Data privacy at www.lidl.com.mt

(Version 1.1; dated July 31, 2019)

 

Data Protection Provisions

Thank you for your interest in the data privacy on our website. When you visit our website and/or when you shop with us, we want you to feel safe and comfortable and for you to see our implementation of data protection as a customer-oriented quality feature.

 

The following data privacy policy will inform you of how and to what extent Lidl Malta Limited having registered office in Triq il-Karmnu, Luqa LQA 1311, Malta (as a Data Controller) processes your personal data. ‘Personal data’ refers to information that can be directly or indirectly attributable to or assigned to you (as a Data Subject).   

 

The processing of personal data in this context is carried out in accordance with the European General Data Protection Regulation (the GDPR) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any Subsidiary Legislation issued under the same as may be amended from time to time.

If you are one of our business partners, a specific data protection policy that may be directly applicable to you can be read here

Our full details, including contact details, can be read below.

Table of Contents

 

  1. Applicable Laws
  2. Overview
  3. Visiting our website
  4. Contact form/E-mail contact/Phone calls
  5. Social Listening
  6. Prize draws
  7. Newsletter dispatch
  8. Online presence and website optimization
  9. Recipients outside the EU
  10. Purchase in our Lidl branches
  11. Your rights as data subject
  12. Contact
  13. Name and contact details of the controller responsible for the processing and contact details of the company's Data Protection Officer 

 

1.Applicable Laws

 

 

As an entity established in Malta, EU, the main privacy laws that are applicable to Lidl Malta Limited in so far as you are concerned, are as follows: 

  • The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’.
  • The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ‘DPA’; 

 

2.Overview

When you visit the website of Lidl Malta Limited, various information is exchanged between your device and our server. This may also include personal data. Information collected in this way is used for reasons including optimizing our website and displaying advertising in your device's browser as well as to pursue the purposes set out in this policy .

 

3.Visiting our website

 

Purpose of data processing/Legal basis:

When you visit our website, the browser used on your device sends the following information automatically and without any action on your part to our website’s server:

 

  • the IP address of the requesting web-enabled device;
  • the date and time of access;
  • the name and URL of the viewed file;
  • the website/application from which access was made (referrer URL);
  • the browser you are using and, if applicable, the operating system of your Internet-enabled; computer and the name of your access provider;
  • in general your browsing data in accordance with the Cookie Policy available at the following link.

and stores it temporarily in log files for the following purposes:

  • to browse the website;
  • to ensure a smooth connection and that our website/application is easy to use;
  • to evaluate system security and stability;
  • to comply with legal obligations.

If you have consented in your browser or in the operating system or other setting in your device to geolocalization, we use this feature to offer you individualized services related to your current location (e.g. the location of the nearest store). We only process your location data in this way for this function.

The legal basis for processing the IP address is Art. 6 (1) f) GDPR. Our legitimate interest arises from the purposes of data processing listed above.

Recipients/Categories of recipients:

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta Ltd. with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl Malta Ltd. belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.

Storage period/ Criteria for determining the storage period:

The data described in this section will be stored as long as you browse the website  and in any case for the period necessary to pursue the purposes set out in this policy. After then the personal data are automatically deleted. When you finish using our website, the geolocalization data is also deleted.

 

4.Contact form/E-mail contact/Phone calls

Purpose of data processing/Legal basis:

Personal information that you provide to us when filling out contact forms, over the telephone or by e-mail is of course treated confidentially. For this purpose we may process, for example, your name, surname, e-mail address, mailing address, telephone number.

We use your data solely for the purpose of processing your inquiry, resolving complaints and disputes as well as for complying with applicable legal obligations. The legal basis for the data processing is Art. 6 (1) f) GDPR. Our and your concurrent (legitimate) interest in this data processing arises from the aim of responding to your inquiry or resolving any problems and thus maintaining and encouraging your satisfaction as a customer or user of our website.

