Business Partner Privacy Policy
Data protection is important for us
Thank you for visiting Our web site and/or asking for a paper copy of this policy.
Lidl Malta Limited (C 36317) , Lidl Immobiliare Malta Limited (C 36321) and Lidl Logistica Malta Ltd (C79620), three companies registered in Malta and all having their registered address at The Administration Office, Triq Il-Karmnu, Luqa, Malta LQA1311, (together hereafter referred to as ‘Lidl’, ‘We’, ‘Us’, ‘Our’ or ‘Ourselves’) take the protection of your personal data very seriously. We are therefore, jointly committed to providing you with a comprehensive privacy policy about the processing of your personal data in this specific context. We are also individually committed to providing you with more detail of a general nature (depending on Our processing operations).
The following specific privacy policy applies to you when you may be deemed to be a ‘data subject’ as defined by the EU General Data Protection Regulation (‘GDPR’) and in those cases where you or an entity you represent, initiate and/or already enjoy and/or execute a commercial relationship with Us in any capacity whatsoever, including but not limited to employees, shareholders, suppliers and/or clients of Our business partners and/or affiliates and when you contact Us, when you act in any contract negotiations and/or act pursuant to any contractual agreement between Us (and/or the entity you represent) and personal data belonging to you or other similar natural persons are processed in this context.
If you are reading this as a business partner or affiliate of LIDL where you cannot be deemed as a ‘data subject’ as understood by the GDPR, you must take all necessary measures to provide all data subjects for whom you are responsible (including but not limited to your employees and your clients) and whose personal data will be processed by Us in connection with the commercial relationship between Us, with this specific and condensed privacy policy and any other policy provided by LIDL (including LIDL’s full privacy policy available on the website of the respective LIDL entity with whom you are contracting).
The processing of personal data in this context is carried out in accordance with the European General Data Protection Regulation (the GDPR) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any Subsidiary Legislation issued under the same as may be amended from time to time.
The particular personal data that are processed in each single case depends on the service contact; therefore not all parts of this specific privacy policy might be relevant to you.
Generally, We collect your personal data from yourself and/or the entity you represent (usually Our business partner and/or affiliate) and We normally do this in order to fulfil Our contractual obligations with Our business partners and/or affiliate (henceforth, the ‘Partner) or any of the other legal grounds described below). In some cases, should the personal data We require from you not be forthcoming, it may be the case that We will not be able to adequately fulfil Our contractual obligations with Our Partners or do so in a timely manner.
However, it could also be necessary to process personal data about you which We obtain from other companies, authorities or third parties, like credit agencies, tax offices or similar. Such entities store personal data which We obtain through Our channels and generally use to report a possible compliance breach or in relation to compliance investigations.
Relevant personal data may be: basic personal data (e.g. name, surname, address or other contact details, date and place of birth as well as nationality), legitimacy and authentication data (e.g. commercial register extracts, identification data, specimen signature), data in the context of Our business relationship (e.g. payment data, order data, VAT number), validity data, company structure and propriety relationship, photo and video recording (e.g. for the delivery of the goods) as well as other data comparable to the mentioned categories.
You always have the choice whether you want to communicate with Us via e-mail or post. Due to technical reasons, communication by email may be unencrypted and We shall accept no responsibility or liability whatsoever for the security of your data while in transit through the Internet unless Our responsibility results explicitly from a law having effect in Malta.
For the performance of contractual obligations (Art. 6 par. 1 b) GDPR)
The purposes of the data processing resulting from the performance of pre-contractual measures, which precede a contractually regulated business relationship, and in the eventual fulfilment of the contract obligations between LIDL and Our Partner(s).
For compliance with a legal obligation (Art. 6 par. 1 c) GDPR)
The purposes of data processing in each case are determined also by certain legal obligations. These legal obligations include for example the fulfilment of storage and identification duties, for example within the framework of anti-money laundering prescriptions, tax control and reporting obligations as well as data processing in the context of requests from relevant authorities.
Purposes of legitimate interests (Art. 6 par. 1 f) GDPR)
It could also be necessary to process your personal data provided by you (or any entity you represent) beyond the actual performance of the contract. In this sense Our legitimate interests are, in particular, the selection of suitable business partners, the exercise of legal claims, the defence against liability claims, the physical and logistical access controls, the clarification of potential compliance-violations, the prevention of criminal acts and the regulation of damages resulting from the business relationship.
