Data protection provisions of Lidl Shopping App

(Version 1.2; dated July 10, 2020)

Privacy policy

Thank you for your interest in data protection on our Lidl App. When you use our App, we want you to feel safe and comfortable, and we want you to see our implementation of data protection as a customer-oriented quality feature.

The following privacy policy will inform you of how and to what extent Lidl Malta Limited (hereinafter also ‘Lidl’), having registered office in Triq il-Karmnu, Luqa LQA 1311, Malta (as a Data Controller) processes your personal data. ‘Personal data’ refers to information that can be directly or indirectly attributable to or assigned to you (as a Data Subject).

The processing of personal data in this context is carried out in accordance with the Regulation (EU) 2016/679 (hereinafter ‘GDPR’) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any subsidiary legislation issued under the same as may be amended from time to time.

Table of contents

1. Overview
2. Downloading our App in the relevant App store
3. Usage of our App
4. Access to functions and sensors on your mobile device
5. Usage analysis and advertising
6. Other functions
7. Recipients outside the EU
8. Your rights as data subject
9. Contact
10. Name and contact details of the controller responsible for the processing and contact details of the company's Data Protection Officer

1. Overview

When you use our App, Lidl shall carry out the following data processing activities:
•    The required information is transmitted to the relevant App store in downloading our App.
•    Our App requires access to different functions and sensors on your mobile device in order to enable you to have a variety of features, e.g. finding Lidl stores close to you.
•    When you use our App, various information is exchanged between your device and our server. This may also include personal data. Information collected in this way is used to:
     •    facilitate your shopping in a Lidl store,
     •    optimize our App and
     •    display advertising in your device's browser or via push notifications.

2. Downloading our App in the relevant App store

When you download our App, the respective App store operator (Apple App Store or Google Play) automatically processes the following data in particular:
•    user name in the App store,
•    e-mail address stored in the App store,
•    customer number of your App store account,
•    time of the download,
•    individual device ID.
We have no influence on this data collection nor do we assume any responsibility for it. You can find further information on this data processing in the respective App store operator's privacy policy:
•    Google Play Store: https://policies.google.com/privacy 
•    Apple App Store: https://www.Apple.com/legal/privacy/en-vw

3. Usage of our App

Purposes of data processing and legal basis:
When you use our App, the following data is automatically transmitted to our App’s server and temporarily stored in log files without any action on your part:
•    the mobile device you start our App on,
•    the IP address of your mobile device,
•    the date and time of access,
•    the client request,
•    the http response code,
•    the amount of data transmitted,
•    the App version used.
This serves the following purposes:
•    allowing the use of our App,
•    protection of our systems,
•    analysis of errors,
•    prevention of misuse or fraudulent behavior,
•    compliance with applicable legislation.

The processing of the aforementioned personal data is necessary in order to provide the service requested by you through the features available on our App (article 6, paragraph 1, letter b), GDPR) and to fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c), GDPR).
Recipients / Categories of recipients:
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities whose right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.
Storage period / Criteria for determining the storage period:
The data described in this section will be stored for the period necessary to pursue the purposes set out in this policy and in any case cancelled after 14 days. After that, the personal data are automatically deleted, except where storage for a longer period of time is necessary for any disputes, requests by the competent authorities or pursuant to the applicable legislation.

4. Access to functions and sensors on your mobile device

Location data

Purposes of data processing and legal basis:
If, within the scope of the use of our App or in the settings of your device you have consented to the so-called geolocation, we use this feature to offer you personalized services related to your current location (e.g. the location of the nearest store).
The processing of the aforementioned personal data is necessary in order to provide the service requested by you through the features available on our App (article 6, paragraph 1, letter b), GDPR) and to fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c), GDPR).
Recipients / Categories of recipients:
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities whose right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.
Storage period / Criteria for determining the storage period:
The data described in this section will be stored as long as you use our App and in any case for the period necessary to pursue the purposes set out in this policy. After that, the personal data are automatically deleted. When you finish using our App, the geolocation data is also deleted, except where storage for a longer period of time is necessary for any disputes, requests by the competent authorities or pursuant to the applicable legislation.

