General information on data protection
We generally process your personal data only where this is required to provide our content and services. The processing of your personal data regularly takes place only subject to consent or where the processing of the data is permitted at law.
If we ask you for consent, please note the following: You may refuse your consent without needing to provide any reasons for this and any consent granted may be revoked at any time. Where consent is revoked, the data that are covered by this consent will be erased immediately. The processing of data remains legal up until the revocation of consent. Your matters cannot be processed further where you do not provide us with consent or where you revoke such consent.
We usually receive your data directly from you. Where we ourselves do not collect personal data, data is also made available to us in part by third parties (e.g. fan clubs, initial purchasers of tickets). These respective third parties are responsible for the collection and transmission of this personal data. We use the data transmitted to us by third parties only to fulfil the purpose for which the data was transmitted (e.g. to grant discounts for members of certain fan clubs or to change the contracting party in an audience contract).
We process your personal data for various purposes in accordance with the terms of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). The specific purposes of the data processing are primarily governed by the services used.
The processing of your personal data must be based on one of the following legal grounds:
- You have granted your consent (Art. 6 (1) (a) GDPR).
- The processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract (Art. 6 (1) (b) GDPR).
- The processing is necessary for compliance with a legal obligation under EU laws or the laws of an EU Member State to which we are subject (Art. 6 (1) (c) GDPR).
- The processing is necessary in order to protect your vital interests or those of another natural person (Art. 6 (1) (d) GDPR).
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 6 (1) (e) GDPR).
- The processing is necessary to protect our legitimate interests or those of a third party except where these are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child (Art. 6 (1) (f) GDPR).
To the extent that, in exceptional cases, we process special categories of personal data concerning you (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or where we process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation), one of the following legal grounds must apply.
- You have given your explicit consent (Art. 9 (2) (a) GDPR).
- The processing is necessary to protect your vital interests or those of another natural person where the data subject is physically or legally incapable of giving consent (Art. 9 (2) (c) GDPR).
- The processing relates to personal data which you have manifestly made public (Art. 9 (2) (e) GDPR).
- The processing is necessary for the establishment, exercise or defence of legal claims (Art. 9 (2) (f) GDPR).
- The processing is necessary for reasons of substantial public interest on the basis of EU laws or the laws of a Member State which shall be proportionate to the aims pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard your fundamental rights and interests (Art. 9 (2) (g) GDPR).
Further details on the purpose of the processing are contained below.
We generally do not transmit any personal data to third parties without your consent. Where we nonetheless disclose your data to third parties in the processing of your data, transmit it to third parties or otherwise permit third parties to access such data, this takes place exclusively on the basis of one of the foregoing legal grounds. We transmit data e.g. to payment services providers where this is necessary for the performance of a contract. We must transmit your data to authorities where we are obliged to at law or on the basis of a court order.
In certain cases we use service providers to process your data. Where data are transmitted in the context of such processing, this takes place on the basis of Art. 28 GDPR.
The GDPR ensures equally high data protection standards within the European Union. In selecting our service providers and cooperation partners we therefore make use of European partners where possible if your personal data are to be processed. Where that is not possible, we will allow data processing to occur outside of the European Union or the European Economic Community in making use of the services of third parties.
Data transmission to a non-Member State occurs only where the special conditions contained in Art. 44 et seq. GDPR are met. This means that the processing of your data may take place only on the basis of special warranties, such as for instance the determination of data protection standards matching those of the EU as officially recognised by the EU Commission or compliance with officially recognised contractual obligations, namely so-called “standard contract clauses” or, in individual cases, your consent. Where data are transferred to the USA or to another country which does not have equivalent data protection standards, we note that a theoretical risk is posed that your data may be processed by US authorities for assessment and monitoring purposes and that you may not be entitled to opportunities for legal remedies against this.
