Data protection provisions of Lidl Shopping App

(Version 1.3; dated September 15, 2021)

Privacy policy

Thank you for your interest in the data protection on our Lidl App. When you use our App we want you to feel safe and comfortable and for you to see our implementation of data protection as a customer-oriented quality feature.

The following privacy policy will inform you of how and to what extent Lidl Malta Limited (hereinafter also ‘Lidl’), having registered office in Triq il-Karmnu, Luqa LQA 1311, Malta (as a Data Controller) processes your personal data. ‘Personal data’ refers to information that can be directly or indirectly attributable to or assigned to you (as a Data Subject).

The processing of personal data in this context is carried out in accordance with the Regulation (EU) 2016/679 (hereinafter ‘GDPR’) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any subsidiary legislation issued under the same as may be amended from time to time.

Table of contents

1. Overview
2. Downloading our App in the relevant App store
3. Usage of our App
4. Access to functions and sensors on your mobile device
5. Usage analysis and advertising
6. Other functions
7. Transfers of personal data to third countries
8. Your rights as data subject
9. Contact
10. Name and contact details of the controller responsible for the processing and contact details of the company's Data Protection Officer

1. Overview

When you use our App, Lidl shall carry out the following data processing activities:
•    The required information is transmitted to the relevant App store in downloading our App.
•    Our App requires access to different functions and sensors on your mobile device in order to enable you to have a variety of features, e.g. finding Lidl stores close to you.
•    When you use our App, various information is exchanged between your device and our server. This may also include personal data. Information collected in this way is used to:
•    facilitate your shopping in a Lidl store,
•    optimize our App and
•    display advertising in your device's browser or via push notifications.

2. Downloading our App in the relevant App store

Downloading our App automatically processes the following data, by the respective App store operator (Apple App Store or Google Play), in particular:
•    user name in the App store,
•    e-mail address stored in the App store,
•    customer number of your App store account,
•    time of the download,
•    individual device ID.
We have no influence on this data collection nor do we assume any responsibility for it. You can find further information on this data processing in the respective App store operator's privacy policy:
•    Google Play Store: https://policies.google.com/privacy 
•    Apple App Store: https://www.Apple.com/legal/privacy/en-vw

3. Usage of our App

Purposes of data processing and legal basis:
When you use our App, the following data is automatically transmitted to our App’s server and temporarily stored in log files without any action on your part:
•    the mobile device you start our App on,
•    the IP address of your mobile device,
•    the date and time of access,
•    the client request,
•    the http response code,
•    the amount of data transmitted,
•    the App version used.
This serves the following purposes:
•    allowing the use of our App
•    protection of our systems,
•    analysis of errors,
•    prevention of misuse or fraudulent behavior,
•    compliance with applicable legislation.

The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you through the features available on our App (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).
Recipients / Categories of recipients:
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.
Storage period / Criteria for determining the storage period:
The data described in this section will be stored for the period necessary to pursue the purposes set out in this policy and in any case cancelled after 14 days. After then the personal data are automatically deleted, except in the case where the storage for a longer period of time is necessary for any disputes, requests by the competent authorities or pursuant to the applicable legislation.

4. Access to functions and sensors on your mobile device

Location data

Purposes of data processing and legal basis:
If, within the scope of the use of our App or in the settings of your device you have consented to the so-called geolocation, we use this feature to offer you personalized services related to your current location (e.g. the location of the nearest store).
The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you through the features available on our App (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).
Recipients / Categories of recipients:
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.
Storage period / Criteria for determining the storage period:
The data described in this section will be stored as long as you use our App and in any case for the period necessary to pursue the purposes set out in this policy. After then the personal data are automatically deleted. When you finish using our App, the geolocalization data is also deleted, except in the case where the storage for a longer period of time is necessary for any disputes, requests by the competent authorities or pursuant to the applicable legislation.

Photos/ media/ files on your mobile device/USB stored content (reading, changes and deletion)

If you use our App to create a shopping list or a shopping cart, it will be stored directly on your mobile device or on a storage medium connected to it, regardless of where the App is installed and storage available.
Recipients / Categories of recipients:
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta Ltd. with reference to the activities of the sectors (by way of example), technological, accounting, administrative, legal, insurance, IT; (ii) service providers related to the sending of promotional communications, (iii) companies of the group to which Lidl Malta Ltd. belongs.
Storage period / Criteria for determining the storage period:
The data described in this section will be stored as long as you use our App and in any case for the period necessary to pursue the purposes set out in this policy. After then the personal data are automatically deleted, except in the case where the storage for a longer period of time is necessary for any disputes, requests by the competent authorities or pursuant to the applicable legislation.