Recipients/Categories of recipients:

For the abovementioned purposes, your personal data may be transferred to the following categories of recipients: (i) where necessary contracting parties (e.g. suppliers, where inquiries are product-specific) in order to process your inquiry (in these cases, your inquiry will be anonymized in advance to ensure that the third party cannot relate it to you. If sharing your personal data is necessary in an individual case, we will inform you of this and obtain your consent), (ii) third-party suppliers of assistance and advice for Lidl Malta Ltd. with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (iii) companies of the group to which Lidl Malta Ltd. belongs; (iiii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processor.

Storage period/ Criteria for determining the storage period:

All the personal data that you send us in inquiries (suggestions, praise or criticism) via this website or by e-mail will be stored as long as necessary to pursue the purposes set out in this policy and will be deleted, no later than 90 days after the final response is sent, or anonymized, excepting for the case in which storage for a further period is required for any claims, requests by the competent authorities or for compliance with a legal obligation. In our experience, we generally receive no further inquiries to our responses after 90 days. If you exercise your rights as a data subject pursuant to Section 10, your personal data will be stored for a period of 5 years from our response, as evidence of the completeness of the information provided to you and of compliance with legal requirements.

5.Social Listening

Purposes of data processing/ Legal bases:

Besides the information you provide to us directly on social networking sites, we continue to use the possibility of “Social Listening”, to gain insight into the perception of our products and services and to identify potential for improvement. Here, posts on online platforms (Xing, Facebook, etc.) are evaluated based on the search request (e.g. for a new product line). In doing so, only posts that you make available freely to an unrestricted public audience are examined.

The scope of the data collected is determined primarily by the type and content of the respective post; this might involve, for example, a post in text form or uploaded image data. In individual instances, the user ID may be relevant; if Lidl would like to offer help with any problems. In part, we also receive information about the scope of the posts concerned from the respective platform operators.

The legal basis for the processing of your personal data in the context of Social Listening is Article 6(1)(f) GDPR, as we have a legitimate interest in identifying freely accessible statements of any shortcomings in our products and services and being able to respond appropriately to these.

Recipients/ Categories of recipients:

Personal data, which is processed in the context of Social Listening, is not communicated to external third parties.

Storage period/ Criteria for determining the storage period:

The relevant data is not stored permanently by Lidl, but only analysed in a goal-oriented manner with a view to any potential countermeasures required.

 

6.Prize draws

Purpose of data processing/Legal basis:

You have the option of taking part in various Lidl prize draws on our website, through our newsletter or via the Lidl app. For this purpose we may process, for example, the following categories of personal data, your name, surname, email address, mailing address.

The personal data collected in the context of the prize draw will be indicated by Lidl Malta Ltd. when you sign up to the draw. Unless otherwise specified in special data protection principles for the prize draw in question or if you have not given us additional express consent, the personal data you provided to us when entering the prize draw will be processed exclusively to execute the prize draw (e.g. determination of the winner(s), notification of the winner(s), sending of the prize) and to comply with applicable law obligations. The legal basis for data processing in the context of prize draws is generally Art. 6 (1) b) GDPR. If a declaration of consent is provided as part of a prize draw, Art. 6 (1) a) GDPR is the legal basis for the data processing based on this consent. If you have declared your consent in the context of a prize draw, you can revoke this consent at any time with effect for the future. Further details are provided in these cases in the specific data protection policy of the relevant prize draw.

Recipients/Categories of recipients:

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta Ltd. with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl Malta Ltd. belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processor.

Storage period/ Criteria for determining the storage period:

Your personal data processed in the context of the prize draw will be stored as long as necessary to pursue the purposes set out in this policy. After the end of the prize draw and the identification of the winners, the personal data of entrants are deleted, except in case where the storage for a further period is required for any claims, requests from the competent authorities or for compliance with a legal obligation. In case of material prizes, the data of the winners are stored for the duration of the statutory warranty claims in order to arrange for rectification or replacement if there is any defect in the prize.

 

7.Newsletter dispatch

Purpose of data processing/Legal basis:

On our website, we offer you the option of signing up for our newsletter. If you have consented to receiving our newsletters, we use your e-mail address and in certain cases your name for sending information on products, promotions, prize draws and news, on store, photo and travel offerings as well as for customer satisfaction surveys. We store and process this data for purposes of sending the newsletter.

Newsletter content covers promotions (offers, discount promotions, prize draws, etc.) as well as the goods and services of Lidl Malta Limited.

