providers (e.g., shipping and payment service providers; provision of shipping updates) on the basis of data processing agreements in accordance with Article 28 GDPR.

2. Conditions for transferring personal data to third countries

Your personal data may be transferred or disclosed to third-party companies in the context of our business relationships. These may also be located outside the European Economic Area (EEA), in other words in third countries. Such processing takes place for the sole purpose of meeting contractual and business obligations and maintaining your business relationship with us. Please see the relevant points below for the respective details of the transfer. For some third countries, the European Commission adopts an adequacy decision certifying that their level of data protection is comparable to the EEA standard (a list of these countries and a copy of the adequacy decisions can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. However, other third countries, to which personal data may be transferred, may lack a consistently high level of data protection due to the absence of legal provisions. In this case, we make sure that data protection is adequately guaranteed. This can be done by means of binding corporate rules, the European Commission's standard contractual clauses, certificates, or recognised codes of conduct.

V. Making the website available and creation of log files

Every time you visit our website, our system automatically collects data and information concerning your computer system. The data collected includes the following:

(1) Information on the browser type and the version used

(2) Your operating system

(3) Your IP address

(4) Date and time of access

(5) Websites from which your system accesses our website

This data is saved in our system's log files. The data referred to above is not saved together with other personal data.

Our system has to save your IP address temporarily so that the website can be displayed on your computer. Your IP address has to remain saved for the duration of your visit to the website. This means that storage in log files enhances the functionality of the website. We also use this data to optimise our website and protect our IT systems. The data is not used for marketing purposes within this context. The legal basis for the temporary storage of the data and the log files is Article 6(1)(f) GDPR.

The data is stored for as long as is necessary to achieve the purpose for which it was collected. If data is required to make the website available, this data is deemed to no longer be required when the session in question ends. The data is then deleted automatically. As far as the storage of data in log files is concerned, this data is no longer required after seven days at the latest. If, however, we continue to save the data referred to above, your IP address will be erased or modified so that it can no longer be matched with the Internet connection that accessed the site.

The recording of data to make the website available and the storage of data in log files are absolutely essential for the operation of the website.

2. LEGENDS International GmbH processes your data for the following purposes only:

To provide the service requested by customers and users, which also includes:

· Registering on our website (if you decide to do so) in order to save your data for future transactions.

· Managing orders: editing orders already placed, shipping the order and managing invoicing and payment. This is all based on compliance with the Standard Terms and Conditions of the online shop.

To manage the relationship with the customer and users, which comprises:

1. Customer service and processing of messages required for the provision of products and enquiries from customers and users.

2. Management of complaints and requests for information connected with products purchased via the online shop.

3. Customer loyalty activities, including sending customer satisfaction surveys and reminders about online sales not yet finalised.

4. Statistical analysis of transactions and complaints as part of the process of continually improving our services.

This is all based on the legitimate interest of LEGENDS International GmbH in ensuring the continuity of its business activities and maintaining a relationship with our customers and users that is as satisfactory as possible for them. This also applies to the accounting and tax management of the business activities, as this is necessary to fulfil the statutory obligations incumbent on the owner of the online shop.

V. Use of cookies and other technologies (web analytics/tracking)

If, and only if, you have given your consent, we will also process your data to send marketing communications about the online shop and associated products, including by electronic means and using profiling, and to conduct subsequent statistical analysis. The data is also processed to analyse the usage of and web traffic in the online shop, since this is required for the purpose of our legitimate interest in improving the online shop, the user experience and the products and services on offer. In addition, and in exceptional cases only, Borussia Dortmund GmbH & Co. KGaA and LEGENDS International GmbH may also, either individually or jointly, process your data for monitoring and security purposes, for legal counsel and to comply with the law, since this is required for the purpose of our legitimate interest in defending our interests and rights and to comply with the legal obligations incumbent on us. If you have consented to the use of cookies via the website, please also note that your data will be processed for the purposes stated in our cookie policy for each type of cookie.

We use what are known as "cookies" on our website. Cookies are text files that are stored in/by your Internet browser on your computer system. When you access our website, a cookie may be stored on your system.

This streamlines navigation and improves the user experience. Cookies also help us identify particularly popular areas of our website. Cookies are text files that are stored in/by your Internet browser on your computer system. When you access our website, a cookie may be stored on your system. These contain a custom character string that enables information to be stored for a specific period of time and to identify your end device.

Sections 1 ("Necessary cookies"), 2 ("Statistical technologies") and 3 ("Marketing technologies") below provide details on the types of cookies that we use and the data processed in each case. Unless the sections below refer to different deletion periods, the following applies in summary to the storage period, irrespective of the type and purpose of the cookies:

You have full control over the use of cookies. They are saved on your computer and the data is then transmitted from your computer to us. While most browsers are configured to accept cookies by default, you can change your browser settings to deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. You can also change your browser settings so that cookies are deleted automatically. If cookies are generally deactivated for our website, you may no longer be able to use all of the website functions in full. When you visit our website, an information banner will draw your attention to the aforementioned use of cookies and to this privacy policy. We would ask you to consent to the use of cookies by clicking on the "I agree" button. You can object to the use of cookies at any time. You can do this either by not agreeing to the use of cookies when the banner is displayed in the first place, or by changing your browser settings accordingly.

1. Necessary cookies

These services, technologies and cookies are necessary to guarantee the core functions of the website and to perform contracts with customers and cooperation partners. The cookies save and transmit the following data:

(1) Session ID

(2) Login ID

(3) Shopping basket ID

Cookies are a technical requirement for the following purposes:

(1) Personalised salutation

(2) To keep items in your shopping basket across multiple browser sessions. The data collected by technically necessary cookies is not used to create user profiles.