Duties to make data available may be imposed at law (e.g. by tax regulations) or may arise from the terms of contracts (e.g. information on a contracting party). You are e.g. obliged to make personal data available to us when you enter into a contract with us. A refusal to make personal data available would mean that the contract would not be able to be entered into.
Right to revoke consents granted
You have the right to revoke your data protection law consent declarations provided to us at any time by sending a simple notice of this to the email address email@example.com or by mail. The revocation of the consent will not affect the legitimacy of the processing undertaken on the basis of the consent up until the revocation.
You may object at any time to the use, processing and transmission of your personal data for marketing purposes, advertising purposes or market and opinion research purposes by sending a simple notice to the email address firstname.lastname@example.org or by mail. We will inform you of this objection right again in each advertising communication.
The foregoing, however, does not apply to data required for the settlement of your order. Upon receiving your objection we will not make use of, process or transmit the relevant data for purposes other than for the settlement of your order and will cease further sending of advertising (including our catalogue) to you.
Irrespective of the use, processing and transmission of your personal data for marketing purposes, you are also entitled to object at any time to the processing of your personal data for other purposes that takes place under Art. 6 (1) (e) or (f) GDPR based on grounds that are based on your special situation. Upon receiving this objection we will no longer process your personal data unless compelling grounds for the processing that are worthy of protection are raised that override your interests, rights and freedoms or where the processing serves the establishment, exercise or defence of legal claims.
Disclosure right/right to erasure, rectification or blocking
Legal requirements mean that you have the right to the cost-free disclosure of your stored data as well as potentially the right to have this data rectified, blocked or erased. If you wish further information on this or where the rectification, blocking or erasure of the customer data is desired, you may send an email to email@example.com.
Where legal requirements prevent us from erasing data, your data will be stored instead such that this is accessible only for the purposes required at law.
Right to restrict processing
You may request the restriction of the processing of your personal data where you contest the correctness of the personal data for a certain period that allows us to assess the correctness or where the processing is illegitimate and you reject the erasure of the personal data or where we no longer need this personal data for processing purposes but you require this to establish, exercise or defend against legal claims or where you have filed an objection against processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether our legitimate interests outweigh yours.
Where the processing of your personal data has been restricted, this data – apart from storage – may be processed only with your consent or for the establishment, exercise or defence of legal claims or in order to protect the rights of another natural person or legal entity or based on a substantial public interest of the European Union or a Member State.
Where processing has been restricted you will be notified before the restriction is lifted.
Right to information
Where you have asserted your right to rectification, erasure or the restriction of processing towards us, we shall be obliged to notify all of the recipients to whom your personal data was disclosed of this rectification or erasure of the data or processing restriction unless this is proven impossible or is tied to disproportionate efforts. You have the right to be informed of these recipients.
Right to data portability
You have the right to receive your personal data provided to us in a structured, common and machine-readable format. In addition, you have the right to transfer this data provided to us to another controller without us preventing it, provided that the processing is based on consent or a contract in accordance with Art. 6 (1) (b) GDPR and the processing is undertaken using automatic processes.
In exercising this right, you further have the right to bring about that your personal data will be transferred directly from one controller to another controller provided that this is technically feasible and provided that the freedoms and rights of other persons are not prejudiced by this.
Right to complain to a supervisory authority
Irrespective of other legal remedies, if you take the view that the processing of your personal data violates the GDPR you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are situated, in which you are employed or in which the alleged violation occurred.
We store your data for the duration required to provide our services to you and for such time as we have a legitimate interest in continuing to store it. In addition, we are subject to various retention and documentation duties (e.g. under the German Commercial Code and the German Fiscal Code). The retention and documentation periods set out in these run for up to ten years. Finally, the storage duration is also governed by limitation periods at law which may, for example, amount to up to thirty years (§ 195 et seq. of the German Civil Code – BGB), whereby the standard limitation period is three years. Under certain circumstances your data may need to be stored for longer periods, e.g. where this is required by an authority or a court.
We waive the use of automatic decision-making or profiling.
