Privacy Policy

The protection of your personal data is important to 1. FC Köln. This privacy policy explains how we process personal data when you use FC.de, the integrated online store, and the associated digital services and features.

Personal data refers to any information relating to an identified or identifiable natural person. This includes, for example, name, email address, mailing address, customer number, or online identifiers.

We process personal data exclusively in accordance with applicable data protection regulations, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

This privacy policy applies exclusively to the use of FC.de, including its integrated online store and the digital services provided there.

Additional or separate privacy notices may apply to certain services offered by 1. FC Köln. This applies in particular to:

If separate privacy notices apply to these services, they will be provided within the respective service.

The controller, as defined in Article 4(7) of the GDPR, for the processing of personal data in connection with the use of FC.de, the integrated online store, and the associated digital services is:

Phone: +49 221 99 1948 0 Email: service@fc.de

If you have any questions about data protection or the processing of your personal data, you can contact our Data Protection Officer at any time:

INTEGRITY GmbH for Data Protection, Information Security, and Compliance Bischof-Hemmerle-Weg 9 52076 Aachen

Email: datenschutz@fc-koeln.de

We process personal data only to the extent that there is a legal basis for doing so and the processing is necessary for the respective purposes.

In particular, the processing is carried out:

To the extent that individual processing operations require the storage of information on your device or access to information already stored on your device, this is carried out in accordance with the Telecommunications and Digital Services Data Protection Act (TDDDG). We explain the relevant legal basis for each processing operation in the respective sections.

The legal basis applicable to each individual processing operation is explained in more detail in the following privacy notices.

Every time you visit our website, your device’s browser automatically transmits information to our servers and to the technical service providers we use.

In particular, the following personal data may be processed:

This data is processed to provide the website, ensure the stability and security of our systems, analyze errors, and detect and prevent attempts at misuse and attacks.

The legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest lies in providing our online services in a secure, stable, and user-friendly manner.

We use technical service providers specializing in hosting, content management, security, and infrastructure services to ensure the technical setup and delivery of the website.[SW4]

We use the Contentful content management system to manage and deliver content. In doing so, we may process connection data required for technical purposes to the extent necessary to provide the content.

To secure and optimize the website, we use technical infrastructure and security services designed specifically to protect against attacks, distribute traffic, and ensure the availability of our systems.

The log and connection data collected in this process is generally stored only for as long as is necessary to achieve the aforementioned purposes. The data is then deleted or anonymized, unless there are legal retention requirements or legitimate reasons for storing it for a longer period.

To the extent that personal data is transferred to countries outside the European Union or the European Economic Area in connection with the aforementioned services, such transfers are made exclusively in compliance with the legal requirements set forth in Articles 44 et seq. of the GDPR.

On our website, we use a consent management system to obtain, manage, and document your consent for specific data processing activities, as well as for the storage and retrieval of information on your device.

To this end, we use the Usercentrics service provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.

The consent management system allows us to save and document your preferences regarding technologies and services that require consent, and to take them into account during future visits. In addition, the system enables you to manage and withdraw consent you have already provided.

In particular, the following data may be processed:

This processing is carried out to fulfill our legal obligations to maintain records of consent granted in accordance with Article 7 of the GDPR, as well as to manage the services used in compliance with data protection regulations.

The legal basis for the processing of personal data is Article 6(1)(c) of the GDPR in conjunction with Article 7 of the GDPR.

To the extent that information is stored on or retrieved from your device by the consent management system, this is done in accordance with § 25(2)(2) of the TDDDG.

The stored records of consent will be retained for the duration of the applicable legal record-keeping and documentation requirements and will then be deleted.

For more information about data processing by Usercentrics, please refer to Usercentrics' privacy policy.

Through our online store, you can purchase 1. FC Köln merchandise and other products.

In order to process and fulfill orders, we process the following personal data in particular:

The data is processed for the purpose of concluding and fulfilling sales contracts, processing orders, delivering ordered goods, handling returns and complaints, communicating with customers, and complying with legal retention and documentation requirements.