The legal basis for their use is Article 6(1) sentence 1(b) (steps prior to entering into/performance of a contract), (c) (if there is a legal obligation) and/or (f) GDPR (overriding legitimate interest). The legitimate interest referred to above lies in particular in monitoring the technical performance of the website and our interest in the cost-effective use of partner sales channels. As such, they cannot be deactivated via our consent management system or by you as a website user. If you object to the use of these cookies or configure your browser accordingly, our website will not recognise your browser and you may not be able to access certain content, or data (e.g. from an input mask) may be lost. The information set out in section II. applies with regard to the storage period for technically necessary cookies.

1.1 Tag management system

The processing operations within this category control the delivery of services, technologies and cookies, without storing the data collected in the context of those services. At the same time, the tag management systems themselves do not collect or store data. The system is used to implement your choice of privacy settings. The following technologies and service providers are used:

– easy Marketing Tag Manager

1.2 Technically necessary website technologies

The processing operations within this category are used to ensure smooth use of the website and its functions. Without them, it is not possible to use functions such as the shopping basket summary.

The following technologies and service providers are used:

– Own website cookies

1.3 Consent management platform (CMP)

We have integrated the "consentmanager" consent management tool (www.consentmanager.net) developed by consentmanager AB (Håltgelvågen 1b, 72348 Västerås, Sweden, [email protected]) into our website to request consent for data processing and the use of cookies and comparable functions. You can use "consentmanager" to grant or refuse to grant your consent for specific functions of our website, e.g., for the purposes of integrating external elements, integrating streaming content, statistical analysis, audience measurement and personalised ads. You can use "consentmanager" to grant or refuse to grant your consent for all functions or to grant your consent for individual purposes or individual functions. You can also change these settings at a later date. The purpose of integrating "consentmanager" is to enable website users to decide on the above matters and to change settings during subsequent use of the website. The use of "consentmanager" involves processing personal data and information on the end device used (IP address, language, browser, etc.) and sending these to consentmanager AB. In addition, the information about your settings is stored on your end device.

The legal basis for processing is Article 6(1) sentence 1(c) GDPR in conjunction with Article 7(1) GDPR, to the extent the processing serves the statutory duty to demonstrate that consent has been given. Otherwise, Article 6(1) sentence 1(f) GDPR is the relevant legal basis. Our legitimate interest in the processing lies in storing user settings and preferences in relation to the use of cookies, and analysing consent rates. Another request for consent is made at the latest 24 months after the settings are selected. The user settings selected are then stored again for this period unless you delete the information on user settings on your end device at an earlier date.

You can object to the processing, to the extent it is based on Article 6(1) sentence 1(f) GDPR. Your right to object is based on grounds relating to your particular situation. To object, please e-mail [email protected].

1.4 Payment settlement with cooperation/affiliate partners

The processing operations within this category enable an exchange of information with cooperation partners for the purposes of settling payments and fees. Statistical transaction data is collected and processed for this purpose.

The following technologies and service providers are used:

– e.g., AWIN (https://www.awin.com/de/rechtliches/privacy-policy)

1.5 Basic web analytics (excl. customer IDs)

The processing operations within this category are used for the following purposes: for non-personal traffic analysis, incident monitoring and alerts, fraud detection, IT management, audience measurement, product development and improvement, and navigation tracking.

The following technologies and service providers are used:

– Google Analytics – https://policies.google.com/technologies/partner-sites?hl=de

– easy Marketing – https://easy-m.de/datenschutz

2. Statistical technologies

Our website also uses cookies that allow your browsing behaviour to be analysed. Technical measures are in place to pseudonymise the data collected by these cookies. This means that the data can no longer be traced back to you. This data is not saved together with your other personal data.

The following data can be transmitted within this context:

(1) Frequency of page views

(2) Use of website functions

We use analysis cookies to improve the quality of our website and its content. The analysis cookies show us how the website is being used, allowing us to optimise the products and services we offer on an ongoing basis. These purposes also establish our legitimate interest in the processing of the personal data pursuant to Article 6(1)(f) GDPR.

If you object to the use of these cookies or configure your browser accordingly, this will not have any disadvantages for you. All of the website functions will remain available.

The information set out in section II. applies with regard to the storage period for cookies to analyse browsing behaviour.

2.1 Website statistics and analytics

Expanding on the basic web analytics, subject to your consent the advanced web analytics also involves collecting pseudonymised usage profiles. These are profiles, pseudonymised by means of IP anonymisation, that can be linked with online transaction data from the online shop in a way that can identify natural persons.

2.1.1 Google Analytics

We use Google Analytics, a web analytics service provided by Google, 1600 Amphitheatre Parkway , Mountain View, CA 94043, USA (hereinafter referred to as: "Google"). This service uses cookies. Data generated by the cookie about your use of the website is usually transmitted to a Google server in the USA and stored there.

Google will use this information on our behalf to evaluate the use of our website, to compile reports on the activities within this website and to provide us with further services relating to the use of this website and the use of the Internet. Pseudonymous user profiles can be created using the data that is processed within this context.

We only use Google Analytics with IP anonymisation enabled. This means that Google truncates your IP address within Member States of the European Union or other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted from your browser is not merged with other data from Google.

You can prevent the storage of cookies by configuring your browser software accordingly; you can also prevent Google from storing the data relating to your use of the website generated by the cookie and from processing this data by downloading and installing the browser plug-in that is available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

You can find further information on how Google uses data for advertising purposes, as well as on your options for configuring your settings and for raising objections, on Google's website: https://www.google.com/intl/de/policies/privacy/partners/ ("How Google uses information from sites or apps that use our services"), http://www.google.com/policies/technologies/ads ("How Google uses cookies in advertising"), http://www.google.de/settings/ads ("Manage the information Google uses to show you ads") and http://www.google.com/ads/preferences/ ("Choose which ads Google shows you").