The use of the website is generally possible without providing any personal data. Where you wish to make use of special services through our website, however, the processing of personal data may be necessary. Primarily for these instances please find below detailed information on processing and your rights.
When you access our website, your browser automatically transfers information. These are e.g. browser type/browser version, operating system used, referrer URL, sites accessed, length of stay, times of the server requests. This data cannot be assigned to specific persons. This data will not be aggregated with other data sources. We reserve the right to check this data retrospectively if we become aware of specific indications of illegal use.
We collect and process personal data (e.g. name, address, email) only if you have provided it to us upon registration, when ordering products and services or when making inquiries, and only to the extent required to found and structure (in content) or change our legal relationship.
If consent has been given, the legal basis for processing the data is Art. 6 (1)(a) GDPR.
If the registration serves to fulfil a contract with us to which you are a party, the additional legal basis for processing the data is Art. 6 (1) (b) GDPR. Potential contracts may include contracts for merchandise in our shop, contracts for the purchase of tickets to our home games (audience contract) or for subscriptions to HerthaTV. In addition, we may broker memberships in Hertha BSC e. V. In performing and settling such contracts we may need your personal data (surname, given name, date of birth, professional status, membership in Hertha BSC e. V., referral association), your address data (address, city of residence, postal code, country) and payment data (IBAN, PayPal, direct debit). Where needed, e.g. to grant discounts, we compare the data provide by you in entering into the contract (e.g. ticket purchase) with the membership lists provided to us by fan clubs and other third parties. After the contract has been fully settled, your data will be deleted subject to the statutory retention requirements unless you have expressly consented to further use.
When you set up a customer account using the "Registration" function, the data you enter will be permanently stored in our database. As a user, you have the option to terminate the registration at any time. You can also have the data stored about you changed at any time. Inquiries, changes and erasures of registrations and data can be submitted or applied for for the relevant areas at firstname.lastname@example.org (merchandising), email@example.com (ticket shop) and firstname.lastname@example.org (membership in Hertha BSC e.V.). If the data is required to perform a contract, the personal data required to process the order can be deleted prematurely only if there are no contractual or legal obligations that oppose the deletion.
If you have also given your consent to receiving advertising information when you set up your profile / account, we or service providers commissioned by us will use the data you provided for advertising purposes.
We need your email address for the email newsletter that we offer; further information is voluntary. Your data will be stored for such time as you subscribe to our newsletter. We use the so-called double opt-in procedure for sending the newsletter. We will then send you a newsletter only if you click on a link in our notification email to confirm that we should actually activate the newsletter service. We use the resulting data exclusively for sending the requested information and offers. We use Mailjet newsletter software for the provision, processing and sending of the newsletter. In order to use the newsletter service, it is therefore necessary to transfer your data to Mailjet GmbH. Mailjet is prohibited from disclosing your data to third parties without authorisation or using it for purposes other than sending newsletters. Mailjet is a French certified provider selected according to legal requirements. More information can be found here.
The legal basis is your consent under Art. 6 (1) (a) GDPR.
As a customer of our online offer (merchandising and ticket shop) you will regularly receive product recommendations from us by email. You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter. We use the email address you provided during the purchase to advertise our own goods and/or services that are similar to those that you have purchased from us based on an order that you have already placed.
The legal basis for processing the data is Art. 6 (1) (f) GDPR. We use your data for marketing purposes (flyers, catalogues and all advertising sent by post) if we are convinced that we have attractive offers for you. This is a legitimate interest.
You may object to the use of your address data for product recommendations at any time using the link provided at the end of the product recommendation, by writing to Hertha BSC GmbH & Co. KGaA Hanns-Braun-Straße, Friesenhaus 2, 14053 Berlin or by email to email@example.com or firstname.lastname@example.org. After receiving your objection, we will immediately stop sending you marketing information and will block the data immediately, erase it within a period of six months and will also not forward it on for marketing purposes.