The legal basis for data processing in the context of dispatching newsletters is your consent based on Art. 6 (1) a) GDPR.

We use the double opt-in procedure in order to ensure that no errors have occurred during entry of your e-mail address. We send you a confirmation link after you have entered your e-mail address in the sign-in field. Your e-mail address will not be added to our mailing list until you click on this confirmation link.

You can revoke your consent to receipt of the newsletter or creation of a personalized usage profile at any time with future effect, for instance, by unsubscribing to the newsletter on our website. You can find the link to the unsubscription page here or at the end of every newsletter. Revocation results in deletion of user data collected.

Recipients/Categories of recipients:

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta Ltd. with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) service supplier for sending the newsletter; (iii) companies of the group to which Lidl Malta Ltd. belongs. If external processors are commissioned for the dispatch of the newsletter, these are bound by contract pursuant to Art. 28 GDPR. We categorically rule out any further disclosure of the data to third parties.

Storage period/ Criteria for determining the storage period:

If you don’t confirm the signing up to our newsletter by the double opt-in procedure, your personal data will be erased after 7 days. If instead you subscribe to the newsletter, your personal data will be processed as long as necessary for the provision of the aforementioned service, without prejudice to such cases in which the storage for a further period is required in order to handle any disputes, requests from the competent authorities or for compliance with a legal obligation. If you instead revoke your consent to receiving the Lidl newsletter, your data are deleted from the relevant (e-mail) mailing list.

 

8.Online presence and website optimization

8.1 Cookies-General information

On our website use cookies in accordance with Art. 6 (1) f) GDPR.

For more information about the cookies installed (for example the storage period) and the possibility to object to such cookies, please consult our cookie policy.

 

9.Recipients outside the EU

With the exception of the processing set out in Section 7, we do not share your data with recipients established outside the European Union or the European Economic Area. The processing specified in Section 7 does not result in any transfer of data to the server of the service providers of tracking or targeting technologies engaged by us. Some of these servers are based in the USA (you can find details on this in the statements related to the specific recipients). The data is transferred in accordance with the principles of the privacy shield and on the basis of the standard contract clauses  of the European Commission. 

 

10.Purchase in our Lidl branches

10.1 Age check

When selling products with age restriction, such as alcohol (17 years) / sale of computer and console games, DVDs, videos with age restriction, a visual check of your personal data (usually an identity card) is carried out by our cashiers in compliance with our legal obligations (Article 6 (1) (c) GDPR).

10.2 Security cameras

Occasionally we process your data for the purpose of preventing and detecting criminal offenses (Article 6 (1) (f) GDPR), for the protection of our customers, employees and our property. The use of security cameras is indicated by a clearly visible pictogram in the branches. We store images for 7 days. For installation and maintenance, maintenance companies commissioned by us may have access to stored data.

10.3 Payment procedure

Every time you make a card payment, we process your personal data as contained on such card and in connection with that transaction for the sole purpose of managing the payment itself (Article 6, paragraph 1, letter b) GDPR). This concerns your card data (IBAN in the case of bank cards, card number, security code, card type as well as the expiration date of the card) and the data referred to the payment (amount, date, time, identification of the card reading device, this means place, company and store where you paid, PIN and, if necessary, your signature as well as your name and surname).

The card data and the data referred to the payment will be immediately transmitted, after the card is read from the card reading terminal (through the terminal manager) by the acquirer bank to your bank. Such data may also be transmitted, in the cases determined by the law, to the law enforcement authorities and to the Financial Intelligence Units.

We do not retain your card data unless this is necessary to ensure the payment transfer. For purposes concerning the document archiving, some data referred to the payment (type of card, date, time, number of the POS terminal, authorization code, place, company, branch, amount and if necessary your signature as well as your name and surname) will be processed according to the provisions of the law to fulfill our legal obligations (Article 6, paragraph 1, letter c) GDPR) and held by us for the duration of the statutory retention periods. However, a card payment is not possible without the data. You can alternatively pay at any time with cash.