The legal basis is Article 6(1)(b) of the GDPR. To the extent that statutory retention or record-keeping obligations apply, the processing is also based on Article 6(1)(c) of the GDPR.

We use the Shopify e-commerce platform to operate our online store. Shopify provides the technical infrastructure for hosting and managing the online store. In particular, customer, order, shipping, payment, and communication data may be processed to the extent necessary for the operation of the store and the fulfillment of orders.

In order to fulfill your order, personal data may also be transferred to shipping providers, payment service providers, IT service providers, and other recipients involved in the processing of the contract.

We generally store order and contract data for the duration of the contract. Where statutory retention periods apply, the data is stored for the duration of the respective statutory periods, in particular in accordance with commercial and tax law requirements.

You can register and use an FC-ID for certain features of our digital services.[SW1] [HB2]

The FC-ID serves as 1. FC Köln’s central user account and enables authentication as well as access to various digital services via a unified single sign-on (SSO) process. This allows you to access various digital services offered by 1. FC Köln with a single user account, without having to log in separately for each service. These include, in particular, the fan shop, ticketing services, the FC app, and the member portal.

We use the services of Unidy GmbH, Spitalerstraße 10, 20095 Hamburg, to provide the FC-ID and the single sign-on process. Unidy GmbH processes personal data exclusively on our behalf based on a data processing agreement in accordance with Article 28 of the GDPR.

The following personal data, in particular, may be processed in connection with the registration, login, and use of the FC-ID:

This data is processed to set up and manage your user account, to authenticate you when accessing restricted areas, to manage access rights, and to provide the single sign-on process for the connected digital services.

As part of the single sign-on process, authentication and account information may be shared among the various digital services offered by 1. FC Köln, to the extent necessary to provide the respective feature or service.

The legal basis for the registration, provision, and use of the FC-ID is Article 6(1)(b) of the GDPR.

To the extent that data is processed to detect and prevent misuse, to ensure system security, or to investigate security incidents, this is done on the basis of Article 6(1)(f) of the GDPR. Our legitimate interest lies in the secure provision and protection of our digital services and user accounts.

The data is generally stored for as long as the user account remains active. Once the FC-ID is deleted, the data will be deleted unless there are legal retention requirements or legitimate reasons for further storage.

We work with external payment service providers to process payments for orders placed in our online store.

Depending on the payment method selected, the personal data required for payment processing will be transmitted to the respective payment service provider. In particular, the following data may be processed for this purpose:

Your data is processed solely for the purpose of processing payments and fulfilling the purchase agreement entered into with you.

The legal basis is Article 6(1)(b) of the GDPR.

The payment service providers used will be displayed during the ordering process. Their own privacy policies also apply to the processing of personal data by these providers.

To the extent that payment service providers act independently, the processing of personal data is carried out under their own responsibility under data protection law.

In order to comply with legal retention and record-keeping requirements, payment-related data may also be stored pursuant to Article 6(1)(c) of the GDPR.

To detect and prevent misuse, attempted fraud, and other security incidents, we may conduct risk-based checks in connection with orders, transactions, and the use of our online store.

In particular, the following personal data may be processed:

This data is processed to protect our online store and our customers, as well as to prevent fraudulent activities, misuse, and other security risks.

The legal basis is Article 6(1)(f) of the GDPR.

Our legitimate interest lies in ensuring the secure and efficient operation of our online store, protecting our customers, and preventing fraud, misuse, and security incidents.

To the extent that external service providers are used for fraud prevention or risk assessment, they receive personal data only to the extent necessary to provide the respective service.

No decisions are made solely by automated means within the meaning of Article 22 of the GDPR that produce legal effects on data subjects or similarly significantly affect them. Any unusual occurrences are reviewed and assessed by the appropriate staff members before a decision is made.

If you have given your consent, we use analytics and statistics services to better understand how our website and online store are used, to optimize content and features, to identify technical errors, and to evaluate the reach and usage of our digital offerings.

