The browser is not supported
To display the website correctly, please use one of the following browsers.WarningPlease update your browser, if you proceed with this browser, your shopping experience might not be successful!

Customer Privacy Policy

Data protection on www.lidl.com.mt

(Version 9.2; dated March 29, 2023)

Privacy policy

Thank you for your interest in the data protection on our website www.lidl.com.mt . When you visit our website we want you to feel safe and comfortable and for you to see our implementation of data protection as a customer-oriented quality feature.


The following privacy policy will inform you of how and to what extent Lidl Malta Limited (hereinafter also ‘Lidl’), having registered office in Vassallo Business Park, Burmarrad Road, Naxxar NXR 6345, Malta (as a Data Controller) processes your personal data. ‘Personal data’ refers to information that can be directly or indirectly attributable to or assigned to you (as a Data Subject).


The processing of personal data in this context is carried out in accordance with the Regulation (EU) 2016/679 (hereinafter ‘GDPR’) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any subsidiary legislation issued under the same as may be amended from time to time.


If you are one of our business partners, a specific data protection policy that may be directly applicable to you can be read here.


Our full details, including contact details, can be read below.

As an entity established in Malta (EU) the main privacy laws that are applicable to Lidl Malta Limited in so far as you are concerned, are as follows:

  • The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’.
  • The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ‘DPA’;

When you visit the website of Lidl, various information is exchanged between your device and our server. This may also include personal data. Information collected in this way is used for reasons including optimizing our website and displaying advertising in your device's browser as well as to pursue the purposes set out in this privacy policy.

Purpose of data processing and legal basis:


When you visit our website, the browser used on your device sends the following information automatically and without any action on your part to our website’s server:

  • the IP address of the requesting web-enabled device;
  • the date and time of access;
  • the name and URL of the viewed file;
  • the website/application from which access is made (referrer URL);
  • the browser you are using and, if applicable, the operating system of your Internet-enabled; computer and the name of your access provider;
  • in general your browsing data in accordance with the Cookie Policy available at section 8 of this privacy policy.


and stores it temporarily in log files for the following purposes:

  • to browse the website;
  • to ensure a smooth connection and that our website is easy to use;
  • to evaluate system security and stability;
  • to comply with legal obligations.


If you have consented in your browser or in the operating system or other setting in your device to geolocalization, we use this feature to offer you individualized services related to your current location (e.g. the location of the nearest store). We only process your location data in this way for this function.


The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you through the features available on our website (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).


Recipients/Categories of recipients:


For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.


Storage period / Criteria for determining the storage period:


The data is stored for a seven day period, except in case where the storage for a further period is required for any claims, requests from the competent authorities or for compliance with a legal obligation. However, your browsing data may be further stored in accordance with the cookie policy available in paragraph 8 of this privacy policy. Geolocation data is deleted once you have finished browsing our site.

Purpose of data processing and legal basis:


Personal information that you provide to us when filling out contact forms, by e-mail over the telephone or the social media is of course treated confidentially. For this purpose we may process, for example, your name, surname, e-mail address, mailing address, telephone number.


We use your data solely for the purpose of processing your inquiry, resolving complaints and disputes as well as for complying with applicable legal obligations.


The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you through the contact forms, by e-mail, over the telephone or the social media (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).


Should it be necessary to transmit your personal data to the business partner who will handle the technical assistance relating to non-food and / or textile products, this transmission will only take place exclusively upon your express consent (article 6, paragraph 1, letter a) GDPR) .


You can withdraw your consent for future processing at any point, without impacting the lawfulness of the processing based on the consent until the moment of withdraw. To this end, please send a specific request to withdraw the consent provided to the email address info@lidl.com.mt, indicating the number of the application.

If you participate in one of our customer surveys, you do so on a purely voluntary basis.


No information from these anonymous surveys is stored which will enable a connection to the participants to be established. We only store the date and time of your participation. Any personal information which you provide when answering to our survey questions is considered to be given voluntarily and in accordance with the provisions of the GDPR. Please do not insert any names or similar information into free text fields which could allow a connection to you or other persons to be established.