As an alternative to the browser add-on or within browsers on mobile devices, please follow this link http://tools.google.com/dlpage/gaoptout?hl=de to prevent Google Analytics from collecting data on this website in the future. This will store an opt-out cookie on your device. The opt-out cookie stores the information that we are not allowed to use your data for Google Analytics. If you delete the cookies you have saved, you will need to click on this link again.

The information set out in section II. applies with regard to the storage period for the cookies.

2.1.2 easy Marketing

This site uses tracking technology from easy Marketing GmbH, Asselner Hellweg 124, 44319 Dortmund, Germany, to measure and visualise insights into partnerships and advertising channels. This is a function to measure the efficiency of the corresponding advertising activities. Furthermore, the information enables us to categorise advertising effectiveness for the purpose of settling payments with advertising partners. When you click on an embedded ad, cookies are set in your browser that are accessed in the event of a transaction. For each touchpoint, your browser sends an HTTP request transmitting specific information to an easy Marketing server. This information includes the URL of the website where the advertising resource is placed (referrer URL), the browser identifier (user agent) of your end device (including information on the device type and operating system), the IP address of the end device (this IP address is anonymised and hashed before being stored), HTTP header (data packet with various technical information automatically transmitted by your browser), the date and time of the request and, if already saved on your end device, the cookie and its content. A cookie is a small data package exchanged between your browser and the server. It can be used to store and transmit information relevant for the web application, e.g., the content of a virtual shopping basket.

The tracking technology saves cookies on your end device to document actions. A 24-digit anonymous ID is saved in the cookie. The data linked to this ID is stored in encrypted form in a database on our server. It contains information about the most recent touchpoints (i.e., when and from what end device a defined advertising resource was displayed or clicked on). The stored touchpoints may enable a user journey to be compiled. On an action request, in the majority of cases the order number and shopping basket value of your order will also be transmitted and stored by us. In addition, the following data can be transmitted and stored: your customer number, new customer identifier, your age and sex, and your responses to a customer survey.

The cookies stored by easy Marketing are deleted after 30 days at the latest. The information transmitted to us and the cookies serve the sole purpose of correctly categorising the effectiveness of an advertising resource and settling the corresponding payments, and is justified by our legitimate interest in accordance with Article 6(1) sentence 1(f) GDPR.

You can change your browser settings to stop cookies from being stored in your browser. You can deactivate cookies under extras/Internet options in your respective browser, restrict them to certain websites or configure your browser to notify you if a cookie is sent. However, please note that this may limit the online offers displayed to you and adversely affect your user experience. You can also delete cookies at any time. In this case, the information stored will be removed from your end device.

You can also click on the following tracking opt-out link to deactivate the collection and processing of tracking data:

https://trck.easy-m.de/privacy-optout.do

Access to your data:

https://trck.easy-m.de/privacy-mydata.do

The following section gives a detailed overview of the cookies our tracking technology uses:

TRS: unique, 24-digit identifier (ID) to track partnerships. This cookie is stored in the client browser and identifies database records that contain touchpoint data.

TRSCJ: fallback cookie containing rudimentary touchpoint data to track partnerships. This cookie contains all touchpoint data in the client browser (on an encrypted basis).

trs_db_optout: when you click on the tracking opt-out link, a special cookie is set that deactivates tracking in the current browser on the end device. However, tracking is reactivated if you delete the tracking opt-out cookie.

2.1.3 ABlyft

Provider:

ABlyft is a service provided by Conversion Expert GmbH, Zeppelinring 52c, 24146 Kiel, Germany

Purpose of tracking:

ABlyft collects information on user behaviour to enhance the website user experience.

Processing of personal data:

No personal data is stored. The data is anonymised and stored on an aggregate basis.

Storage period:

User data (ID, actions, etc.) is not stored.

Legal basis:

to be clarified with Legal/Data Protection (occasionally conceivable: legitimate interest (Article 6(1)(f) GDPR))

Opportunity to opt out of processing:

You can object to the use of ABlyft at any time by clicking on the following link:

https://shop.bvb.de/?ablyft_opt_out=true

2.1.5 Microsoft Clarity

We work with Microsoft Clarity and Microsoft Advertising to understand how you use and interact with our website. We do so using behavioural matrices, heatmaps and session recordings for the purpose of improving and marketing our products and services. Microsoft Clarity collects data on website users' behaviour that may potentially contain personal data. This includes IP addresses, click paths, mouse movements, etc. Data about the use of the website is collected using cookies provided by initial and third-party providers and other tracking technologies for the purpose of determining the popularity of products/services and online activities. We also use this information to optimise our website, to prevent fraud/for security purposes, and for advertising. Please refer to the Microsoft privacy policy for further information on how Microsoft collects and uses your data: https://privacy.microsoft.com/de-DE/privacystatement.

3. Marketing technologies

We use third-party cookies to learn more about your browsing behaviour (web tracking), so that we only show you the advertisements that you actually want to see. Within this context, the processing of your data is based on a legitimate interest and on Article 6(1)(f) GDPR.

When you access our website, you will see a banner asking for your permission. This means that Article 6(1)(a) GDPR is an additional legal basis.

3.1 Personalised advertising and remarketing on third-party sites, social media, search engines or the websites of cooperation partners

The processing operations within this category are used to display advertising on third-party websites, social media, search engines or the websites of cooperation partners that is personalised to users' specific interests. This is aimed at increasing the relevance of the advertising to our users.