In particular, this may involve the processing of information regarding the use of our website and online store, content accessed, interactions with features and offers, technical device and browser information, as well as statistical usage data.

The storage and retrieval of information on your device are carried out—where necessary—based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

If you have given your consent, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics allows us to analyze how our website and online store are used. This helps us understand how visitors interact with our content, which pages are viewed most frequently, and how we can optimize our digital offerings in terms of both technology and content.

In particular, the following information may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

We have enabled IP anonymization. This means that your IP address will be truncated within the member states of the European Union or in other signatory states of the European Economic Area before further processing.

The information collected through Google Analytics may be transmitted to Google’s servers and processed there. To the extent that personal data is transferred to the United States in this context, this is done on the basis of the European Commission’s adequacy decision for certified companies under the EU-U.S. Data Privacy Framework, as well as any supplementary appropriate safeguards pursuant to Art. 44 et seq. of the GDPR.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about Google's data processing practices, please see Google's Privacy Policy.

If you have given your consent, we use dymatrix Web Analytics provided by DYMATRIX GmbH, Lautenschlagerstraße 2, 70173 Stuttgart, Germany.

Dymatrix Web Analytics allows us to analyze how our website and online store are used. The information we gather helps us make our content, features, and processes more user-friendly and supports the technical and content-related development of our digital offerings.

In particular, the following data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

Data is generally processed in a pseudonymized form. Web analytics is not intended to directly identify you personally.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

If you have consented to this, we use the analytics and reporting features of the Shopify platform. The provider is Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland.

Shopify Analytics helps us analyze the usage of our online store, measure the performance of specific content and products, and support the technical and business growth of our store.

In particular, the following data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

The information collected is used to analyze user behavior, optimize our online store, enhance the shopping experience, and measure the effectiveness of specific content and offers.

To the extent that personal data is processed outside the European Union or the European Economic Area in connection with Shopify Analytics, such processing is carried out in compliance with the legal requirements of Articles 44 et seq. of the GDPR. In particular, adequacy decisions by the European Commission, standard contractual clauses, or comparable appropriate safeguards may be used for this purpose.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about how Shopify processes data, please see Shopify’s Privacy Policy.

If you have consented to this, we use the JW Player service to provide and analyze video content on our website.

JW Player enables the integration, delivery, and technical provision of videos, as well as the analysis of their usage. The information gathered helps us further develop our digital media offerings in terms of both technology and content.

In particular, the following data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

This data is processed to analyze the use of our video content, optimize the technical delivery of videos, and improve our digital media offerings.

To the extent that personal data is processed outside the European Union or the European Economic Area in connection with the use of JW Player, such processing is carried out exclusively in compliance with the legal requirements set forth in Articles 44 et seq. of the GDPR.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about data processing by JW Player, please refer to the provider's privacy policy.

We embed external media and content on our website to provide audiovisual content and expand the information we offer.

External media are generally embedded only after you have given your consent. Depending on the service used, personal data may be transmitted to the respective providers, and information may be stored on or retrieved from your device.

In particular, the following data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

To the extent that personal data is processed outside the European Union or the European Economic Area in connection with the integration of external media, such processing is carried out exclusively in compliance with the legal requirements set forth in Articles 44 et seq. of the GDPR.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

Our website may include videos from YouTube. The service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

To ensure greater privacy, we use YouTube's enhanced privacy mode. According to YouTube, this means that information about visitors to our website is not processed until a video is actively playing.

Only after you give your consent will a connection be established with YouTube's servers and the video in question be loaded.

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

To the extent that personal data is processed outside the European Union or the European Economic Area in connection with the use of YouTube, such processing is carried out in accordance with the legal requirements set forth in Articles 44 et seq. of the GDPR. This may, in particular, involve processing by companies within the Google Group in the United States.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about Google's data processing practices, please see Google's Privacy Policy.

Provided you have consented to this, we use marketing, advertising, analytics, and personalization services to increase the reach of our offerings, evaluate advertising campaigns, personalize content and product recommendations, and improve the user experience on our website and in our online store.