Should you request to be contacted by our Customer Service and therefore provide your personal data such as name, surname, e-mail address or telephone number, these data will be processed for the exclusive purpose of fulfilling your request. For this specific data processing, art. 6, paragraph 1, letter b) GDPR is the legal basis. For more information in this regard, please read the specific privacy policy for the said customer survey.


Recipients / Categories of recipients:


For the abovementioned purposes, your personal data may be transferred to the following categories of recipients: (i) upon your express consent, to business partners who will provide technical assistance for non-food and / or textile products in order to process your request; (ii) where necessary contracting parties (e.g. suppliers, where inquiries are product-specific) in order to process your inquiry (in these cases, your inquiry will be anonymized in advance to ensure that the third party cannot relate it to you. If sharing your personal data is necessary in an individual case, we will inform you of this and obtain your consent), (iii) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (iv) companies of the group to which Lidl belongs; (v) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processor.


As far as surveys are concerned, these are usually used for internal evaluations only. Any personal information that may be provided during the survey will not be passed on to third parties, except in the event of a request for any litigation, requests from the competent authorities or pursuant to applicable law.


Storage period / Criteria for determining the storage period:


All the personal data that you provide us in inquiries (suggestions, praise or criticism) via this website or by e-mail will be stored as long as necessary to pursue the purposes set out in this policy and will be deleted, no later than 90 days after the final response is sent, or anonymized, except for the case in which storage for a further period is required for any claims, requests by the competent authorities or for compliance with a legal obligation. In our experience, we generally receive no further inquiries to our responses after 90 days.


If you exercise your rights as a data subject, your personal data will be stored for a period of 5 years from our response, as evidence of the completeness of the information provided to you and of compliance with legal requirements.


The retention period of the personal data that you may provide in the context of customer surveys is indicated in advance by means of the specific privacy policy for the said survey. However, data may be stored for a further period if required for any claims, requests from the competent authorities or for compliance with a legal obligation.

Purpose of data processing and legal basis:


In addition to the information we have directly shared with you through social networks, we also use the option of ‘social listening’ in order to get an idea of perceptions of our products and services and to identify any potential for improvement. Contributions made public by you on online platforms (Facebook, Instagram, etc.) are reviewed and evaluated according to a search request (for example in relation to a new product line). Only contributions that have been made publicly available will be viewed here.


The extent of the data processed is primarily determined by the nature and content of the said contribution such as e.g. a posting in text form or an uploaded image file. In single cases, the respective user ID may also be processed if Lidl would like to offer help with any problems.


The legal basis for the processing of personal data in the context of social listening is our legitimate interest in being able to identify any deficiencies in our products and services and to react to them in an appropriate manner (article 6, paragraph 1, letter f) GDPR). Lidl's legitimate interest is equally balanced with your legitimate interest, as the said data processing is limited to what is strictly necessary for the aforementioned purpose namely, to analyze the content made publicly accessible by the data subject.


Recipients / Categories of recipients:


For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: marketing, technological, accounting, administrative, legal, insurance, IT. Our third-party suppliers may process the personal data also on servers based in Canada; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.


Storage period / Criteria for determining the storage period:


Personal data are not stored as Lidl only analyzes them in order to recognize any shortcomings in our products or services and identify potential for improvement.

Purpose of data processing / Legal basis:


You have the option of taking part in various Lidl prize draws through our website, our newsletter or via the Lidl app. The personal data collected in the context of the prize draw will be indicated by Lidl when you sign up to the draw. Unless otherwise specified in special data protection principles for the prize draw in question or if you have not given us additional express consent, the personal data you provided to us when entering the prize draw will be processed exclusively to execute the prize draw (e.g. determination of the winner(s), notification of the winner(s), sending of the prize) and to comply with applicable law obligations.


The processing of the aforementioned personal data is necessary as essential in order to consent your partecipation in the prize draw (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).


Further details are provided in the specific privacy policy for the prize draw.


Recipients / Categories of recipients:


For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processor.


