1. Data Controller (Art. 4 No. 7 GDPR)

The entity responsible for the processing of personal data on this website is:

Graner Bonomi GmbH
Behrstrasse 90
73240 Wendlingen am Neckar
Germany

Phone: +49 176 95296442
WhatsApp: +49 176 95296442
E-Mail: info@graner-bonomi.com
Website: www.graner-bonomi.com

Managing Director: Patrick Bonomi
Commercial Register: Amtsgericht Stuttgart HRB 761334

For data protection enquiries, please contact us at: datenschutz@graner-bonomi.com (or info@graner-bonomi.com with the subject line „Data Protection“).

 

2. General Information on Data Processing

We take the protection of your personal data very seriously. We process personal data collected during your visit to our website exclusively in accordance with applicable data protection law – in particular the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications Digital Services Data Protection Act (TDDDG).

Personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). We process personal data only to the extent permitted by law or where you have given us your consent.

 

3. Legal Bases for Processing (Art. 13 GDPR)

We process your personal data on the following legal bases:

  • 6(1)(a) GDPR – Consent: Where you have given us your express consent to processing.
  • 6(1)(b) GDPR – Contract performance: Where processing is necessary for the performance of a contract or pre-contractual measures.
  • 6(1)(c) GDPR – Legal obligation: Where processing is necessary to comply with a legal obligation.
  • 6(1)(f) GDPR – Legitimate interests: Where processing is necessary to protect our legitimate interests or those of third parties, and your interests do not override ours.

 

4. Hosting & Infrastructure

4.1 Web Hosting

Our website is hosted by a professional hosting provider. When you access our website, the following data is automatically collected and stored in server log files:

  • IP address of the requesting device
  • Date and time of the request
  • Name and URL of the file retrieved
  • Website from which access is made (referrer URL)
  • Browser used and, if applicable, your operating system
  • Name of your internet access provider

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technically error-free provision of the website). Data is deleted as soon as it is no longer required for the purpose for which it was collected, at the latest after 7 days.

4.2 Cloudflare Turnstile

This website uses Cloudflare Turnstile, a CAPTCHA service provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Turnstile is used to detect and prevent automated access (bots) to our contact forms.

When using Turnstile, data (including your IP address and browser information) is transmitted to Cloudflare in the United States. This transfer is carried out on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website security and the prevention of spam and abuse).

Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/

 

5. Contact Forms & Enquiries

Our website provides contact forms. If you contact us via a contact form or by e-mail, the data you provide (e.g. name, e-mail address, message) will be stored and processed by us in order to handle your enquiry.

Legal basis: Art. 6(1)(b) GDPR where your enquiry relates to a contract or pre-contractual measures; otherwise Art. 6(1)(f) GDPR (legitimate interest in processing enquiries).

Data will be deleted once it is no longer required to achieve the purpose for which it was collected. This is the case when the relevant conversation with you has concluded and no further follow-up is to be expected, at the latest after 3 years (statutory retention periods under commercial law).

Your data will not be passed on to third parties unless this is required in order to process your enquiry.

Notice: By submitting a contact form, you consent to the processing of the data you have provided in accordance with this Privacy Policy. You may withdraw this consent at any time with effect for the future (see Section 11).

 

6. Processing of Player & Client Data

In the course of our activities as licensed football agents (FIFA Agents), we process personal data of football players and prospective clients. The following categories of data may be processed:

  • Contact data (name, address, telephone number, e-mail address)
  • Career data (club, league, position, contract duration)
  • Performance data (statistics, scouting reports)
  • Health data, where required for advisory purposes (Art. 9(2)(b) GDPR)
  • Financial data in the context of contract negotiations
  • Photographs and image material

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(a) GDPR (consent). For special categories of personal data (e.g. health data), we rely on Art. 9(2)(a) or (b) GDPR.

 

7. Cookies & Tracking

7.1 Cookies in General

Our website uses cookies. Cookies are small text files stored on your device when you visit a website. You can restrict or disable the use of cookies in your browser settings.

Technically necessary cookies: These cookies are required for the operation of the website. Legal basis: Art. 6(1)(f) GDPR.

Analytics and marketing cookies: These cookies are only set after you have given your express consent. Legal basis: Art. 6(1)(a) GDPR. You may withdraw your consent at any time via our cookie banner.

7.2 Google Ads (formerly Google AdWords)

This website uses Google Ads Conversion Tracking provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you click on a Google ad, a conversion tracking cookie is set. These cookies expire after 30 days.