3.1.1 Google Ads

Our website uses Google AdWords, an online advertising tool developed by Google that enables what is known as "remarketing". This enables customised advertising based on your browsing habits on other websites in the Google Display Network (Google, "Google Ads" and other websites).

Your browsing behaviour on our website is analysed so that ads matching your interests can be displayed on other websites. In order to achieve this, Google uses cookies to identify your browser on a specific computer, but not a specific individual or user. No personal data is stored.

We only use Google AdWords with IP anonymisation enabled. This means that Google truncates your IP address within Member States of the European Union or other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted from your browser is not merged with other data from Google.

Google Consent Mode v2 is a significant update aimed at improving user privacy and data conformity. It is an interface that notifies Google what consent the website user had given for the use of cookies. This interface will only be active if the user has refused cookies on your website. If they consent, Google will use its cookies as usual for tracking purposes.

You can prevent the storage of cookies by configuring your browser software accordingly; you can also prevent Google from storing the data relating to your use of the website generated by the cookie and from processing this data by downloading and installing the browser plug-in that is available at the following link: https://policies.google.com/technologies/ads?hl=de.

We also use what is known as "conversion tracking", which is also part of Google AdWords. When you click on an ad placed by Google, a corresponding cookie is stored on your system. Once again, this does not involve the processing of any personal data or other data that can be used to identify the specific user or an individual.

The cookie is used to generate statistics on "conversion rates", which, to put it simply, show how visits to a page relate to successful sales.

Cookies for conversion tracking by Google AdWords become inactive after 30 days. You can find information on how to disable personalised advertising and conversion tracking by Google here: https://support.google.com/google-ads/answer/9606827?hl=en&sjid=9500828998095096209-EU

3.1.2 Facebook

We use Facebook Pixel, a service provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, as a further conversion tracking and remarketing tool to evaluate our advertising activities on Facebook.

This service enables us and also Facebook to track user behaviour once they have clicked on an ad on Facebook. This makes it possible for us to model and assess the effectiveness of ads for statistical and market research purposes so that we can optimise future advertising methods.

The data collected is anonymous for us, and as such provides no means of identifying the user. However, the data is stored and processed by Facebook, meaning that a link to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook privacy policy (https://www.facebook.com/about/privacy/). They may therefore enable Facebook and its partners to activate ads on Facebook and elsewhere. Furthermore, a cookie can be stored on your computer for these purposes.

We use Facebook Pixel if, and only if, you have given us your express consent to do so. Consent for the use of Pixel can only be given by users aged 13 or older. If you are younger, please ask your parent or guardian for permission. If you grant your consent, the legal basis for data processing is Article 6(1)(a) GDPR.

You have the right to withdraw your consent at any time with effect for the future.

3.1.3 FAT Media

Our websites use the re- and pre-targeting function of fatmedia.io (an ad-shot LLC brand).

It enables us to target visitors to our website with personalised ads customised to their specific interests.

fatmedia.io uses cookies to analyse website usage, which forms the basis for displaying personalised ads.

Website visitors' personal data is not stored. If users visit another website, they will be displayed ads that are highly likely to take into account product and information content previously viewed or are highly relevant to them.

__

Opt-out link: http://analytics.fatmedia.io/opt-out

3.1.4 Microsoft Bing Ads

Our website uses Bing Ads technology to collect and store data from which usage profiles are then created using pseudonyms. This is a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. It enables us to track the activities of users who have been redirected to our website from ads displayed by Bing Ads. If you are redirected to our website by such an ad, a cookie will be placed on your device. A Bing UET tag is integrated into our website. This is a code used together with the cookie to store some non-personal data about how our website is used, including time spent on the website, the areas of the website accessed and the ad that redirected the user to the website. No information about your identity is collected.

The information collected is transmitted to a Microsoft server in the USA and stored there in principle for a maximum of 180 days. You can prevent the collection and processing of the data generated by the cookie concerning your use of the website by disabling cookies. Doing so may limit the functionality of the website, however.

In addition, Microsoft may be able to track your usage behaviour across multiple devices by means of cross-device tracing, enabling it to place personalised ads on or in Microsoft websites and apps. You can deactivate this at http://choice.microsoft.com/de-de/opt-out.

Please visit the Bing Ads website for further information on Bing analysis services (https://help.bingads.microsoft.com/#apex/3/de/53056/2). Please refer to the Microsoft privacy policy for further information on data protection at Microsoft and Bing (https://privacy.microsoft.com/de-de/privacystatement).

3.1.5 TikTok Ads

We use another conversion-tracking and remarketing tool to assess the ads we place on TikTok: TikTok Pixel. The service provider is the Chinese company TikTok. TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland) is responsible for activities in Europe.

This service enables us and TikTok to track user behaviour once they have clicked on an ad in TikTok. This makes it possible for us to model and assess the effectiveness of ads for statistical and market research purposes so that we can optimise future advertising methods.

The information collected is processed by TikTok in the United States, among other locations. We note that in the opinion of the European Court of Justice, data transfers to the United States currently do not enjoy an appropriate level of protection. You can prevent the collection and processing of the data generated by the cookie concerning your use of the website by disabling cookies. Doing so may limit the functionality of the website, however.

TikTok uses standard contractual clauses (Article 46(2) and (3) GDPR) as the basis for processing the data of recipients domiciled in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e., the United States in particular) or the transfer of data to such countries. Standard contractual clauses are templates provided by the European Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to and stored in third countries (such as the United States). Through these clauses, TikTok undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the United States. These clauses are based on an implementing decision of the European Commission. You can find the decision and the corresponding standard contractual clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

You can find out more about the standard contractual clauses and the data that is processed when TikTok Pixel is used in the privacy policy at https://www.tiktok.com/legal/privacy-policy-eea?lang=de or https://ads.tiktok.com/i18n/official/policy/controller-to-controller.