Storage period / Criteria for determining the storage period:


Your personal data processed in the context of the prize draw will be stored as long as necessary to pursue the purposes set out in this policy. After the end of the prize draw and the identification of the winners, the personal data of participants are deleted, except in case where the storage for a further period is required for any claims, requests from the competent authorities or for compliance with a legal obligation. In case of material prizes, the data of the winners are stored for the duration of the statutory warranty claims in order to arrange for rectification or replacement if there is any defect in the prize.

Purpose of data processing and legal basis:


On our websites / apps and/or websites / apps belonging to our business partners or through dedicated event communications on our social media frames, you have the opportunity to subscribe to the Lidl newsletter. If you subscribe to our newsletter, we use your e-mail address and, in certain cases, your name to send you information about products, promotions, prize draws and news from our shops, the Lidl Plus App as well as to conduct customer satisfaction surveys. We collect and process your data for the sole purpose of sending you our newsletter.


Newsletter content includes promotional offers (deals, discounts, prize draws, etc.) as well as products and services of Lidl Malta Ltd. (www.lidl.com.mt) and Lidl Stiftung & Co. KG ( www.lidlplus.com.mt).


If you have requested our newsletter service, the processing of your personal data as set out above is necessary as it is essential to provide you with commercial communications relating to products and services offered by Lidl and the business partner identified above. The legal basis for the processing shall therefore be your express consent provided under Article 6, paragraph 1, letter a) GDPR.


In order to ensure that your e-mail address is entered correctly, we apply the so-called double opt-in procedure: once you have entered your e-mail address in the registration field, we will send you a confirmation link, by clicking on which you confirm the request to register your e-mail address in our system.


You may decide to withdraw your consent by unsubscribing from the newsletter section on our website at any time. This shall not affect the lawfulness of processing based on consent before its withdrawal. You may find the link to unsubscribe here or at the end of each newsletter.


Recipients / Categories of recipients:


For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, marketing and advertising networks; (ii) service supplier for sending the newsletter; (iii) companies of the group to which Lidl Malta Ltd. belongs. If external processors are commissioned for the dispatch of the newsletter, these are bound by contract pursuant to article 28 GDPR.


Storage period / Criteria for determining the storage period:


If you don’t confirm the signing up to our newsletter by the double opt-in procedure, your personal data will be erased after 7 days. If instead you decide to unsubscribe to the newsletter, your personal data will be deleted from the systems within 6 months, without prejudice to such cases in which the storage for a further period is required in order to handle any disputes, requests from the competent authorities or for compliance with a legal obligation.

Data Controller, purpose of data processing and legal basis:


Lidl Malta Ltd., with registered office in Vassallo Business Park, Burmarrad Road, Naxxar NXR 6345, Malta, is the controller for data processing activities in the context of the use of cookies and other similar technologies for processing usage data on all (sub-) domains under www.lidl.com.mt.


Cookies are small text files that are placed on your device (laptop, tablet, smartphone or similar) when you visit our websites. Cookies do not cause any damage to your device, do not contain viruses, trojans or other types of malware. In the cookie, information is stored which is related to the specific device you use. This does not mean though, that we are directly informed about your identity. The other similar technologies for processing usage data are in particular the pixel tracker, the local storage, the session storage and the cache storage.

The use of cookies and other technologies serves the following purposes, depending on the category of the cookie or other technology:

  • Technically necessary: These are cookies and similar technologies, without which you cannot use our services (e.g. to display our website/functions you have requested correctly).
  • Convenience: These technologies allow us to take into account your actual or assumed preferences for the convenient use of our websites. For example, your preferences allow us to display our web pages in a language that is appropriate for you. It also helps us to avoid showing you offers that may not be available in your area.
  • Statistics: These technologies enable us to compile anonymous statistics on the use of our services in order to tailor them to your needs. This enables us to determine, for instance, how we can adapt our websites even better to the habits of the users.
  • Marketing: These technologies enable us to display advertising content that is suitable for you, based on the analysis of your pattern of use. In this context, your pattern of use can also be tracked via different websites, browsers or terminal devices using a User ID (unique identifier).