5. Usage analysis and advertising

Purpose of data processing and legal basis:

If you have provided your consent, we create pseudonymised usage profiles for the following purposes:

  • improve our services as well as their functions,
  • improve our offer and the marketing of our products via (advertising) campaigns,
  • display of interest-based advertisements (e.g. via push messages and advertising banners on third-party services).

For this purpose the following categories of personal data are processed:

  • name of the mobile device from which you start our App,
  • Fingerprint of your device for recognition, consisting of
  • time of access,
  • country and language,
  • local settings,
  • operating system and version as well as App version,
  • browser type / version,
  • HTTP headers,
  • IP or MAC address in anonymous form,
  • mobile Session ID,
  • Apple IDFA or Google GAID (identification number of the iOS or Android operating systems for advertising purposes; can be reset or deactivated at any time via the operating system),
  • time of the server request,
  • installation and event data linked to our services, in particular:
  • which areas of the App / website you access and
  • what actions you take there.
  • App and event tokens,
  • Push notification tokens.

The legal basis for the processing activity described above is your consent in accordance with Article 6, paragraph 1, letter a) GDPR.

You can withdraw your consent for one or more purposes at any time under the section "Legal Notices / Tracking" of this App with effect for the future.

This App also uses the "Google Signals" function to add statistical reports created with Google products to a cross-device analysis of visitor flows. Google Signals is only used by users who are logged into a Google account during the sessions and have activated the "personalized advertising" function in the Google account. Through Google Signals, we do not receive any in-depth knowledge about specific individuals or ways to identify, in a unique manner, you or the device you are using. If you would like to deactivate this function, you can set this accordingly in your Google account. You can find more information about the customization options for Google advertising settings at https://support.google.com/ads/answer/2662856. You can find more information about Google Signals at https://support.google.com/analytics/answer/7532985?hl=en.

Recipients / Categories of recipients:

We use specialized service providers, in particular from the area of ​​online marketing, to process usage data. Our service providers which process your personal data as data processors, are carefully selected and contractually obliged in accordance with Article 28 GDPR. If necessary, your data will be transferred to other third parties if this is required by law.

In the context of the cooperation with Facebook, events collected by our Apps are transmitted to Facebook. The processing activity is carried out by Lidl and Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (Facebook), as joint data controllers according to Article 26 GDPR. The agreement on which the cooperation with Facebook is based can be found here. The usage data of our App are collected and compared with the data from Facebook in order to show you personalized advertising on the websites and in the Apps of Facebook and of business partners. Facebook also uses the data for its own advertising purposes as well as for third-party advertising purposes in accordance with the Facebook data policy. By clicking on the link above you will also find further information on how you can exercise your rights as a data subject towards Facebook with regard to the processing activity performed by Facebook itself.

As part of our cooperation with Google LLC, the data mentioned above are usually also processed on servers in the USA.

Storage period / Criteria for determining the storage period:

Your personal data will be processed anonymously, insofar as this is possible for the pursued purposes. After anonymization, it is no longer possible to identify you personally. Incidentally, the data mentioned above will not be stored for longer than 26 months, especially if you withdraw your consent.

6. Other functions

6.1 Websites you can access via the in-App browser

If you use another function via our App or select special offers, you are redirected via the in-App browser (iOS: Safari/ Android: Chrome) to the relevant subpages of our website www.lidl.com.mt  or to the partner websites linked to them. Our App offering and our online content accessible via the in-App browser may contain links to other websites.
If you access websites via the in-App browser (e.g. via links), your personal data is processed on these websites in derogation of these data protection provisions. This privacy policy is only valid for our App. We ask that you note the privacy policies on the linked websites. We accept no responsibility for external content made available via links and specially indicated nor do we endorse such content. The provider of the linked website bears sole liability for any illegal, erroneous or incomplete content as well as for damages resulting from the use or non-use of the information.