3.1.6 AWIN – affiliate marketing

We use Awin to process your data in the context of affiliate marketing. This enables us to track which third party providers of websites, apps and other technologies ("referrers") referred potential customers to our websites and apps and pay them a commission for making these referrals. In doing so, we are acting in our legitimate interest of conducting an online advertising campaign which is remunerated based on performance. We work with Awin, which helps us to conduct these affiliate marketing campaigns. Awin's privacy policy is available at: https://www.awin.com/de/rechtliches/privacy-policy-DACH. It contains information about your rights in relation to data processing by Awin. In certain cases, Awin may maintain a limited profile about you. However, this profile does not disclose your identity, your online behaviour or any other personal characteristics or features. It merely serves to track whether a referral began on one device and concluded on another. In some cases, Awin and the referrer of the potential customer may receive and process your personal data in order to implement the affiliate marketing campaign together with us. We also receive personal data of potential customers from Awin and the referrers, which can be divided into the following categories: cookie data, data relating to the website, app or technology from which a potential customer was referred to us and technical information about the device you are using.

3.1.7 Pinterest tracking

Our website uses the conversion tracking technology of the social network Pinterest (Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland), which enables us to show our website visitors who have already shown an interest in our website and our content/offers and who are Pinterest members relevant advertisements and offers on Pinterest. For this purpose, a conversion tracking pixel from Pinterest is integrated on our pages, via which Pinterest is notified when you visit our website that you have accessed our website and which parts of our offering you were interested in. For example, if you have shown an interest in our subscriptions on our website, you may be shown an advertisement for our subscriptions on Pinterest.

You can deactivate the collection of data for the display of interest-based advertising on Pinterest at any time in your Pinterest account settings at https://www.pinterest.de/settings (under "Customisation" the button "Use information from our partners to better tailor the recommendations and ads on Pinterest to you") or at https://help.pinterest.com/de/article/personalization-and-data#info-ad (deactivate the checkbox under "Disable customisation").

The legal basis for the processing of personal data is Article 6(1)(a) and (f) GDPR.

3.1.8 Outbrain Inc.

This website uses the technology of Outbrain Inc. ("Outbrain"). Outbrain provides recommendations in its publisher network that can be paid for by an advertiser. If you give your consent, Outbrain will make recommendations based on how you interact with content on which Outbrain is installed. These recommendations and advertisements will only appear on Outbrain advertising spaces, either on Outbrain Engage advertising spaces or on the Outbrain Extended Network. If you would like to know what information Outbrain has about your interests, you can view your interest profile here and edit your choices (such as revoking your consent). You can also visit the Network Advertising Alliance or YourOnlineChoices to learn more about other organisations, track your online interactions, and either consent to or opt out of such tracking.

Outbrain's privacy policy also explains how Outbrain collects, uses and shares your personal information. Outbrain may share some of your personal information with third-party companies to serve ads that are more likely to match your interests. Visit your interest profile to opt-out of behavioural advertising and/or to opt-out of Outbrain sharing your personal information with third parties.

3.1.9 Bounce Commerce GmbH

This website uses the plug-in developed by the professional bounce management service provider Bounce Commerce GmbH, Lindenallee 39, 47608 Geldern, Germany.

No personal or personally identifiable data is transferred to the technical service provider.

Technically necessary cookies are used, which contain purely technical information, but no personal data.

Further information on data protection at Bounce Commerce GmbH can be found at https://www.bounce-commerce.de/datenschutz.

3.1.10 Adition

We use conversion tracking from Adition on our website. The service provider is Virtual Minds GmbH, Ellen-Gottlieb-Straße 16, 79106 Freiburg im Breisgau, Germany.

Adition processes data such as the IP address and other behavioural data to measure the success of campaigns.

You can find out more about the data processed through the use of Adition conversion tracking in the privacy policy at https://www.adition.com/datenschutz-plattform/.

You can opt out from tracking at the following link: Opt-Out

3.2 Links to social media services

On our website you will find links to the social media services Facebook, Twitter, Google+, YouTube, Pinterest and Instagram. You can recognise links to the websites of the social media services by the respective corporate logo. If you follow these links, you will reach Borussia Dortmund's corporate presence on the respective social media service. When you click on a link to a social media service, a connection to the servers of the social media service is established. This tells the social media service's servers that you have visited our website. In addition, further data is transmitted to the provider of the social media service. This includes, for example:

- the address of the website where the activated link is located

- the date and time the website was accessed or the link activated

- information about your browser and operating system

- your IP address

If you are already logged in to the relevant social media service when you activate the link, the provider of the social media service may be able to determine your user name and possibly even your real name from the transmitted data and assign this information to your personal user account with the social media service. You can prevent this information from being associated with your personal user account if you log out of your user account beforehand.

The servers of the social media services are located in the United States and other countries outside the European Union. The data may therefore also be processed by the provider of the social media service in countries outside the European Union. Please note that companies in these countries are subject to data protection laws that do not generally protect personal data to the same extent as is the case in the member states of the European Union.

Please note that we have no influence on the scope, type or purpose of data processing by the provider of the social media service. You can find more information on the use of your data by the social media services integrated on our website in the privacy policy of the respective social media service.

a. Type and purpose of processing

Social plug-ins from the providers listed below are used on our websites. You can recognise the plug-ins by the fact that they are marked with the corresponding logo.

Under certain circumstances, information – which may also include personal data – is sent to the service provider via these plug-ins and may be used by them. We prevent the unconscious and unwanted collection and transmission of data to the service provider by means of a "Shariff solution". Information is not collected and forwarded to the service provider until you click on the plug-in. We do not collect any personal data ourselves via the social plug-ins or the use thereof.

