PRIVACY POLICY (Advertising Insertion Order)

In this Privacy Policy, the OneFootball GmbH (“OneFootball”, “we” or “us”) informs you about the processing of personal data in connection with advertising insertion orders (“IOs”) between us and our clients (“You”) in accordance with applicable data protection laws, in particular the EU General Data Protection Regulation (“GDPR”).

Content of this Privacy Policy:

1. Controller and Contact Person

2. Data Processing by OneFootball

3. Use of External Tools

4. Purpose of the Processing

5. Legal Basis

6. Recipients of the Personal Data

7. Retention of Personal Data

8. Your Rights

9. Changes to the Privacy Policy

1. CONTROLLER AND CONTACT PERSON

The contact person and so-called controller for the processing of your Personal Data (as defined below) when entering into an IO within the meaning of the GDPR is

OneFootball GmbH

Donaustraße 44 

12043 Berlin

Germany.

If you have any questions about data protection in connection with the use of data related to IOs, you can also contact our external data protection officer at any time at the above postal address and by email at privacy@onefootball.com (keyword: “Attn: Data Protection Officer”). We expressly point out that when using this e-mail address, the contents are not exclusively taken note of by our data protection officer. If you wish to exchange confidential information, we therefore ask that you first contact us directly via this e-mail address before sharing such confidential information. 

2. DATA PROCESSING BY ONEFOOTBALL

In the context of IOs, we may collect the following categories of personal data (the “Personal Data”):

  • Full name of the designated contact person within the client’s company;

  • Business telephone number of the contact person;

  • Business email address of the contact person;

  • Position / role in the client’s company.

This data may be collected during the initiation, negotiation, or performance of IOs.

3. USE OF EXTERNAL TOOLS

We use Salesforce.com Germany GmbH, located Erika-Mann-Straße 31-37, 80636 München, Germany  (“Salesforce”), as our Customer Relationship Management platform, to store and manage client data. Salesforce processes the Personal Data you submit as part of an IO on our behalf, in accordance with your written instructions and with applicable data protection laws (GDPR, BDSG). Salesforce acts solely as a data processor and does not use your personal data for its own purposes.

4. PURPOSE OF THE PROCESSING

We process the Personal Data of our business partners’ representatives, contact persons, and other relevant individuals for the following purposes:

  • Communicating with you in the context of the business relationship, including responding to inquiries, coordinating meetings, sending updates regarding projects or commercial matters, and facilitating day-to-day correspondence via email, telephone, or other channels.

  • Initiating, negotiating, drafting, signing, executing, managing, and terminating contracts, including due diligence checks, identity verification, document handling, signature tracking, and contract archiving.

  • Administering customer and partner accounts, such as managing user credentials for any portals or systems, processing orders, handling invoices and payments, resolving service issues, and maintaining a history of transactions and interactions.

  • Fulfilling legal, regulatory, and compliance obligations, including tax reporting, export control checks, anti-corruption due diligence, and documentation retention under commercial or financial laws

  • Sending service-related notifications and marketing communications via E-Mail , including invitations to events, product updates, partner newsletters, satisfaction surveys, or other promotional content relevant to our business relationship, where allowed by applicable law and subject to your communication preferences.

5. Legal Basis

The processing of Your Personal Data is carried out on the following legal bases in accordance with  Art. 6 (1) GDPR:

  • Article 6 (1) (b) GDPR – for the performance of a contract or to take steps at your request prior to entering into a contract;

  • Article 6 (1) (c) GDPR – to comply with legal obligations to which we are subject;

  • Article 6 (1) (f) GDPR – based on our legitimate interests, such as ensuring effective communication and collaboration in the context of our business relationship.

Where Personal Data is processed for marketing purposes, this is done on the basis of our legitimate interest under Art. 6 (1) (f) GDPR. Our legitimate interest in this context is to maintain and develop business relationships and to inform business contacts about relevant products and services. 

You have the right to object to the use of your Personal Data for marketing purposes at any time. 