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are carried out—where necessary—based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

The services used can be employed to measure the effectiveness of advertising campaigns, identify target audiences, personalize content and offers, and statistically analyze the use of our digital offerings.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

If you have given your consent, we use Google Ads, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads allows us to run online ads and measure and analyze the success of our advertising campaigns. This enables us to track whether users perform specific actions on our website or in our online store after clicking on an ad.

In addition, Google Ads can be used to create target audiences and show users interest-based content and ads (remarketing).

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with Section 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

To the extent that personal data is processed outside the European Union or the European Economic Area in connection with the use of Google Ads, such processing is carried out in accordance with the legal requirements set forth in Articles 44 et seq. of the GDPR. This may, in particular, involve processing by companies within the Google group in the United States.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about Google's data processing practices, please see Google's Privacy Policy.

If you have consented to this, we use the Meta Pixel from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, on our website.

The Meta Pixel allows us to analyze the effectiveness of our advertising campaigns on Facebook and Instagram. This enables us to track whether users visited our website after clicking on an ad and performed specific actions there.

In addition, the Meta Pixel can be used to create audiences, serve interest-based ads, and carry out remarketing campaigns. This allows us to show users relevant content and offers on Meta’s platforms.

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

We are jointly responsible with Meta Platforms Ireland Limited for certain processing activities related to the Meta Pixel. This joint responsibility is limited in particular to the collection and transmission of data to Meta, as well as the provision of aggregated analyses. To this end, we have entered into a joint controller agreement in accordance with Article 26 of the GDPR.

To the extent that personal data is processed outside the European Union or the European Economic Area, such processing is carried out in accordance with the legal requirements set forth in Articles 44 et seq. of the GDPR.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about Meta's data processing practices, please see Meta's Privacy Policy.

If you have given your consent, we use the marketing and analytics features of the Shopify platform. The provider is Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland.

These features help us evaluate the effectiveness of our marketing efforts, track the sources of store visitors and orders, analyze marketing campaigns, and optimize the user experience in our online store.

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

In particular, this data processing is used to measure the effectiveness of marketing campaigns, analyze customer interactions, optimize our online store, and improve our digital offerings.

To the extent that personal data is processed outside the European Union or the European Economic Area in connection with the use of Shopify Marketing, such processing is carried out in compliance with the legal requirements of Articles 44 et seq. of the GDPR. In particular, adequacy decisions by the European Commission, standard contractual clauses, or comparable appropriate safeguards may be used for this purpose.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about how Shopify processes data, please see Shopify’s Privacy Policy.

If you have given your consent, we use personalization services provided by DYMATRIX GmbH, Lautenschlagerstraße 2, 70173 Stuttgart, Germany.

The personalization features we use allow us to tailor content, offers, and product recommendations to our users’ interests and needs, as well as to enhance the user experience on our website and in our online store.

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

This data is processed to present content tailored to your interests, personalize offers and product recommendations, and optimize the user experience.

Personalization is always based on pseudonymized information. We do not intend to directly identify you through this process.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about data processing by DYMATRIX, please refer to the provider’s privacy policy.

If you have given your consent, we use the dymatrix Audience Relationship Platform (ARP) provided by DYMATRIX GmbH, Lautenschlagerstraße 2, 70173 Stuttgart, Germany.

The dymatrix Audience Relationship Platform helps us analyze user interests and interactions with our digital offerings, identify target audiences, and deliver content, offers, and marketing initiatives in a more targeted manner.

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

We process this data to create target groups, personalize content and offers, optimize our marketing efforts, and improve the user experience.

Where possible, processing is based on pseudonymized information.

No decisions are made solely by automated means within the meaning of Article 22 of the GDPR that produce legal effects on data subjects or similarly significantly affect them.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about DYMATRIX's data processing practices, please refer to the provider's privacy policy.

If you have given your consent, we use the services of Kameleoon SAS, 12 Rue de la Chaussée d’Antin, 75009 Paris, France.

