Privacy policy - My Lidl Account

Registration for My Lidl Account

If you register with the target service without having previously registered with another target service and thus set up the My Lidl Account for the first time, we ask for at least your e-mail address and a password as part of the registration process. Depending on the target service, additional customer master data is also collected: First name, last name, date of birth, mobile phone number and preferred Lidl store. Optionally, salutation, gender, and address (street, house number, postal code, city and country) can be specified. You can find out which of the data we collect is specifically passed on to the respective target service in the Privacy policy of the relevant target service. When you register for a new target service with an existing My Lidl Account, we will only ask for the above-mentioned customer master data that you have not already provided and that is required for the use of this target service.

We also collect data such as: Your IP address, your mouse movements, the duration of your stay on the My Lidl Account registration website, online identifiers such as device ID, browser details, i.e. browser name and version, name and version of the operating system of the device on which the browser is installed and network-based location data of your device when logging in.

Furthermore, we also store and process certain data in so-called log files if you have visited the registration page. In particular, a log file provides information about the date and time of the registration/login attempt and whether it was successful, the e-mail address provided and the IP address.

Use of the About me function

If you voluntarily enter certain information about your circumstances and interests as well as the birth date of your child in the "About Me" section of the Portal, we will also store this data for your overview.

Linking with Lidl Liddle Club

If you have also registered with our Family Club, we store information on the benefits granted and display this in the Portal.

Payment history

In addition to the data mentioned above, we may also receive information from the target service you use about the payment methods stored there and the history of your purchases and orders. We display this data to you in the Portal. You can find out which target services transfer their payment history to the My Lidl Account in the Privacy policy of the respective target service.

Analysis of user behaviour / cookies

Lidl Stiftung & Co. KG, Stiftbergstraße 1, 74167 Neckarsulm, Germany, is the data controller in connection with the use of cookies and other similar technologies for processing usage data on the My Lidl Account website accounts.lidl.com and in the portal.

When cookies and similar technologies are used to process usage data (in particular local storage), files are stored locally on your end device (laptop, tablet, smartphone or similar) when you use our Services. These files do not cause any damage to your end device and do not contain any viruses, Trojans or other malware. Information is stored in them in connection with the end devices you use and the actions you take when using them. However, this does not mean that we gain direct knowledge of your identity. Cookies send different information, e.g. the IP address of your device, to a web server.

You can find an overview of the cookies used together with the respective processing purposes, the storage periods and any integrated third-party providers here.

Customer Service

When you contact Lidl Customer Service, they can access the information from your My Lidl Account to help you as efficiently as possible.

Purpose of registration, login and account management

In order to provide you with the greatest possible convenience in your user experience, we process your personal data in My Lidl Account, to enable you to avoid having to re-enter your personal data for the usage of the Service.

From now on, your My Lidl Account can rather be used for the use of all connected target services without the need for a separate, complete registration or a renewed entry of detailed user data in each case, as provided for and agreed in the terms of use.

The legal basis for data processing is thus Article 6, paragraph 1, letter b) GDPR, i.e. you provide us with the data on the basis of the contractual relationship between you and us.

This also applies to any additional personal data we receive from target services in connection with the use of your My Lidl Account.

Should you voluntarily store certain information about your circumstances and interests in the "About Me" area, we will also display this data for your overview in your My Lidl Account, as provided in the terms of use. Thus, the legal basis is also Article 6, paragraph 1, letter b) GDPR.

Purpose of securing your customer profile

In the context of registration and/or login, we use Google reCaptcha, a service provided by Google. Our legitimate interest here lies in the protection of your data and our systems. In this context, an analysis of various information is used to determine whether the data entry is made by a human or by an automated program. This analysis begins automatically as soon as you open the My Lidl Account registration website. For the analysis, Google reCaptcha evaluates various information (e.g. IP address, your time spent on the page or mouse movements made by the user). The information generated is transferred to a Google server in the USA and processed there. The collection and analysis do not enable us or Google to identify you. In particular, the information will not be merged by Google with personal data of you. For more information on Google reCaptcha, please visit https://policies.google.com/privacy?hl=en or https://policies.google.com/terms?hl=en. The legal basis for this is Article 6 Paragraph 1 lit f GDPR.

Purpose of the processing of your technical user data for abuse prevention

We use your IP address as well as the online identifiers described above, logfiles and your network-based location to prevent abuse and prevent and detect any security breaches and other prohibited or unlawful activities. For example, if you login from a new/unknown device, we may notify you of such a login attempt. The processing of this data is based on our legitimate interest in monitoring and improving the information security of our service (Article 6, paragraph 1, letter f) GDPR).

Purpose of the data overview and management in the Portal

SSO provides you with a cross-portal identity that is recognized and verified by the connected target services. In this way, your master data and information from the "About me" and "Lidl Liddle Club" functions mentioned in section 1 can also be viewed by you from the connected target services in the Portal and can be used for the respective target services within the scope of what is required for the respective purpose. The Portal also allows you to easily and centrally manage the data you have stored there and your My Lidl Account. For example, you can correct and partially delete your master data, change your password, and view some information about your purchases and orders made via the respective target services. Furthermore, the Portal offers you the possibility to use the stored data when using the respective target service. For example, during the checkout process in the Lidl Online Shop, you can automatically use your address stored in the Portal without having to enter it again.

Purpose of the processing of "About me" to determine your product interests and the optimization of our online offers

Should you voluntarily store certain information about your circumstances and interests in the "About Me" area, we will also display this data for your overview in your My Lidl Account.

If you have registered to use the Lidl Plus service, we will also use your information in "About me" for the purpose of personalized advertising targeting as part of the Lidl Plus service, as provided for in the usage agreement for the Lidl Plus service. Thus, the legal basis for this is Article 6, paragraph 1, letter b) GDPR, i.e. you provide us with the data on the basis of the contractual relationship with the use of Lidl Plus between you and us.