6. RECIPIENTS OF THE PERSONAL DATA

Your Personal Data may be shared only to the extent necessary for the purposes outlined in this policy and in accordance with applicable data protection laws. Specifically, we may share your data with the following recipients:

  • Internal Departments involved in managing the business relationship, such as Sales, Account Management, Finance, or Legal;

  • External professional advisors, including auditors, tax consultants, and legal counsel, where necessary for compliance, contract performance, or legal defense;

  • Public authorities or regulators, where required by law or in response to lawful requests;

  • Service providers, such as Salesforce.com Germany GmbH (see Section 3), who act as data processors on our behalf and under our instructions.

Apart from the service provider referenced above, we do not share your personal data with any third parties for unrelated purposes.

7. RETENTION OF PERSONAL DATA

In principle, we retain only your Personal Data for as long as necessary to fulfill the purposes for which we collected it. Once those purposes have been archived, the data is deleted unless continued storage is required for one of the following reasons:

(i) Statutory limitation periods – We may retain Personal Data until the expiry of applicable statutory limitation periods under civil law, in order to preserve evidence in the event of legal disputes. In particular, we retain relevant data for a period of three (3) years from the end of the calendar year in which the business relationship with the data subject ends, as civil claims generally expire at the earliest after this time., 

(ii) Statutory retention obligations – Certain laws require us to retain data for longer periods, particularly for accounting, auditing, and regulatory compliance. These obligations may arise under the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Money Laundering Act (GwG), and the German Securities Trading Act (WpHG). Depending on the specific legal requirement, retention periods can range from two (2) to ten (10) years.

(iii) For evidence purposes in particular, we must retain the Personal Data for three (3) years from the end of the year in which the business relationship with a data subject ends. Any claims expire at the earliest at this time in accordance with the statutory limitation period. 

(iv) We regularly review the necessity of retaining Personal Data and ensure that it is deleted or anonymized when no longer required for the stated purposes.

8. YOUR RIGHTS

You have the following rights under Articles 15 to 21 of the GDPR, provided the relevant legal conditions are met::

  • Right to object to the processing of personal data (Art. 21 GDPR)

  • Right to access personal data processed by OneFootball (Art. 15 GDPR)

  • Right to rectification of incorrect personal data stored by OneFootball (Art. 16 GDPR)

  • Right to erasure of personal data (Art. 17 GDPR)

  • Right to restriction of processing (Art. 18 GDPR)

  • Right to data portability (Art. 20 GDPR)

To exercise any of these rights, you may contact OneFootball at any time through OneFootball’s Customer Support page or contact details above. Where the requirements are fulfilled, OneFootball will comply with your request in accordance with the applicable data protection laws. 

For documentation and compliance purposes, any requests relating to the above rights—as well as OneFootball’s responses will be retained for a period of up to three (3) years. In individual cases, this retention period may be extended if necessary for the establishment, exercise, or defense of legal claims. The legal basis for such retention is Art. 6 (1) (f) GDPR, based on OneFootballs legitimate interest in defending against potential civil claims (Art. 82 GDPR), avoiding administrative fines (Art. 83 GDPR), and fulfilling its accountability obligations under Art. 5 (2) GDPR.

Direct Marketing Objection Right - Where Personal Data is processed for the purpose of B2B direct marketing (e.g. in the context of Insertion Orders or other commercial interactions), the legal  basis is our  legitimate interest pursuant to Art. 6 (1) (f) GDPR. In accordance with Art. 21 GDPR, you have the right to object to such processing at any time, based on grounds relating to your particular situation. 

Right to Lodge a Complaint - You also have the right to file a complaint with a data protection supervisory authority under Art. 77 GDPR. This may be the supervisory authority of your habitual residence, place of work, or the location of the alleged data protection violation.

For OneFootball, the competent authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin, Germany

9. CHANGES TO THE PRIVACY POLICY

OneFootball occasionally updates this privacy policy, for example if the legal or regulatory requirements change. 

Version: 1/2025

Status: July 2025