We have no influence on what data an activated plug-in collects or how it is used by the provider. At present, it must be assumed that a direct connection to the provider's services is established and that at least the IP address and device-related information is collected and used. It is also possible that the service providers may attempt to store cookies on the computer used.

b. Legal basis of the processing

The processing is carried out in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest in ensuring the functionality of our website.

c. Data categories

You can find out which specific data is collected and how it is used by accessing the privacy policy of the respective service provider:

Facebook: http://www.facebook.com/policy.php

Google: https://policies.google.com/privacy

Instagram: https://help.instagram.com/155833707900388

LinkedIn: https://www.linkedin.com/legal/privacy-policy

Pinterest: https://about.pinterest.com/de/privacy-policy

Twitter: https://twitter.com/privacy

WhatsApp: https://www.whatsapp.com/legal/#privacy-policy

Xing: https://www.xing.com/privacy

YouTube: https://policies.google.com/privacy

d. Recipients

Employees of the IT department

Facebook

Google

LinkedIn

Pinterest

Twitter

e. Storage periods

The data collected directly by us via the social media plug-ins is deleted from our systems as soon as the purpose for its storage no longer applies, you request us to delete it, you revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions – in particular retention periods – remain unaffected.

We have no influence on how long the operators of social networks store your data for their own purposes. For details, please contact the operators of the social networks directly (e.g., in their privacy policy (see above)).

f. Statutory/contractual requirement

The provision of your personal data is voluntary. We cannot grant you access to the content and services we offer if you do not provide us with your data.

g. Transfer to third countries

Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Withdrawal of consent

You can withdraw your consent to the storage of your personal data at any time with effect for the future. You can inform us of your revocation at any time using the contact option provided at the beginning of this privacy policy.

i. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling when we process your data.

VI. Online shop (placing orders as a guest)

You can browse a significant portion of our fan shop and product range without registering or logging in, which makes access to our range as straightforward and simple as possible. You can buy our products without creating a customer account. For this purpose, you can check the box "I am a guest and do not wish to create a customer account" during the ordering process.

In order to process your order, we need your personal data, which you enter in the input mask provided for this purpose. Your personal data is transmitted to, and saved by, us. The following data is collected as part of the order process:

(1) Personal details (name, address, date of birth)

(2) E-mail address

(3) Telephone number

In addition, the following data is saved when you place an order:

(1) Your IP address

(2) Date and time at which your order was sent

The processing of your data serves the entry into and performance of purchase, work and work delivery contracts in connection with our fan merchandise. In this respect, the legal basis is Article 6(1)(b) GDPR.

In order for us to satisfy our obligations arising from the contracts entered into with you, the processing of the above-mentioned data is absolutely necessary. If you decide not to provide the aforementioned data, we will not be able to

- enter into contracts with you,

- send you goods or

- send you invoices for our services,

- send you customised offers,

- inform you of special offers and discounts.

Your data will be erased as soon as it is no longer required to achieve the purpose for which it was collected. This is the case for the performance of a contract or the implementation of pre-contractual measures if the data is no longer required for the performance of the contract. We may be under a contractual or statutory obligation to save data even after a contract has been terminated (e.g., for tax-related reasons). The storage periods that apply in this respect vary depending on the individual contracts and contracting parties.

VII. Online shop (with registration)

In addition to guest access without registration, we also offer you the option of voluntarily registering for the shop. Registering means you only have to enter your data once and can simply log on for subsequent purchases using your e-mail address and a password of your choosing.

In order to do so, you have to enter your data in the input mask provided. The data is transmitted to, and saved by, us. The data is not transmitted to third parties. The following data is collected as part of the registration process:

(3) Personal details (name, address, date of birth)

(4) E-mail address

In addition, the following data is saved when you register:

(3) Your IP address

(4) Date and time of registration

Your registration also registers you for

- the registered users section of www.bvb.de – operated by Borussia Dortmund GmbH & Co. KGaA, Rheinlanddamm 207–209, 44137 Dortmund, Germany, Tel.: +49 231 90200, Fax: +49 231 9020-3500, e-mail: [email protected] – (read the fan shop privacy policy at: https://www.bvb.de/datenschutz)

- the BVB Ticketshop, available at: https://www.eventimsports.de/ols/bvb/, operated by CTS EVENTIM Sports GmbH, Hohe Bleichen 11, 20354 Hamburg, Germany, fax: +49 40 380 788-598, e-mail: [email protected] – (read the BVB TicketShop privacy policy at: https://www.eventimsports.de/ols/bvb/de/bundesliga/channel/shop/index/privacy)

- BVB-TV available at tv.bvb.de, Rheinlanddamm 207–209, 44137 Dortmund, Germany – (read the BVB-TV privacy policy at: tv.bvb.de in the section entitled "Datenschutz" (Data protection))

Borussia Dortmund is seen as a single entity by its fans and customers and not as a collection of individual legal entities. This is why Borussia Dortmund offers you an integrated package when you register. From a fan's perspective, it does not make sense to register for several different services and have to remember several different login details simply because of the club and group structure.

Registering at our fan shop primarily serves the entry into and performance of purchase, work and work delivery contracts in connection with our fan merchandise. In this respect, the legal basis is also Article 6(1)(b) GDPR.

If you decide not to provide the aforementioned data by registering, we will not be able to

- automatically fill in your data for subsequent purchases,

- send you customised offers,

- inform you of special offers and discounts.

Your data will be erased as soon as it is no longer required to achieve the purpose for which it was collected. As far as the data collected in connection with your registration is concerned, this is generally the case if you cancel your registration/delete your account.