7. Transfers of personal data to third countries

The recipients / categories of recipients, including those located in a third country, outside the European Union (EU) or the European Economic Area (EEA), are indicated in correspondence with each type of processing activity described in this privacy policy. Some third countries are certified by the European Commission through the so-called adequacy decisions, when they guarantee a level of protection of personal data comparable to that within the EU and the EEA. The list of these third countries is available at the following link https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. If a comparable level of protection is not guaranteed in a third country, it will be our concern to verify that the level of protection of personal data is adequately guaranteed through other measures. These are for example binding corporate rules, standard data protection clauses adopted by the Commission, certificates or codes of conduct. For more information, please contact our Data Protection Officer.

8. Your rights as data subject

8.1 Overview

In addition to the right to revoke the consent you may have granted us, you also have the following rights provided the respective statutory requirements are met:
•    The right of access to information about your personal data in accordance with Art. 15 GDPR.
•    The right to rectification of inaccurate data or to have incomplete data completed in accordance with Art. 16 GDPR.
•    The right to erasure of your data stored with us in accordance with Art.17 GDPR.
•    The right to restriction of processing of your data in accordance with Art. 18 GDPR.
•    The right to data portability in accordance with Art. 20 GDPR.
•    The right to object in accordance with Art. 21 GDPR.

8.2 The right of access to information in accordance with Art. 15 GDPR

You have the right, pursuant to Art. 15 (1) GDPR, upon request us to confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:
•    the purposes for which the personal data are processed;
•    the categories of personal data which are processed;
•    the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
•    the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
•    the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
•    the right to lodge a complaint with a supervisory authority;
•    any available information about the source of the data, if the personal data are not collected from you (the data subject);
•    the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

8.3 The right to rectification in accordance with Art. 16 GDPR

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.

8.4 The right to erasure in accordance with Art. 17 GDPR

You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:
•    the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
•    you withdraw the consent on which the processing was based in accordance with Art. 6 (1) a) or Art. 9 (2) a) GDPR, and there is no other legal ground for the processing;
•    you object to the processing pursuant to Art. 21 (1) or (2) GDPR, and there are no overriding legitimate reasons for processing;
•    the personal data have been unlawfully processed;
•    the personal data have to be erased for compliance with a legal obligation;
•    the personal data has been collected in relation to the offer of information society services to children as referred to in Art. 8 (1) GDPR.
In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:
•    for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
•    for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.

Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.

8.5 The right to restriction of processing in accordance with Art. 18 GDPR

You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:

•    The accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
•    The processing is unlawful and you oppose the erasure of your personal data; or
•    We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
•    You exercised Your right to object and verification of our legitimate grounds to override your objection is pending.

Following your request for restriction, except for storing your personal data, we may only process your personal data:
•    Where we have Your consent; or
•    For the establishment, exercise or defence of legal claims; or
•    For the protection of the rights of another natural or legal person; or
•    For reasons of important public interest.

8.6 The right to data portability in accordance with Art. 20 GDPR

You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
•    The processing is based on your consent or on the performance of a contract with you; and
•    The processing is carried out by automated means.

8.7 Right to object in accordance with Art. 21 GDPR

Under the conditions set out in Art. 21 (1) GDPR, you have the right to object to data processing on grounds relating to your particular situation.
In those cases where we only process your personal data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.

When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.

For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.

In any case you also have the right to lodge complaints at any time with the competent data protection supervisory authority.

8.8 What we may require from you

As one of the security measures we implement, before being in the position to help you exercise your rights as described above we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.

8.9 Time limit for a response

We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.

9. Contact

9.1 Contacts for questions or to exercise your data protection rights

If you have any questions about our App or would like to exercise your rights with regard to the processing of your data (data protection rights), you can contact our Customer Services:
https://www.lidl.com.mt/en/Contact-Form.htm

9.2 Contacts for questions on data protection

If you have any further questions concerning the processing of your data, you can contact our data protection officer at the following email address privacymt@lidl.com.mt. Please do not use this e-mail address for issues that do not present privacy-relevant profiles (e.g. applications and customer service contact requests).

9.3 Right to lodge a complaint with the data protection supervisory authority

You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. You can contact the Office of the Information and Data Protection Commissioner, the data protection supervisory authority of Malta by email on: idpc.info@idpc.org.mt  or by telephone on (+356) 2328 7100.
We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).

10. Name and contact details of the controller responsible for the processing and contact details of the company's Data Protection Officer

This privacy policy applies to the data processing carried out on our App by Lidl Malta Limited, the Administration Office, Triq Il-Karmnu, Luqa, LQA1311 (“Data Controller”). The data protection officer for Lidl Malta Limited can be contacted using the above address.