Purpose of processing customer requests

If you contact our customer service to process any problems with this area of the My Lidl Account, we will use your data stored there to process your respective request. The legal basis for this is Article 6, paragraph 1, letter b) GDPR, as the processing is necessary to provide you with the agreed Service, or to restore a contractual condition in accordance with the usage agreement.

If you contact Lidl customer service regarding concerns with target services, we will give your data stored in My Lidl Account to the respective target service so that they can process your concern as efficiently as possible. The legal basis for this is Article 6, paragraph 1, letter b) GDPR, i.e. we thereby fulfil our contract with you.

Use of cookies

The use of cookies and the other technologies for processing usage data serves the following purposes, depending on the category of the cookie or the other technology:

• Technically necessary: These are cookies and similar methods without which you cannot use our services (for example, to display our website correctly, including the font and colour/, to provide the functions you want and to take account of your settings, such as the choices you have made about cookies and similar technologies, to save your registration in the login area, etc.).
• Statistics: These techniques enable us to compile anonymous statistics of the use of our services. This enables us, for example, to determine how we can adapt our website even better to the habits of users.

The legal basis for the use of technically necessary cookies is Article 6, paragraph 1, letter b) GDPR. In addition, you have the option to voluntarily consent to the use of statistical cookies (and to withdraw this consent later). The legal basis for this is your consent pursuant to Article 6, paragraph 1, letter a) GDPR. You can find more detailed information in our Cookie Policy.

Transfer to operators of the target services

If you use your My Lidl Account to use a target service, we will pass on your data on to the operator of the respective target service for the purpose of processing purchase contracts or other services that have been ordered via the target services covered by My Lidl Account. The latter receives those data that are required for the provision of the service ordered, insofar as these have been stored by you in the Portal or displayed to the portal by another target service, i.e. depending on the offer:

• Verification of log-in data (e-mail address, password, telephone number if applicable).
• Master data (name, address, date of birth)
• Stored payment methods
• Information about your participation in the Family Club program
• Information stored in the "About Me" section about your circumstances and interests

We also pass on your customer master data to those companies of the group of companies whom you contacted in the context of customer service inquiries regarding target services connected to My Lidl Account.

If you use the Google Assistant as part of our target services, please note that Google obtains access to your customer ID to Google, so that a link between the target service and the Google Assistant can be established. The data processing activity carried out by Google (as far as we know, the recording and conversion of voice commands) is the sole responsibility of Google. For more information, please refer to Google's separate privacy policy ( https://policies.google.com/privacy?hl=en).

Transfer to service providers

In addition, we use service providers to process your data. The companies acting on our behalf are carefully selected and commissioned in writing. They are bound by our instructions and are inspected by us before the start of data processing and regularly thereafter. These companies never pursue their own purposes with your personal data. In this context, we forward your data to recipients who provide us with:

• storage capacity, database systems or similar,
• fraud prevention services,
• technical support and
• marketing advice.

We exclude any further transfer of your data to third parties.

Transfer to third countries

If we transfer personal data to recipients in third countries (countries outside the European Economic Area), you can infer this from the information on data processing by our service providers described in this Privacy policy. By adopting adequacy decisions, the European Commission has determined whether such a third country provides an adequate level of data protection. The exact list of countries with an adequacy decision can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. If an adequate level of protection has not been determined by the European Commission for a third country, we will ensure that the adequate level of data protection is provided through other measures, such as: binding internal data protection rules, standard contractual clauses, certification mechanisms or recognized codes of conduct. Please contact our Data Protection Officer (see above) if you would like more information.

To ensure the confidentiality of your personal data, our employees involved in data processing are prohibited from collecting, processing or using personal data without authorization. Our carefully selected employees, who are sensitive to data protection law, are contractually obligated to maintain data secrecy at the beginning of their employment. This obligation continues after termination of the employment relationship.

We generally store your data for as long as you are a registered user of the My Lidl Account.

If you have only registered with the target service via My Lidl Account, your data will be deleted accordingly as soon as you request the deletion of your account with the target service. Please note, however, that if you have registered with several target services via My Lidl Account, your My Lidl Account and all personal data stored by us will only be deleted once all target services linked to the My Lidl Account have been deleted. The retention periods described in the Privacy policy of the target service apply accordingly.

The processing and storage of data is the responsibility of the respective operator of the service used, who uses the data required to provide the service ordered for this purpose and then archives it in accordance with the statutory retention periods (the retention periods described in the Privacy policy of the target service apply accordingly).

Of course, upon request, we will provide you with the information pursuant to Article 15 GDPR (in particular, the data stored about you, the recipient or categories of recipients to whom data are disclosed, the purpose of storage, etc.). We will provide this information free of charge. In addition, you have the right, under the respective legal conditions, to have incorrect data corrected as well as to have your personal data deleted, restricted from processing and transferred. Furthermore, you have a right to lodge a complaint with the competent supervisory authority.

In cases where the data processing is based on Article 6, paragraph 1, letter f) GDPR or is carried out for the purpose of direct marketing, you have the right to object to the processing.

Insofar as the processing is based on your consent, you have the right to withdraw this at any time with effect for the future.

If you provide this data yourself, you are not obliged to provide the above voluntary information. Without this data, however, we are not able to fully provide you with the My Lidl account service and to fully provide you with the target services based on it. Only optional data fields are marked as such in the My Lidl Account.

An amendment of this Privacy policy may be necessary due to changes in the legal situation or the circumstances of the data processing of the My Lidl Account. If the circumstances or the scope of the processing of your personal data change, we will inform you of this and, if necessary, ask for your consent.