You can find an overview of the cookies and other similar technologies used, including the respective processing purpose, the storage period and any third-party provider involved, here.

Within the scope of the use of cookies and similar technologies, depending on the purpose, the following categories of personal data are processed:


Technically necessary:

  • User entries to remember the input over several sub-pages (e.g. to select your preferred store in the section “store finder”);
  • Security-relevant incidents (e.g. detection of multiple failed login attempts);
  • Data to play multimedia content (e.g. playback of (product) videos selected by the user).


Convenience:

  • User interface customization settings that are not linked to a permanent identifier (e.g. the active language selection or the specific display of search queries or maps in the section “store finder”).


Statistics:

  • Pseudonymized User profiles with information about the use of our websites. These include in particular:
  • browser-typ/ -version,
  • the operating system used,
  • referrer URL (the previously visited website),
  • host name of the accessing computer (IP address),
  • time of the server request,
  • individual user ID and
  • triggered events on the website (browsing patterns).
  • The IP address is anonymized, so that it cannot be traced back to your person.
  • We only combine the user ID with other data from you (e.g. name, email address, etc.) with your express consent (see e.g. section 7 of this privacy policy). Based solely on the user ID itself, we cannot draw any conclusions about your person.


Marketing:

  • Pseudonymized user profiles with information about the use of our website. These include in particular:
  • IP address,
  • individual user ID,
  • potential product interest and
  • triggered events on the website (browsing patterns).
  • The IP address is anonymized, so that it cannot be traced back to your person.
  • We only combine the user ID with other data from you (e.g. name, email address, etc.) with your express consent (see e.g. section 7 of this privacy policy). Based solely on the user ID itself, we cannot draw any conclusions about your person. Where appropriate, we share the user ID and the associated usage profiles with third parties via providers of advertising networks.


The legal basis for the use of convenience, statistical and marketing cookies and of similar technologies is your consent in accordance with article 6, paragraph 1, letter a) GDPR. The legal basis for the use of technically necessary cookies and similar technologies is article 6, paragraph 1, letter b) GDPR, i.e. we process your data to provide our services in the course of initiation or performance of the contract.


You can withdraw / adjust your consent for future processing at any point, without impacting the lawfulness of the processing based on the consent until the moment of withdraw. Simply click here and make your selection.


Cookies can also be blocked at a general level. However, this block would have an impact on the use of the website and the services offered therein. All the latest browsers allow you to change the settings on cookies that are usually found in the menu of your browser under 'options' or 'preferences'. To understand how to set them up, you can consult the following links:


For information on how to manage cookies through other browsers, it is useful to consult the online help files. If this information is not sufficient, we advise you to consult the "Help" section of the browser for more details.


Additionally, our site includes third party content. These third parties may use, with prior consent (where necessary), their own cookies as part of the content integrated on our site. Although these cookies are included in the overview of the cookies and other technologies used, we have no access to these cookies and we are in no way (joint) data controllers. For more information see paragraph 10 of this privacy policy.


Recipients / Categories of recipients:


Within the scope of data processing by means of cookies and similar technologies, we use specialised service providers, especially from the sector of online marketing. These service providers process your data on our behalf as processors, are in each case carefully selected and contractually obliged in accordance with article 28 GDPR, except for those third parties identified under paragraph 10 of this privacy policy.


In the context of our collaboration with Google LLC, your personal data may be also processed on servers located in the USA for statistical and marketing purposes.


Storage period / Criteria to determine the storage period:


You can find the storage period for cookies and other similar technologies in our list of cookies. If "persistent" is stated in the "expiration" column, the cookie or other similar technology is stored permanently until the corresponding consent is revoked.

The recipients / categories of recipients, including those located in a third country, outside the European Union (EU) or the European Economic Area (EEA), are indicated in correspondence with each type of processing activity described in this privacy policy. Some third countries are certified by the European Commission through the so-called adequacy decisions, when they guarantee a level of protection of personal data comparable to that within the EU and the EEA. The list of these third countries is available at the following link. If a comparable level of protection is not guaranteed in a third country, it will be our concern to verify that the level of protection of personal data is adequately guaranteed through other measures. These are for example binding corporate rules, standard data protection clauses adopted by the Commission, certificates or codes of conduct. For more information, please contact our Data Protection Officer.