We store all data that you have made available to us during your order/registration and, if this is necessary for the performance of the contract, we forward this on to contractual partners as part of the order and registration and associated customer support, e.g. to our customer centre, the forwarding agent or the parcel delivery service that usually delivers our shipments to you. Our contractual partners may use the data transferred in this way only to fulfil the order and may not forward it on to third parties. The transfer of the data to our contractual partners is necessary for the performance of the contract.
The legal basis for processing the data is Art. 6 (1) (b) GDPR.
After the contract has been fully performed, your data will be deleted, taking statutory retention requirements into account, unless you have expressly consented to further use. When you set up a customer account using the "Registration" function, the data you enter will be permanently stored in our database.
As a user, you have the option to terminate the registration at any time. You can also have the data stored about you changed at any time. You can change or terminate your registration by sending an email making reference to yourself to email@example.com or firstname.lastname@example.org with the relevant request. However, the premature erasure of your personal data required for processing the order is only possible if there are no contractual or legal obligations that oppose the erasure.
When we hold contests we process the personal data of the respective participants and the winners in the context of the respective contest.
The data collected, in particular name, address, telephone number, date of birth and email address, as well as potentially additional information (e.g. clothing sizes) are used by us exclusively to ensure the resolution of the contest and to award winners. In addition, this data may be transferred to processors tasked with the performance of the legal relationship as well as to our affiliate Hertha BSC e.V. Any use of contributions to the contest for communications on the contest is covered by the foregoing to the extent that we have been permitted to make corresponding use of the contents provided by the winners.
The legal basis for processing the data is Art. 6 (1) (b) GDPR.
The provision of the foregoing personal data is necessary for the holding of the contest since it is possible to determine the winners and grant prizes only where we hold the competition properly, are able to identify each winner individually, have the contact information for these and can announce the respective winners. Without this data being provided the holding of the contest is not possible and no prizes can be awarded.
The data stored will be erased three months after the end of the contest and the settlement of all obligations under the legal relationship unless retention duties exist at law. In particular, data required for accounting purposes will be erased after 10 years.
On our website and for our services we use technologies that make using our website easier and are intended to increase user-friendliness or which make various functionalities available. These technologies may include e.g. cookies, pixels and scripts (Cookies).
Cookies are small quantities of data that your Internet browser stores on your computer. Information on your visit to our website may be stored in Cookies. With the help of this data, it is possible for us to (among other things) offer you our website, improve it and to display information on our website that is specially tailored to your interests.
The legal basis for the processing of personal data using Cookies is that these Cookies enable the operation and maintenance of our website: Art. 6 (1) (f) GDPR. For other Cookies, the legal basis for processing is Art. 6 (1) (a) GDPR.
You can find an overview of the Cookies used, descriptions of their purposes and supplementary information in our
On your first visit to our website and after that at any time you can use our Cookies solution to accept or reject individual or all Cookies by inputting a green checkmark beside the respective Cookie or removing it and then clicking on “Save Settings”.
The setting input by you in the Cookies consent solution will be saved only on the respective computer or mobile device. You must therefore select these again if you delete your browser history or use another device or Internet browser.
Our website uses so-called social plugins ("plugins") from the social network Facebook and the microblogging services Twitter and Instagram. These services are offered by the companies Facebook Inc., Twitter Inc. and Instagram LLC ("Providers").
