Depending on the agreed services, Lidl may process the following categories of personal data:
- identification data (e.g. name, surname, date of birth, nationality);
- recognition and/or registration data (e.g. identity card, specimen signature, electronic signature and/or digital signature, commercial register extract);
- contact details (e.g. e-mail address, telephone number);
- IT-authentication data (e.g. protocol data, username and password, user ID);
- company data (e.g. company name, registered office, any operational offices, VAT number, tax code);
- payment data (e.g. bank account details) as well as data referred to orders/procurements;
- data relating to the asset structure, the tax position and the solidity, solvency and economic reliability as well as bank data, including bank guarantees, functional to the establishment and management of the Contract;
- data relating to the corporate structure, the composition of the corporate structure and the administrative bodies (e.g. boards of the company, shareholders, mayors, employees);
- within the limits permitted by the applicable legislation, any data relating to criminal convictions and/or offences, i.e. information relating to the inclusion of the Data Subjects in the lists of subjects involved in terrorist acts and subject to restrictive measures of the EU and the United States, data relating to administrative fines, pending proceedings as well as data relating to insolvencies, negative reports and / or news of adverse press relevant in order to verify the reliability and integrity of the Data Subjects, as well as to ensure Lidl's compliance with international principles on the matter of contrasting the activities of States, individuals or organizations that threaten international peace and security and with the relevant anti-money laundering, anti-mafia and anti-terrorism laws and regulations applicable to Lidl.
It should be noted that, if the Contract was entered into by means of a digital signature, Lidl also processed data related to it and in particular the e-mail address, the IP address, the date and time of the processing of the relative contractual document. These data are accessible to all those involved in the drawing up and signing of the Contract.
Generally, personal data are collected directly from the Data Subjects. However, in some cases, in compliance with regulatory provisions or on the basis of legitimate interests (e.g. checks on the reliability and integrity of business partners), it could also be necessary to process personal data about you obtained from other companies, Revenue Agency, authorities, credit agencies, insolvency registers, publicly accessible sources (e.g. Business Register, press review, Internet) or other third parties. The collection of personal data through these public sources takes place in compliance with the rules for the correct use of these public sources as adopted by the institutions and bodies responsible for their management. Moreover, personal data that we obtain through our reporting channels for possible compliance breach may also be processed.
Lidl processes the aforementioned personal data by both manual and electronic means, suitable to guarantee the highest security and confidentiality and to avoid unauthorized access, disclosure, modifications and subtractions of data, thanks to the adoption of adequate technical, physical and organizational security measures for the pursuit of the purposes indicated below. Finally, as regards the ways in which personal data are processed, it is specified that, with reference to art. 22 of the GDPR, no automated decision-making takes place.
Personal data will be processed for:
- managing and executing pre-contractual and contractual relationships;
- managing and archiving the relevant documentation for contractual purposes, also through electronic and IT tools;
- carrying out the communication in the context of commercial relationships;
- adopting the applications and electronic and IT systems necessary in order to execute the pre-contractual and contractual relationships.
The processing of personal data for the aforementioned contractual purposes is carried out in accordance with art. 6, paragraph 1, letter b) of the GDPR and it is necessary because of its essentiality in order to execute the Contract with the commercial partner. If the commercial partner does not provide personal data for contractual purposes, it will not be possible to execute the Contract.
Personal data, also relating to any criminal convictions and offenses in the cases referred to in art. 10 of the GDPR, may be processed to fulfill the obligations deriving from the legislation applicable to Lidl (including anti-money laundering regulations, anti-mafia and fight against terrorism), including the execution of communications to the competent authorities and supervisory bodies and to comply with requests made by them.
The processing of personal data for the aforementioned legal purposes is carried out on the basis of art. 6, paragraph 1, letter c) of the GDPR and it is necessary given its essentiality in order to ensure Lidl's compliance with the provisions of the applicable legislation, including the international principles on the matter of contrasting the activities of States, individuals or organizations that threaten international peace and security. If the commercial partner does not provide personal data for the purposes of the law, it will not be possible for Lidl to continue with the contractual relationship with the commercial partner as this would mean violating the regulations applicable to the specific case.
Purposes of legitimate interests:
Personal data may also be processed for:
- adopting the technical, electronic and IT solutions and measures that provide for the analysis of the use of Lidl systems and are necessary in order to protect and ensure the secure management of company activities, as well as prevent the illicit use of the technological resources and infrastructure of Lidl and identify conduct to the detriment of Lidl;
- optimizing company activities, also through the preparation of reporting documentation and statistical analyses;
- enforcing and defending Lidl's rights in both judicial and extrajudicial settings, including in any proceedings initiated by third parties;
- performing, also in the pre-contractual phase, checks on the reputational, economic, financial and capital situation of commercial partners as well as on their solidity, solvency and economic reliability in order to protect Lidl commercial interests and the commercial interests of the societies of the Schwarz Group;
- performing, also in the pre-contractual phase, checks aimed at the prevention of convictions and therefore in order to identify possible compliance risks deriving from the commercial relationship and therefore to protect company activities by avoiding significant damage to Lidl society/societies or to the societies of the Schwarz Group;
- completing a potential merger, disposal of assets, company or business unit transfers by divulging and transferring personal data to the third parties involved.
