The browser is not supported
To display the website correctly, please use one of the following browsers.WarningPlease update your browser, if you proceed with this browser, your shopping experience might not be successful!

Data protection provisions of Lidl Shopping App

(Version 1.3; dated October 17, 2021)

Privacy policy

Thank you for your interest in the data protection on our Lidl App. When you use our App we want you to feel safe and comfortable and for you to see our implementation of data protection as a customer-oriented quality feature.


The following privacy policy will inform you of how and to what extent Lidl Malta Limited (hereinafter also ‘Lidl’), having registered office in Triq il-Karmnu, Luqa LQA 1311, Malta (as a Data Controller) processes your personal data. ‘Personal data’ refers to information that can be directly or indirectly attributable to or assigned to you (as a Data Subject).


The processing of personal data in this context is carried out in accordance with the Regulation (EU) 2016/679 (hereinafter ‘GDPR’) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any subsidiary legislation issued under the same as may be amended from time to time.

When you use our App, Lidl shall carry out the following data processing activities:

  • The required information is transmitted to the relevant App store in downloading our App.
  • Our App requires access to different functions and sensors on your mobile device in order to enable you to have a variety of features, e.g. finding Lidl stores close to you.

When you use our App, various information is exchanged between your device and our server. This may also include personal data. Information collected in this way is used to:

  • facilitate your shopping in a Lidl store,
  • optimize our App and
  • display advertising in your device's browser or via push notifications.

Downloading our App automatically processes the following data, by the respective App store operator (Apple App Store or Google Play), in particular:

  • user name in the App store,
  • e-mail address stored in the App store,
  • customer number of your App store account,
  • time of the download,
  • individual device ID.

We have no influence on this data collection nor do we assume any responsibility for it. You can find further information on this data processing in the respective App store operator's privacy policy:

Purposes of data processing and legal basis:


When you use our App, the following data is automatically transmitted to our App’s server and temporarily stored in log files without any action on your part:

  • the mobile device you start our App on,
  • the IP address of your mobile device,
  • the date and time of access,
  • the client request,
  • the http response code,
  • the amount of data transmitted,
  • the App version used.


This serves the following purposes:

  • allowing the use of our App
  • protection of our systems,
  • analysis of errors,
  • prevention of misuse or fraudulent behavior,
  • compliance with applicable legislation.


The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you through the features available on our App (article 6, paragraph 1, letter b) GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).


Recipients / Categories of recipients:


For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.


Storage period / Criteria for determining the storage period:


The data described in this section will be stored for the period necessary to pursue the purposes set out in this policy and in any case cancelled after 14 days. After then the personal data are automatically deleted, except in the case where the storage for a longer period of time is necessary for any disputes, requests by the competent authorities or pursuant to the applicable legislation.

Location data


Purposes of data processing and legal basis:


If, within the scope of the use of our App or in the settings of your device you have consented to the so-called geolocation, we use this feature to offer you personalized services related to your current location (e.g. the location of the nearest store).

The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you through the features available on our App (article 6, paragraph 1, letter b) GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).


Recipients / Categories of recipients:


For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.


Storage period / Criteria for determining the storage period:


The data described in this section will be stored as long as you use our App and in any case for the period necessary to pursue the purposes set out in this policy. After then the personal data are automatically deleted. When you finish using our App, the geolocalization data is also deleted, except in the case where the storage for a longer period of time is necessary for any disputes, requests by the competent authorities or pursuant to the applicable legislation.


Photos/ media/ files on your mobile device/USB stored content (reading, changes and deletion)


If you use our App to create a shopping list or a shopping cart, it will be stored directly on your mobile device or on a storage medium connected to it, regardless of where the App is installed and storage available.


Recipients / Categories of recipients:


For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta Ltd. with reference to the activities of the sectors (by way of example), technological, accounting, administrative, legal, insurance, IT; (ii) service providers related to the sending of promotional communications, (iii) companies of the group to which Lidl Malta Ltd. belongs.


Storage period / Criteria for determining the storage period:


The data described in this section will be stored as long as you use our App and in any case for the period necessary to pursue the purposes set out in this policy. After then the personal data are automatically deleted, except in the case where the storage for a longer period of time is necessary for any disputes, requests by the competent authorities or pursuant to the applicable legislation.

6.1 Websites you can access via the in-App browser


If you use another function via our App or select special offers, you are redirected via the in-App browser (iOS: Safari/ Android: Chrome) to the relevant subpages of our website www.lidl.com.mt or to the partner websites linked to them. Our App offering and our online content accessible via the in-App browser may contain links to other websites.