Data transfer to the USA: Where data is transferred to the United States, this is carried out on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the EU-US Data Privacy Framework.

Legal basis: Art. 6(1)(a) GDPR (consent). You may object to data collection by declining consent in the cookie banner or by opting out at: https://adssettings.google.com/

Google Privacy Policy: https://policies.google.com/privacy

7.3 Google Web Fonts (locally hosted)

Where Google Web Fonts are used on this website, they are hosted locally on our own server. No connection to Google’s servers is established and no data is transmitted to Google.

Note: Where Google Fonts are embedded externally (via a remote call to Google’s servers), this constitutes a GDPR infringement without prior consent under current case law (CJEU, Munich Regional Court I). We strongly recommend local hosting of all web fonts.

7.4 Instagram Feed / Social Media Plugins

Our website embeds content from Instagram (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland). When loading this content, a connection to Meta’s servers may be established, transmitting your IP address and browser information.

We use a two-click solution or cookie consent mechanism for embedding Instagram content, so that a connection to Meta’s servers is only established after your active consent.

Data transfer to the USA: Meta Platforms, Inc. participates in the EU-US Data Privacy Framework. Additionally, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR apply.

Legal basis: Art. 6(1)(a) GDPR (consent).

Meta/Instagram Privacy Policy: https://privacycenter.instagram.com/policy

 

8. External Links

Our website contains links to external third-party websites. We have no influence over the content of those sites and accept no responsibility for them. By clicking an external link, you leave our website.

The processing of your data on linked donation platforms (e.g. Caritas, DRK, UNICEF, Cruz Roja) is the sole responsibility of the respective operators of those sites. We recommend reading the privacy policies of the respective providers before making a donation.

 

9. Our Social Media Presences

We maintain presences on social networks (in particular Instagram). When you visit our profile pages, data is processed by the respective network operator. The network operator is primarily responsible for this data processing.

Where we are jointly responsible with the network operator within the meaning of Art. 26 GDPR (e.g. through the use of Page Insights), we have entered into a corresponding agreement with the provider. In such cases, you may exercise your data protection rights against both us and the network operator.

 

10. Data Retention Periods

Personal data is retained only for as long as necessary for the respective purpose or as required by statutory retention obligations. Specifically:

  • Server log files: maximum 7 days
  • Contact enquiries: until final processing, then deletion, at the latest after 3 years
  • Contract data (player agency agreements): 10 years under commercial law retention obligations (Section 257 HGB)
  • Cookie consent records: 3 years
  • Application documents (if submitted): 6 months after rejection

 

11. Your Rights as a Data Subject (Arts. 15–22 GDPR)

You have the following rights with regard to your personal data:

  • Right of access (Art. 15 GDPR): You may request information about the personal data we process about you.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR): You may request the deletion of your data under certain conditions („right to be forgotten“).
  • Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data.
  • Right to data portability (Art. 20 GDPR): You may receive your data in a structured, commonly used and machine-readable format, or have it transferred to another controller.
  • Right to object (Art. 21 GDPR): You may object at any time to the processing of your data based on Art. 6(1)(f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR): You may withdraw any consent you have given at any time with effect for the future.

To exercise your rights, please contact: info@graner-bonomi.com

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The supervisory authority competent for Graner Bonomi GmbH is:

The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg
(Der Landesbeauftragte fuer den Datenschutz und die Informationsfreiheit Baden-Wuerttemberg)
Lautenschlagerstrasse 20
70173 Stuttgart, Germany
Website: https://www.baden-wuerttemberg.datenschutz.de

 

12. Data Security

We implement appropriate technical and organisational security measures to protect your data against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. Our security measures are continuously improved in line with technological developments.

Data transmission on our website is encrypted using SSL/TLS (indicated by „https://“ in the address bar of your browser).

 

13. Automated Decision-Making / Profiling

We do not carry out automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you. No profiling takes place.

 

14. Minors

Persons under the age of 16 should not transmit personal data to us without the consent of their parent or guardian. Parents and guardians who contact us on behalf of a minor consent to the processing of that data in accordance with this Privacy Policy by submitting the relevant information.

In the context of player agency services for youth players under 18 years of age, the consent of a parent or legal guardian is always required. This consent is obtained separately as part of the agency agreement.

 

15. Updates to this Privacy Policy

This Privacy Policy is currently valid and was last updated in March 2026.

As our website develops or in response to changes in legislation or regulatory requirements, it may be necessary to update this Privacy Policy. The current version is available at all times on our website at www.graner-bonomi.com/playersagents-data-protection/