10.1 YouTube videos


YouTube videos, which are saved on www.YouTube.com, are made available and can be viewed directly from our website. These are included in the "advanced privacy mode", which means that your personal data is not stored by YouTube.


Further information about the purposes and methods of the processing of personal data carried out through YouTube , also on server located in the USA, can be found in the provider's privacy policy. It also contains information relating to your rights and system settings to protect your privacy. YouTube address and privacy policy: Google LLC, 1600 Amphitheater Parkway. Mountain View, CA 94043, USA; https://policies.google.com/privacy?fg=1.


10.2 Bing Maps


On our website we use the services offered by Bing Maps. In this way you can view and use the interactive maps directly from our website to find, for example, the Lidl stores closer to you.


As part of browsing our website, the Bing Maps provider, i.e. the Microsoft Corporation, receives the information if you access the relevant page on our website. To use the Bing Maps functions, it is necessary to process your IP address. As a rule, this is processed on a Microsoft server in the USA. We have no possibility to influence the processing carried out through Bing Maps.


The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you through the features available on our website (article 6, paragraph 1, letter b), GDPR) and fulfill the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).


Further information about the purposes and methods of the personal data processing carried out by Bing Maps can be found in the provider's privacy policy. It also contains information relating to your rights and system settings to protect your privacy. Address and privacy policy of the Bing Maps service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA, https://privacy.microsoft.com/en-us/privacystatement.


10.3 Google reCaptcha


We use the Google reCaptcha service provided by Google LLC ("Google") in order to protect your personal data and ensure the security of data transfers, particularly in the context of prize competitions. The processing of data is thus carried out on the basis of article 6, paragraph 1, letter f) GDPR, as we have a legitimate interest in protecting your personal data and guaranteeing the security of the aforementioned transfers. Through Google reCaptcha it is possible to verify whether data entry is performed by a person or by an automated program. This information is transmitted and processed on Google's servers in the US. The collection and analysis of this data does not allow us or Google to identify the person. More specifically, Google does not combine such information with other personal data.


Further information relating to Google reCaptcha is available at https://policies.google.com/privacy?hl=it or https://policies.google.com/terms?hl=it.

11.1 Age check


When selling products with age restriction, such as alcohol (17 years) / sale of computer and console games, DVDs, videos with age restriction, a visual check of your personal data (usually an identity card) is carried out by our cashiers in compliance with our legal obligations (article 6, paragraph 1, letter c) GDPR).


11.2 Security cameras


Occasionally we process your data for the purpose of preventing and detecting criminal offenses (article 6, paragraph 1, letter f) GDPR), for the protection of our customers, employees and our property. The use of security cameras is indicated by a clearly visible pictogram in the branches. We store images for 7 days. For installation and maintenance, maintenance companies commissioned by us may have access to stored data.


11.3 Payment procedure


Every time you make a card payment, we process your personal data as contained on such card and in connection with that transaction for the sole purpose of managing the payment itself (article 6, paragraph 1, letter b) GDPR). This concerns your card data (IBAN in the case of bank cards, card number, security code, card type as well as the expiration date of the card) and the data referred to the payment (amount, date, time, identification of the card reading device, this means place, company and store where you paid, PIN and, if necessary, your signature as well as your name and surname).


The card data and the data referred to the payment will be immediately transmitted, after the card is read from the card reading terminal (through the terminal manager) by the acquirer bank to your bank. Such data may also be transmitted, in the cases determined by the law, to the law enforcement authorities and to the Financial Intelligence Units.


We do not retain your card data unless this is necessary to ensure the payment transfer. For purposes concerning the document archiving, some data referred to the payment (type of card, date, time, number of the POS terminal, authorization code, place, company, branch, amount and if necessary your signature as well as your name and surname) will be processed according to the provisions of the law to fulfill our legal obligations (article 6, paragraph 1, letter c) GDPR) and held by us for the duration of the statutory retention periods. However, a card payment is not possible without the data. You can alternatively pay at any time with cash.