Facebook is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). An overview of the Facebook plugins and their appearance can be found here: https://developers.facebook.com/docs/plugins
Twitter is operated by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA ("Twitter"). An overview of the Twitter buttons and their appearance can be found here: https://about.twitter.com/en_us/company/brand-resources.html
Instagram is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram"). An overview of Instagram buttons and their appearance can be found here: http://blog.instagram.com/post/36222022872/introducing-instagram-badges
If you call up a page of our website that contains such a plugin, your browser will establish a direct connection to the servers of Facebook, Twitter or Instagram. The content of the plugin is transferred directly to your browser by the respective Provider and integrated into the page. Through the integration of the plugins, the Providers receive the information that your browser has called up the corresponding page of our website, even if you do not have a profile or are not logged in. This information (including your IP address) is transferred by your browser directly to a server of the respective Provider in the USA and stored there. If you are logged on to one of the services, the Providers can directly assign the visit to our website to your profile on Facebook, Twitter or Instagram. If you interact with the plugins, for example by clicking the "Like", "Tweet" or "Instagram" button, the corresponding information is also transferred directly to a server of the Provider and stored there. The information is also published on the social network or on your Twitter or Instagram account and displayed to your contacts. For the purpose and scope of data collection and the further processing and use of the data by the Providers as well as your rights and settings options for the protection of your privacy, please refer to the Providers' data protection policies.
The legal basis for the processing is Art. 6 (1) (f) GDPR. The forwarding of users' personal data to the foregoing Providers of social networks serves our integration into social networks and communication with users.
If you do not want Facebook, Twitter or Instagram to directly assign the data collected via our website to your profile in the respective service, you must log out of the respective service before visiting our website. You can also completely prevent the loading of the plugins with add-ons for your browser, e.g. with the script blocker "NoScript" (http://noscript.net/).
If you apply to work with us, we will process the data that we receive from you in the application process, e.g. in application documents, curriculum vitae, transcripts and evaluations, correspondence, and/or statements made by phone or orally. Along with your contact information, information on your education/training, qualifications, work experience and capabilities is relevant to us. The collection and processing of your personal application data takes place exclusively for the purpose of conducting an application process and, potentially, for founding, pursuing or ending an employment relationship within our corporate group pursuant to § 26 (1) sentence 1 BDSG. Hertha BSC supports its other corporate group members in personnel planning and hiring; your data will therefore be taken note of and potentially forwarded to affiliated businesses. Outside of that, we transfer your data to third parties only where this is necessary and a legal basis for this exists, e.g. to authorities to comply with legal notice requirements or to persons who are themselves subject to confidentiality duties (attorneys, tax advisors, auditors).
Where we are unable to offer you employment at present we will process your data for up to six months after rejecting your application in order to defend against any legal claims, in particular having regard to potential prejudice in the application proceedings. This will not apply where legal grounds oppose erasure (e.g. accounting or tax law reasons), which make further storage necessary or you have explicitly consented to a longer storage duration.
The legal basis for the data processing in application proceedings and for information stored in personnel files is founded on Art. 6 (1) (b) GDPR and Art. 88 GDPR, § 26 BDSG and, to the extent you have provided consent, for instance by sending information that is not necessary for the application process, Art. 6 (1) (a) GDPR. In the event of a rejection, the legal basis for data processing is Art. 6 (1) (f) GDPR. The legal basis for accounting and tax law retention is Art. 6 (1) (c) GDPR and § 147 of the German Fiscal Code. The legitimate interest in processing under Art. 6 (1) (f) GDPR is the defence against legal claims. We usually require no special categories of personal data for the application process in terms of Art. 9 GDPR. We would ask you not to send us any such information. If such information is relevant for the application process on an exceptional basis, we will process this together with your other application data. This may relate for example to information on a disability that you provide to us on a voluntary basis and that we would then need to process in order to fulfil our special duties regarding disabled persons. In these cases, the processing serves the exercise of rights or the fulfilment of legal duties under employment laws, social security and social protection laws. The legal basis for the processing is then Art. 9 (2) (b) GDPR and § 164 SGB IX (German Social Code).
Our data protection policy may change from time to time. This includes further developments due to changes in our business as well as adjustments due to a changed legal situation and/or due to the implementation of new web analysis and/or retargeting technologies. Corresponding updates of the data protection policy will be published by us on this site. In case of significant changes, we will point this out accordingly. If you have any further questions that are not answered by our data protection policy, please send an email to the following address: email@example.com.
Berlin, march 15th, 2021