Kameleoon helps us analyze and optimize our website and online store. This may involve conducting A/B tests, user segmentation, and personalization initiatives to continuously improve content, features, and the user experience.

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with Section 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

This data is used to analyze user behavior, conduct A/B tests, optimize content and features, and improve the user experience on our website and in our online store.

Where possible, processing is based on pseudonymized information.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about data processing by Kameleoon, please refer to the provider’s privacy policy.

If you have given your consent, we use interactive communication and consultation features provided by LoyJoy GmbH, Kapuzinerstraße 20, 48149 Münster, on our website.

LoyJoy enables the provision of digital communication and advisory services, particularly to assist with inquiries, provide information, and improve user interaction on our website.

When using the relevant features, the following personal data, in particular, may be processed:

The storage and retrieval of information on your device are carried out—to the extent technically necessary—based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

The purpose of this data processing is to provide interactive communication and advisory services, to handle user inquiries, and to improve our digital services.

When using the communication features, please do not enter any special categories of personal data as defined in Article 9 of the GDPR or any other confidential information, unless this is expressly required.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about data processing by LoyJoy, please refer to the provider's privacy policy.

If you have given your consent, we use the services of the affiliate network AWIN AG, located at Eichhornstraße 3, 10785 Berlin, Germany.

AWIN helps us implement and measure the success of our affiliate marketing campaigns. Through this program, partner companies (affiliate partners) can refer visitors to our website or online store. If, for example, a purchase or another defined action is subsequently made, it can be attributed to the respective affiliate partner.

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

This data is processed to measure the success of affiliate marketing campaigns, to attribute referrals and orders to affiliate partners, and to calculate commissions.

To the extent that personal data is processed in connection with the use of AWIN, this is done exclusively in accordance with applicable data protection laws.

You can withdraw your consent at any time with future effect through the settings in our consent management system.

For more information about AWIN's data processing practices, please refer to AWIN's privacy policy.

If you have given your separate consent, we may send you push notifications about news, products, promotions, events, and other information from 1. FC Köln.

To send push notifications, we process technical information that is necessary for the delivery and management of the notifications.

In particular, the following personal data may be processed:

The storage and retrieval of information on your device are based on your consent in accordance with § 25(1) of the TDDDG.

The subsequent processing of personal data is based on your consent in accordance with Article 6(1)(a) of the GDPR.

This data is processed for the purpose of sending push notifications, managing your consent, and analyzing and optimizing our communication efforts.

You can withdraw your consent at any time, effective immediately. You can also disable push notifications at any time through the settings on your device or browser.

For more information about the push services used, please refer to the provider’s respective privacy policy.

We use the service provided by Judge.me Ltd, c/o Buckworths, 1-3 Worship Street, 2nd Floor, London, EC2A 2AB, to display, manage, and verify product reviews in our online store.

Judge.me allows us to collect, display, and manage customer reviews of products, as well as verify the authenticity of those reviews. Our goal is to increase the transparency of our offerings and help other customers make informed purchasing decisions.

When using the review features, the following personal data, in particular, may be processed:

The storage and retrieval of information on your device are carried out—to the extent technically necessary—based on your consent in accordance with § 25(1) of the TDDDG.

Personal data is processed for the purpose of providing and publishing product reviews, verifying actual purchases, ensuring quality, and preventing abuse and manipulation.

To the extent that the processing is carried out for the purpose of publishing a review you have submitted, the legal basis is Article 6(1)(a) of the GDPR. To the extent that processing is necessary to provide the review feature and to prevent abuse, it is based on Article 6(1)(f) of the GDPR.

Our legitimate interest lies in providing authentic product reviews, improving the transparency of our online store, and preventing fraudulent or manipulated reviews.

If reviews are published on our website, the information you provide will be visible to other visitors. Therefore, please be careful not to include any confidential or sensitive personal information in your reviews.

For more information about how Judge.me processes data, please refer to the provider’s privacy policy.