12.1 Overview


In addition to the right to withdraw the consent you may have granted us, you also have the following rights provided the respective statutory requirements are met:

  • The right of access to information about your personal data in accordance with article 15 GDPR.
  • The right to rectification of inaccurate data or to have incomplete data completed in accordance with article 16 GDPR.
  • The right to erasure of your data stored with us in accordance with article 17 GDPR.
  • The right to restriction of processing of your data in accordance with article 18 GDPR.
  • The right to data portability in accordance with article 20 GDPR.
  • The right to object in accordance with article 21 GDPR.


12.2 The right of access to information in accordance with article 15 GDPR


You have the right, pursuant to article 15, paragraph 1 GDPR, upon request us to confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:

  • the purposes for which the personal data are processed;
  • the categories of personal data which are processed;
  • the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
  • the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
  • the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • any available information about the source of the data, if the personal data are not collected from you (the data subject);
  • the existence of automated decision-making, including profiling, in accordance with article 22, paragraph 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.


Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to article 46 GDPR relating to the transfer.


12.3 The right to rectification in accordance with article 16 GDPR


You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.


12.4 The right to erasure in accordance with article 17 GDPR


You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you withdraw the consent on which the processing was based in accordance with article 6 paragraph 1, letter a) or article 9 paragraph 2, letter a) GDPR, and there is no other legal ground for the processing;
  • you object to the processing pursuant to article 21, paragraph 1 or 2 GDPR, and there are no overriding legitimate reasons for processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation;
  • the personal data has been collected in relation to the offer of information society services to children as referred to in article 8, paragraph 1 GDPR.


In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:

  • for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
  • for the establishment, exercise or defence of legal claims.


There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.


Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.


12.5 The right to restriction of processing in accordance with article 18 GDPR


You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:

  • The accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
  • The processing is unlawful, and you oppose the erasure of your personal data; or
  • We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
  • You exercised Your right to object and verification of our legitimate grounds to override your objection is pending.


Following your request for restriction, except for storing your personal data, we may only process your personal data:

  • Where we have your consent; or
  • For the establishment, exercise or defence of legal claims; or
  • For the protection of the rights of another natural or legal person; or
  • For reasons of important public interest.


12.6 The right to data portability in accordance with Article 20 GDPR


You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:

  • The processing is based on your consent or on the performance of a contract with you; and
  • The processing is carried out by automated means.


12.7 Right to object in accordance with article 21 GDPR


Under the conditions set out in article 21, paragraph 1 GDPR, you have the right to object to data processing on grounds relating to your particular situation.


In those cases where we only process your personal data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.


When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.


For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.


In any case you also have the right to lodge complaints at any time with the competent data protection supervisory authority (see below).


12.8 What we may require from you


As one of the security measures we implement, before being in the position to help you exercise your rights as described above, we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.


12.9 Time limit for a response


We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.

13.1 Contacts for questions or to exercise your data protection rights


If you have any questions about our website or the Lidl shop(s) or would like to exercise your rights with regard to the processing of your data (data protection rights), you can contact our Customer Services, simply clicking here.


13.2 Contacts for questions on data protection


If you have any further questions concerning the processing of your data, you can contact our data protection officer at the following email address privacymt@lidl.com.mt. Please do not use this e-mail address for issues that do not present privacy-relevant profiles (e.g. applications and customer service contact requests).


13.3 Right to lodge a complaint with the data protection supervisory authority


You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. You can contact the Office of the Information and Data Protection Commissioner, the data protection supervisory authority of Malta by email on: idpc.info@idpc.org.mt or by telephone on (+356) 2328 7100.


We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).

This privacy policy applies to the data processing carried out on the website www.lidl.com.mt by Vassallo Business Park, Burmarrad Road, Naxxar NXR 6345, Malta (“Data Controller”). The data protection officer for Lidl Malta Limited can be contacted using the above address.