At the end of the contract in some cases We collect data on your credit rating via credit bureaus in order to perform the above-mentioned legitimate interests. We use the data of the credit bureaus to examine your credit rating (depending on your role and capacity). The credit bureaus store data which they obtain, for example, from banks or companies. These data include name, surname, data of birth, address, and payment information. You can obtain information on the personal data stored directly from the credit bureaus.
Within Our company, access to your personal data is given only to those departments which need them to perform contractual or legal obligations or to fulfil legitimate interests (which interests have been explained above). Within the framework of contractual relationships, We also appoint data processors or providers who can obtain access to your personal data. In this case, compliance with data protection regulations is contractually ensured through data processing agreements We have in place with such data processors or providers (on the basis of Article 28 of the GDPR).
The data may also be transmitted to companies within the Schwarz Group for the performance of contractual obligations.
We will keep your personal data only for as long as necessary. Necessity depends on legal obligations We may have. For example, if any personal data can be deemed as ‘accounting records’, We are legally obliged to keep those data for ten (10) years. We are also entitled to retain personal data in some cases (as opposed to being obliged to do so). For example, when We believe that the personal data are necessary for Us to defend Ourselves against civil claims that may be brought against Us, We are allowed to keep the data for as long as that risk subsists (this is usually 5 years from the end of Our contractual relationship with you, where such relationship exists, and of 2 years when no such contractual relationship exists).
As part of Our business relationship with Our Partners (who you are in some way associated with) you must, in some cases, provide the personal data necessary for Us to establish, execute and/or terminate a business relationship and to perform all necessary obligations, which We are required to do by law or authorized to do due to in terms of Our legitimate interests. Without this data We will normally be unable to enter into and/or manage a business relationship with you and/or the entity you represent.
Should We transfer personal data to recipients outside the European Union (EU) or European Economic Area (EEA), this shall occur exclusively if the EU Commission has identified an appropriate level of data protection in the third country, an appropriate data protection level has been agreed with the recipient (for example through EU standard contractual clauses) or if you have given Us your consent (and this, under with all appropriate safeguards in place). You are entitled to contact Us (using the details below) to obtain a copy of the safeguards (such as the model EU standard contractual clauses) We have in place to ensure the security of any data transfers We may effect to third countries.
You, as a ‘data subject’ as understood under the GDPR, have a number of rights that are applicable under certain conditions and in certain circumstances, including Your:
- Right of access to your personal data processed by Us;
- Right to ask Us to rectify inaccurate personal data concerning you;
- Right to have Us erase your personal data ("right to be forgotten");
- Right to ask Us to restrict (that is, store but not further process) Your personal data;
- Right to ask Us to provide Your personal data to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller ("right to data portability")
- Right to object to Our processing your personal data; in this particular context only where We, as explained above, process your personal data on the basis of Our legitimate interests. For the avoidance of all doubt no right to object exists in connection with processing carried out on the basis of contractual necessity and Our legal obligations.
- Right to lodge a complaint with the relevant supervisory authority.
In those cases where the data processing is based on your consent, you would have the right to withdraw your consent for any future processing at any point. In this case, please contact Our Data Protection Officer mentioned below in writing by post or email.
In addition, if you do not agree with the processing of your personal data, you can lodge a complaint with the appropriate Data Protection Supervisory Authority [in Malta, this is the Office of the Information and Data Protection Commissioner]. However, We would appreciate you contacting Us beforehand so that We may attempt to resolve the matter amicably.
Although this is a joint privacy policy, the relevant Data Controller mainly responsible for the processing of your personal data is the company with which you (or the entity you represent) are initiating or executing a business relationship. The respective website of the said Data Controller will explain in more detail that data controller’s particular obligations in terms of the applicable data protection laws.
Contact details of Our Data Protection Officer:
E-Mail: privacymt@lidl.com.mt
Address (depending on which company you or the entity you represent has contracted with):
- Lidl Malta Limited (C 36317), The Administration Office, Triq Il-Karmnu, Luqa, LQA1311, Malta
- Lidl Immobiliare Malta Limited (C 36321) The Administration Office, Triq Il-Karmnu, Luqa, LQA1311, Malta
- Lidl Logistica Malta Ltd (C79620), The Administration Office, Triq Il-Karmnu, Luqa, LQA1311, Malta
This notice represents a condensed explanation of how We use your personal data in the specific context in question. For more information including more detail on data subject rights, please read the full privacy policy which is available on the website www.lidl.com.mt and/or upon demand.