If you subscribe to our newsletter or similar electronic communications, we will process the personal data required for this purpose.

In particular, the following personal data may be processed for this purpose:

Your data is processed for the purpose of sending newsletters and electronic communications about 1. FC Köln’s products, offers, promotions, events, and news, as well as for managing and documenting your consent.

Registration is always done via the double opt-in process. After registering, you will receive an email asking you to confirm your registration. This ensures that the owner of the email address provided has consented to receiving the newsletter.

The legal basis for sending the newsletter and managing consent is Article 6(1)(a) of the GDPR.

To the extent that we statistically evaluate the use of our newsletters to analyze reach, open rates, clicks, and user interactions, and to optimize our communication efforts, this is also done on the basis of your consent in accordance with Article 6(1)(a) of the GDPR.

You can withdraw your consent at any time, effective immediately. To do so, you can use the unsubscribe link included in every newsletter.

After you unsubscribe, we will retain the information necessary to document the consent originally provided for the duration of the statutory retention and statute of limitations periods.

We use specialized technical service providers to send and manage our newsletters. You can find more information about this on the respective mailing service providers' websites.

When you contact us—for example, via a contact form, by email, by phone, or through other communication channels—we process the personal data you provide in order to handle your inquiry.

In particular, the following personal data may be processed:

Your data is processed to handle and respond to your inquiry, to communicate with you, and, where applicable, to carry out pre-contractual or contractual measures.

If your request relates to the conclusion or performance of a contract, the processing is based on Article 6(1)(b) of the GDPR.

In all other cases, processing is based on Article 6(1)(f) of the GDPR. Our legitimate interest lies in the efficient handling of incoming inquiries, communication with prospective customers, customers, and users, and the improvement of our services.

The data you provide when contacting us will generally be stored only for as long as is necessary to process your inquiry. If statutory retention obligations apply or if the communication is necessary for the assertion, exercise, or defense of legal claims, the data may be stored for a longer period.

To provide our website, online store, and digital services, we work with external service providers and partners.

Depending on the processing operation, personal data may be disclosed to the following categories of recipients in particular:

To the extent that external service providers process personal data on our behalf, they do so on the basis of appropriate data processing agreements in accordance with Article 28 of the GDPR.

To the extent that recipients process personal data for their own purposes, they do so under their own responsibility under data protection law. You can find more information on this in the respective privacy policies of the relevant providers.

When using certain services, it may be necessary to transfer personal data to recipients outside the European Union or the European Economic Area, or to have such data processed there.

To the extent that personal data is transferred to so-called third countries, this is done exclusively in compliance with the legal requirements set forth in Articles 44 et seq. of the GDPR. In particular, the following safeguards may be implemented:

For more information about the recipients and service providers involved, please refer to the relevant sections of this Privacy Policy.

We retain personal data only for as long as is necessary for the respective processing purposes or as long as there is a legal basis for further retention.

The specific retention period depends in particular on:

Once the relevant purpose for processing no longer applies and there are no statutory retention periods or other legitimate reasons for further storage, the personal data in question will be deleted or anonymized.

Statutory retention periods are primarily based on commercial and tax law provisions. These may require certain data to be retained beyond the duration of the actual contractual relationship.

If specific retention periods are specified in the individual sections of this Privacy Policy, those periods shall take precedence.

As a data subject, you have the following rights under data protection laws:

If personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes.

You have the right to file a complaint with a data protection supervisory authority regarding the processing of your personal data if you believe that the processing of your personal data violates data protection laws.

This right is without prejudice to any other administrative or judicial remedies.

The competent data protection supervisory authority for 1. FC Köln is currently:

State Commissioner for Data Protection and Freedom of Information, North Rhine-Westphalia (LDI NRW) Kavalleriestraße 2–4 40213 Düsseldorf

Phone: +49 211 38424-0 Email: poststelle@ldi.nrw.de

Regardless of this, you may also contact the data protection supervisory authority in your country of habitual residence, your country of employment, or the country where the alleged data breach occurred.