The processing of personal data for purposes of legitimate interests pursuant to art. 6, paragraph 1, letter f) of the GDPR is equally balanced with the legitimate interest of the Data Subjects, as the personal data processing activity is limited to what is strictly necessary for the execution of the requested business operations.
In addition to the foregoing, it should be noted that the legitimate interests concern, in particular, the choice of solid, reliable commercial partners who reflect the integrity requirements also required by sector regulations, the carrying out of audits of the social balance sheet in order to verify the compliance with social standards, the conduct of surveys for the purposes of evaluating companies, the processing of the contact details of the referents, the assignment of the work results to the individual commercial partners, the accounting of commercial transactions, the negotiation with the referents of the commercial partner as well as the processing carried out within the digitization process of the signature. Other legitimate interests include inviting to events / meetings, asserting a legal claim and, consequently, avoiding prejudicial situations against Lidl, legitimacy checks (e.g. withdrawal and delivery of money), threat prevention and liability claims, prevention of legal risks and economic disadvantages, recognition and management of potentially harmful e-mails, physical or logical access controls, requests for clarifications regarding possible compliance-violations, the prevention of criminal acts, the regulation of damages resulting from the business relationship, efficient and fast digital management of the signing of the Contract, the corresponding protocol of the signature process for the purpose of checking the validity of the qualified electronic signature (digital signature) and other internal administrative purposes.
For the abovementioned purposes, your personal data may be transferred to the following categories of recipients located inside the European Union: (a) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, advertising; (b) companies of the Schwarz Group; (c) Lidl's potential buyers and entities resulting from the merger or any other transformation regarding Lidl; (d) subjects and authorities whose right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities.
Finally, it should be noted that, if the commercial partner has concluded a framework contract for the supply / provision of a good and / or service with Lidl or with the other companies of the Schwarz Group, the respective contact details of the commercial partner may be processed by the Procurement and Purchasing departments of Lidl or by other companies of the Schwarz Group in order to establish the necessary contacts.
The data obtained in the context of the checks conducted, even in the pre-contractual phase, on the commercial partners may also be processed by the Compliance departments of Lidl or other companies of the Schwarz Group in order to pursue Lidl's legitimate interest in protecting its economic activity and minimize the risks of non-compliance with the applicable regulations within the limits indicated above. Such data transmission occurs in the interest of the societies of the Schwarz Group, acting as joint data controllers pursuant to art. 26 of the GDPR, in order to ensure compliance in relations with its commercial partners. Outside the Schwarz Group, the data will be transmitted only if there are legal obligations that impose such transmission (e.g. communications to the authorities).
Personal data are kept only for as long as necessary. Necessity depends on legal obligations that must be satisfied. For example, in accordance with legal obligations, personal data deemed to be 'accounting records' must be kept for ten (10) years. The data controller is also entitled to retain personal data in some cases (as opposed to being obliged to do so), for example if the storage of personal data is necessary to defend against civil claims that may be brought against the data controller itself. Under these circumstances the data controller is allowed to keep the data for as long as that risk subsists (this is usually 5 years from the end of the contractual relationship with the business partner, where such relationship exists, and 2 years when no such contractual relationship exists). At the end of the retention period, personal data will be deleted, anonymized or aggregated.
Personal data will not be transferred to recipients located outside the European Union (EU) or European Economic Area (EEA). Should personal data be transferred to recipients outside the EU or EEA, such transfer takes place in compliance with the appropriate guarantees for the purposes of the transfer itself, such as the EU standard contractual clauses or in case of explicit consent pursuant to the applicable legislation and in particular to articles 45 and 46 of the GDPR.
According to art. 15 of the GDPR, the Data Subject has the right to receive, free of charge and upon request, the disclosure of information regarding the personal data being processed by the controller.
Furthermore, where the legal requirements are met, the Data Subject has the right to rectification of information (art. 16 GDPR), to erasure (art. 17 GDPR), to restriction of processing (art. 18 GDPR) and to the portability (art. 20 GDPR) of the personal data being processed by the Data Controller.
If the basis of processing is art. 6, paragraph 1, letter f) GDPR, you also have a right to object under Art. 21 GDPR. If you object to the processing, the Data Controller will no longer process your data, unless the Data Controller demonstrates that there are compelling legitimate grounds for the processing which override the legitimate interests of the Data Subject.
If, instead, the basis of processing is art. 6, paragraph 1, letter a) GDPR, the Data Subject has the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent before withdrawal.
Finally, the Data Subject has the right to lodge a complaint with the competent data protection supervisory authority (IDPC).
To exercise the aforementioned rights, the Data Subject can contact the data protection officer at the email address: email@example.com.