If this data is also required for the performance of a contract or in order to take steps prior to entering into a contract, however, the data can only be erased prematurely if this is permitted on the basis of contractual or statutory obligations. We may be under a contractual or statutory obligation to save data even after a contract has been terminated (e.g., for tax-related reasons). The storage periods that apply in this respect vary depending on the individual contracts and contracting parties.

VIII. Credit check

In order to be able to correctly assess the economic risks of purchase and work contracts or certain payment terms, we carry out credit checks and, if necessary, also check changes in your creditworthiness. For this purpose, we exchange address and creditworthiness data with credit service providers.

For the purpose of deciding on the establishment, execution or termination of the contractual relationship, we use information on your previous payment behaviour and probability values on your future behaviour on the basis of mathematical-statistical procedures using address data.

We obtain this information from the following providers via creditPass: ConCardis GmbH, Solmsstraße 4, 60486 Frankfurt am Main; accumio finance service GmbH, Postfach 101229, 69002 Heidelberg; Bürgel Wirtschaftsinformationen GmbH & Co. KG, Gasstraße 18, 22761 Hamburg; CEG Creditreform Consumer GmbH, Hellersbergerstraße 11, 41460 Neuss; D&B Germany, Zippelhaus 3, 20457 Hamburg; easycash GmbH, Am Girath 20, 40885 Ratingen; infoscore Consumer Data GmbH, Rheinstraße 99, 76532 Baden-Baden; SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden.

In order to obtain this data, it is necessary for us to forward your personal details and order data to these companies.

The legal basis for the transmission and other processing of your data is our legitimate interest and thus Article 6(1)(f) GDPR.

You can object to the processing of your data on the basis of the legitimate interest in this respect. In order to do so, simply send us an informal message to this effect using the contact details set out on page 1.

In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

If we no longer process your data, this may mean that we are unable to assess the economic risk of contracts with you and therefore refuse to conclude individual contracts or only offer payment terms that minimise the risk of non-payment.

Your data will be erased as soon as it is no longer required to achieve the purpose for which it was collected. This is the case for creditworthiness data when the decision on the establishment, execution or termination of the contractual relationship has been completed. In case of doubt, at a minimum the decision to terminate the contractual relationship is possible until its actual termination, which is why your creditworthiness data will remain stored until this time.

IX. Payment services

If you enter into contracts with us via our shop, we integrate third-party payment services, depending on which payment method you choose. Since the payment is related to the contractual relationship with you, the legal basis for all payment methods is Article 6(1)(b) GDPR.

Insert methods of payment

X. Contact form and e-mail contact

You can contact us using various contact forms on our website or by sending us an e-mail.

If you enter data in the input mask provided for this purpose on the contact form, this data will be transmitted to, and processed by, the department selected by you. This includes the following data:

(1) Name

(2) E-mail address

(3) Subject

(4) Message

As soon as your message is sent, the following other data is also saved:

(5) Your IP address

(6) Date and time of registration

To enable the processing of data for correspondence purposes, we ask for your consent before the message is sent and draw your attention to this privacy policy. In this respect, the legal basis for the data processing is Article 6(1)(a) GDPR.

The processing of other data (e.g. connection data) during the sending process is designed to prevent the misuse of the contact form and to ensure the security of our IT systems. In this respect, the legal basis is Article 6(1)(f) GDPR.

If you contact us using the e-mail address provided, the personal data transmitted along with your e-mail will be saved. In this respect, the legal basis for the processing of your data is Article 6(1)(f) GDPR, as we have a legitimate interest in this regard. If you contact us using the form or by e-mail in connection with the conclusion of a contract, Article 6(1)(b) GDPR also forms the basis for the processing.

We only process personal data from the input mask or e-mails in order to process your enquiry. The data is not transmitted to third parties.

Your data is erased as soon as it is no longer required to achieve the purpose for which it was collected. In cases involving personal data from the contact form input mask and data transmitted by e-mail, this applies when the correspondence with you has ended. The correspondence is deemed to have ended when the circumstances indicate that the matter in question has been resolved with definitive effect.

Additional personal data collected during the sending process is erased after a period of seven days at the latest.

You can withdraw your consent to the processing of the personal data at any time. If you contact us by e-mail, you can object to your personal data being saved at any time. In order to do so, simply send us an informal message to this effect using the contact details set out on page 1.

If you object, however, we will not be able to process your e-mail.

If the data is required for the performance of a contract or in order to take steps prior to entering into a contract, the data can only be erased prematurely if this is permitted on the basis of contractual or statutory obligations. The storage periods that apply in this respect vary depending on the individual contracts and contracting parties.

XI. Newsletter

You can sign up for our free newsletter. To do so, you enter your data in the input mask provided and your data is transmitted to us. Your e-mail address is recorded when you sign up for the newsletter.

As soon as your message is sent, the following other data is also saved:

(1) Date and time of registration

Before you submit your data, we ask you to consent to the processing of your data and draw your attention to this privacy policy. Your data is processed with your consent. In this respect, the legal basis is Article 6(1)(a) GDPR.

After you sign up, you will receive an e-mail asking you to confirm your subscription. This confirmation is necessary to ensure that nobody can subscribe using e-mail addresses that are not their own. Newsletter subscriptions are logged in order to be able to furnish evidence of the subscription process in accordance with the legal requirements. This includes saving the time of registration and confirmation.

Since the processing of the data is also necessary in order to deliver the newsletter you have subscribed to, Article 6(1)(b) and Article 6(1)(f) GDPR also serve as the legal basis.

The collection of other personal data in the registration process serves to prevent misuse of the services or the e-mail address used. This processing is therefore also permissible on the basis of Article 6(1)(f) GDPR.

No data is transmitted to third parties in connection with the data processing for the purpose of sending newsletters. The data is used exclusively for the purpose of sending the newsletter.