 

11.Your rights as data subject

11.1 Overview

In addition to the right to revoke the consent you may have granted us, you also have the following rights provided the respective statutory requirements are met:

  • The right of access to information about your personal data in accordance with Art. 15 GDPR.
  • The right to rectification of inaccurate data or to have incomplete data completed in accordance with Art. 16 GDPR.
  • The right to erasure of your data stored with us in accordance with Art.17 GDPR.
  • The right to restriction of processing of your data in accordance with Art. 18 GDPR.
  • The right to data portability in accordance with Art. 20 GDPR.
  • The right to object in accordance with Art. 21 GDPR.

11.2 The right of access to information in accordance with Art. 15 GDPR

You have the right, pursuant to Art. 15 (1) GDPR, upon request us to confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:

  • the purposes for which the personal data are processed;
  • the categories of personal data which are processed;
  • the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
  • the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
  • the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • any available information about the source of the data, if the personal data are not collected from you (the data subject);
  • the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

11.3 The right to rectification in accordance with Art. 16 GDPR

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.

11.4 The right to erasure in accordance with Art. 17 GDPR

You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they was collected or otherwise processed;
  • you withdraw the consent on which the processing was based in accordance with Art. 6 (1) a) or Art. 9 (2) a) GDPR, and there is no other legal ground for the processing;
  • you object to the processing pursuant to Art. 21 (1) or (2) GDPR, and there are no overriding legitimate reasons for processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation;
  • the personal data has been collected in relation to the offer of information society services to children as referred to in Art. 8 (1) GDPR.

In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:

 

  • for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
  • for the establishment, exercise or defence of legal claims.

 

There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.

 

Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.

11.5 The right to restriction of processing in accordance with Art. 18 GDPR

You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:

 

  • The accuracy of your personal data is contested (see the right to data rectification in 10.3 above), for a period enabling us to verify the accuracy of the personal data; or
  • The processing is unlawful and you oppose the erasure of your personal data; or
  • We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
  • You exercised Your right to object and verification of our legitimate grounds to override your objection is pending.

 

Following your request for restriction, except for storing your personal data, we may only process your personal data:

 

  • Where we have Your consent; or
  • For the establishment, exercise or defence of legal claims; or
  • For the protection of the rights of another natural or legal person; or
  • For reasons of important public interest.

 

11.6 The right to data portability in accordance with Art. 20 GDPR

You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:

  • The processing is based on your consent or on the performance of a contract with you; and
  • The processing is carried out by automated means.

 

11.7 Right to object in accordance with Art. 21 GDPR

Under the conditions set out in Art. 21 (1) GDPR, you have the right to object to data processing on grounds relating to your particular situation.

In those cases where we only process your personal data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.

 

When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.

 

For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.

 

In any case you also have the right to lodge complaints at any time with the competent data protection supervisory authority (see 13.3 below).

 

11.8 WHAT WE MAY REQUIRE FROM YOU

 

As one of the security measures we implement, before being in the position to help you exercise your rights as described above we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.

 

11.9 TIME LIMIT FOR A RESPONSE

 

We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.

 

12.Contact

12.1 Contacts for questions or to exercise your data protection rights

If you have any questions about our website or the Lidl shop(s) or would like to exercise your rights with regard to the processing of your data (data protection rights), you can contact our Customer Services:

https://www.lidl.com.mt/en/Contact-Form.htm

12.2 Contacts for questions on data privacy

If you have any further questions concerning the processing of your data, you can contact our data protection officer at the following email address privacymt@lidl.com.mt

12.3 Right to lodge a complaint with the data protection supervisory authority

You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. You can contact the Office of the Information and Data Protection Commissioner, the data protection supervisory authority of Malta by email on: idpc.info@idpc.org.mt or by telephone on (+356) 2328 7100.

We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).

13.Name and contact details of the controller responsible for the processing and contact details of the company's Data Protection Officer

These Data Protection Provisions apply to data processing by Lidl Malta Limited, the Administration Office, Triq Il-Karmnu, Luqa, LQA1311  (“controller”) and to the website www.lidl.com.mt. The company data protection officer for Lidl Malta Limited can be contacted using the above address, for the attention of the Data Protection Officer, or using the e-mail address privacymt@lidl.com.mt