If you access websites via the in-App browser (e.g. via links), your personal data is processed on these websites in derogation of these data protection provisions. This privacy policy is only valid for our App. We ask that you note the privacy policies on the linked websites. We accept no responsibility for external content made available via links and specially indicated nor do we endorse such content. The provider of the linked website bears sole liability for any illegal, erroneous or incomplete content as well as for damages resulting from the use or non-use of the information.

The recipients / categories of recipients, including those located in a third country, outside the European Union (EU) or the European Economic Area (EEA), are indicated in correspondence with each type of processing activity described in this privacy policy. Some third countries are certified by the European Commission through the so-called adequacy decisions, when they guarantee a level of protection of personal data comparable to that within the EU and the EEA. The list of these third countries is available at the following link https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. If a comparable level of protection is not guaranteed in a third country, it will be our concern to verify that the level of protection of personal data is adequately guaranteed through other measures. These are for example binding corporate rules, standard data protection clauses adopted by the Commission, certificates or codes of conduct. For more information, please contact our Data Protection Officer.

8.1 Overview


In addition to the right to revoke the consent you may have granted us, you also have the following rights provided the respective statutory requirements are met:

  • The right of access to information about your personal data in accordance with Art. 15 GDPR.
  • The right to rectification of inaccurate data or to have incomplete data completed in accordance with Art. 16 GDPR.
  • The right to erasure of your data stored with us in accordance with Art.17 GDPR.
  • The right to restriction of processing of your data in accordance with Art. 18 GDPR.
  • The right to data portability in accordance with Art. 20 GDPR.
  • The right to object in accordance with Art. 21 GDPR.


8.2 The right of access to information in accordance with Art. 15 GDPR


You have the right, pursuant to Art. 15 (1) GDPR, upon request us to confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:

  • the purposes for which the personal data are processed;
  • the categories of personal data which are processed;
  • the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
  • the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
  • the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • any available information about the source of the data, if the personal data are not collected from you (the data subject);
  • the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.


8.3 The right to rectification in accordance with Art. 16 GDPR


You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.


8.4 The right to erasure in accordance with Art. 17 GDPR


You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you withdraw the consent on which the processing was based in accordance with Art. 6 (1) a) or Art. 9 (2) a) GDPR, and there is no other legal ground for the processing;
  • you object to the processing pursuant to Art. 21 (1) or (2) GDPR, and there are no overriding legitimate reasons for processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation;
  • the personal data has been collected in relation to the offer of information society services to children as referred to in Art. 8 (1) GDPR.

In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:

  • for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
  • for the establishment, exercise or defence of legal claims.

There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.


Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.


8.5 The right to restriction of processing in accordance with Art. 18 GDPR


You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:

  • The accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
  • The processing is unlawful and you oppose the erasure of your personal data; or
  • We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
  • You exercised Your right to object and verification of our legitimate grounds to override your objection is pending.


Following your request for restriction, except for storing your personal data, we may only process your personal data:

  • Where we have Your consent; or
  • For the establishment, exercise or defence of legal claims; or
  • For the protection of the rights of another natural or legal person; or
  • For reasons of important public interest.


8.6 The right to data portability in accordance with Art. 20 GDPR


You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:

  • The processing is based on your consent or on the performance of a contract with you; and
  • The processing is carried out by automated means.


8.7 Right to object in accordance with Art. 21 GDPR


Under the conditions set out in Art. 21 (1) GDPR, you have the right to object to data processing on grounds relating to your particular situation.

In those cases where we only process your personal data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.


When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.


For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.


In any case you also have the right to lodge complaints at any time with the competent data protection supervisory authority.


8.8 What we may require from you


As one of the security measures we implement, before being in the position to help you exercise your rights as described above we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.


8.9 Time limit for a response


We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.

9.1 Contacts for questions or to exercise your data protection rights


If you have any questions about our App or would like to exercise your rights with regard to the processing of your data (data protection rights), you can contact our Customer Services, simply clicking here.


9.2 Contacts for questions on data protection


If you have any further questions concerning the processing of your data, you can contact our data protection officer at the following email address privacymt@lidl.com.mt. Please do not use this e-mail address for issues that do not present privacy-relevant profiles (e.g. applications and customer service contact requests).


9.3 Right to lodge a complaint with the data protection supervisory authority


You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. You can contact the Office of the Information and Data Protection Commissioner, the data protection supervisory authority of Malta by email on: idpc.info@idpc.org.mt or by telephone on (+356) 2328 7100.

We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).

This privacy policy applies to the data processing carried out on our App by Lidl Malta Limited, the Administration Office, Triq Il-Karmnu, Luqa, LQA1311 (“Data Controller”). The data protection officer for Lidl Malta Limited can be contacted using the above address.