You can cancel your subscription to the newsletter at any time or object to receiving further newsletters. Each newsletter contains a link to the form allowing you to unsubscribe. This means that we also allow you to withdraw your consent to the storage of your data at the same time. You can also, however, withdraw your consent by sending us an informal message to this effect using the contact details set out on page 1.

Your data is erased as soon as it is no longer required to achieve the purpose for which it was collected. Your e-mail address is stored for as long as you remain subscribed to the newsletter.

If the data is required for the performance of a contract or in order to take steps prior to entering into a contract, however, the data can only be erased prematurely if this is permitted on the basis of contractual or statutory obligations. We may be under a contractual or statutory obligation to save data even after a contract has been terminated (e.g., for tax-related reasons). The storage periods that apply in this respect vary depending on the individual contracts and contracting parties.

XII. Dissemination within the Group

Provided that you grant us your consent, address and order data will also be collected and processed for our own marketing purposes and for those of the group companies BVB Merchandising GmbH; BVB Event & Catering GmbH; besttravel Dortmund GmbH; BVB Fußballakademie GmbH, all based at Rheinlanddamm 207–209, 44137 Dortmund, and Ballspielverein Borussia 09 e.V. Dortmund, Strobelallee 50, 44139 Dortmund. The legal basis in this respect is Article 6(1)(a) GDPR.

In certain circumstances, we can also process your data within the Group based on a legitimate interest. In this respect, the legal basis is Article 6(1)(f) GDPR.

You can object to the data processing based on the legitimate interest and/or withdraw your consent to data processing. In order to do so, simply send us an informal message to this effect using the contact details set out on page 1.

Your data is erased as soon as it is no longer required to achieve the purpose for which it was collected.

XIII. Your rights

The information below summarises your rights under the General Data Protection Regulation.

1. Right to withdraw consent to data processing (Article 7(3) GDPR)

You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, you will be informed thereof.

2. Right of access (Article 15 GDPR)

Pursuant to Article 15 GDPR, you have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed. If this is the case, you have the right to access the personal data and the following information:

- the purposes of the processing;

- the categories of personal data concerned;

- to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;

- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning you by us, or to object to such processing by us;

- the right to lodge a complaint with a supervisory authority;

- where the personal data is not collected from you, any available information as to its source;

- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and – in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

Where personal data is transferred to a third country or to an international organisation, you have the right to be informed of the appropriate safeguards to ensure that the provisions of the GDPR are adhered to at the level of these recipients as well.

3. Right to rectification (Article 16 GDPR)

You can request the immediate rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

4. Right to erasure/"right to be forgotten" (Article 17 GDPR)

You have the right to ask us to erase data where one of the following grounds applies:

- The data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

- You withdraw the consent on which the processing is based and there is no other legal ground for the processing.

- You object to the processing pursuant to Article 21(1) GDPR on grounds relating to your particular situation and there are no overriding legitimate grounds for the processing.

- You object to the process for direct marketing purposes pursuant to Article 21(2) GDPR.

- The data has been unlawfully processed.

- The erasure of the data is required to comply with a legal obligation under European or German law.

- The personal data was collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

If we have made your data public and are obliged to erase it, then, taking account of available technology and the cost of implementation, we shall take reasonable steps to inform the controllers that you have requested the erasure.

5. Right to restriction of processing (Article 18 GDPR)

Pursuant to Article 18 GDPR, we may only process data subject to restrictions in the following cases. This is the case if:

- you contest the accuracy of your data, for a period enabling us to verify the accuracy of the data;

- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;

- we no longer need the data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims; or

- you objected to processing pursuant to Article 21(1) GDPR on grounds relating to your particular situation pending the verification whether our legitimate grounds for processing override your interests.

If processing has been restricted, we may only save this data. Data may then only be processed further with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

You can withdraw your consent granted in this regard at any time.

We will inform you before the restriction is lifted.

6. Right to object (Article 19 GDPR)

We are obliged to communicate any rectification or erasure of your data or restriction of processing to all recipients to whom your data has been disclosed, unless this proves impossible or involves disproportionate effort.

We shall inform you about those recipients if you request this.

7. Right to data portability (Article 20 GDPR)

You have the right to receive the data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You also have the right to ask us to transmit this data to a third party where

- the processing is based on consent or on a contract and

- the processing is carried out by automated means.

You have the right to have the data transmitted directly to the third party where technically feasible. This right shall not adversely affect the rights and freedoms of others.

8. Automated individual decision-making, including profiling (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

This does not apply if:

- you have previously given your express consent to this; or

- the decision is necessary for the entry into or performance of a contract between us; or

- applicable legal provisions permit this and these provisions contain appropriate measures to safeguard your rights, freedoms and legitimate interests.

In the first two cases, we will take appropriate measures to safeguard your rights, freedoms and legitimate interests. This includes your right to explain your own position, challenge the automated decision and request the intervention of one of our persons.

9. Right to object (Article 21 GDPR)

If we process your data based on a legitimate interest (Article 6(1)(f) GDPR), you have the right to object to this on grounds relating to your particular situation. This also applies to profiling based on these provisions. In such cases, we will no longer process your data unless we demonstrate compelling legitimate grounds for doing so. These must override your interests, rights and freedoms, or the processing must serve the establishment, exercise or defence of legal claims.

Where we process your data for direct marketing purposes, you have the right to object to the processing of the data. This includes profiling to the extent that it is related to such direct marketing.

After you object, your data will no longer be processed for such purposes.

In order to object, simply send us an informal message to this effect using the contact details set out above.

10. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of the data relating to you infringes the General Data Protection Regulation. This shall not affect any other administrative or judicial redress to which you may be entitled.