Photos/ media/ files on your mobile device/USB stored content (reading, changes and deletion)

If you use our App to create a shopping list or a shopping cart, it will be stored directly on your mobile device or on a storage medium connected to it, regardless of where the App is installed and storage available.
Recipients / Categories of recipients:
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta Ltd. with reference to the activities of the sectors (by way of example), technological, accounting, administrative, legal, insurance, IT; (ii) service providers related to the sending of promotional communications, (iii) companies of the group to which Lidl Malta Ltd. belongs.
Storage period / Criteria for determining the storage period:
The data described in this section will be stored as long as you use our App and in any case for the period necessary to pursue the purposes set out in this policy. After that, the personal data are automatically deleted, except where storage for a longer period of time is necessary for any disputes, requests by the competent authorities or pursuant to the applicable legislation.

5. Usage analysis and advertising

Purposes of data processing and legal basis:
In order to improve the features of our App as well as our services and the marketing of them, we create pseudonymised usage profiles to determine usage behaviour, provided you give your consent. The legal basis for this is your consent in accordance with article 6, paragraph 1, letter a) GDPR. We use the following services for usage analysis and advertising:

Google Analytics

Subject to your consent, this App uses Google Analytics, a service of Google LLC (“Google”), to analyse usage behaviour. Google processes the following information:
•    the mobile device on which you start our App
•    browser type and version
•    operating system used
•    IP address
•    time of the server request.
The aforesaid information is used to:
•    evaluate the use of our App
•    compile reports about App activities
•    provide additional services associated with the use of the App and the internet for the purposes of market research and the design of these websites in accordance with requirements.
The IP addresses are anonymised so that no association is possible (“IP masking”).
You may withdraw your consent to the use of Google Analytics in the “Legal Notice/Tracking” menu item of this App at any time with effect for the future, without impacting the lawfulness of the previous processing of data.

Google Firebase

Subject to your consent, A/B Testing, Analytics, Cloud Messaging, Crashlytics, Dynamic Links, In-App Messaging, Performance, Predictions and Remote Config – analytic services from Google LLC ("Firebase"), used among other things to analyse usage of the app – are used within this app. When you install the app, Firebase records when and how long the app is used, which app sites are visited, which functions are clicked on and which contents are displayed. That allows us to understand how you interact with our app. Based on your user behaviour, we can also constantly improve the app and provide you with more relevant offers/services. In addition, we can carry out several app tests in parallel and develop other data-based apps.  

For this analysis, starting from when registration has been completed, Firebase accesses your customer number, information from Google Signals (if the Google advertising function is enabled in your Google account, Google can process certain information upon your consent. For more information, click here) or device information. Further information in connection with Firebase can be found in the privacy policy on the Google Firebase website.

You may withdraw your consent to the use of Google Firebase in the “Legal Notice/Tracking” menu item of this app at any time with effect for the future, without impacting the lawfulness of the previous processing of data.

 

Adjust

Subject to your consent, our App also uses the adjust analysis service, a product of adjust GmbH. When you install our App, adjust stores installation and event data (e.g. usage of the App). This allows us to understand how you interact with our App. It also allows us to analyse and improve our mobile advertising campaigns. For this analysis, adjust uses:
•    the IDFA (Identifier for Advertising on iOS devices) or the Android Advertising ID
•    the IP/MAC address
•    the HTTP header
•    a fingerprint of your device (additionally: time of access, country, language, local settings, operating system and version as well as the App version)
•    user device and web activity information
•    App and event token
Adjust transfers these data to our service providers Google LLC (“Google”) and Facebook, Inc (“Facebook”). If Google and Facebook can use this information to identify you, they will provide information to adjust about the advertising campaign that brought you to the App store and the way you acted there (especially whether you downloaded the App or, for example, discontinued it and similar information). Adjust uses this information to create anonymous statistics so that we can track the success of individual advertising campaigns.
You can reset or disable the IDFA and the Android Advertising ID at any time on your operating system.
If you no longer wish to be tracked by adjust, you can withdraw your consent at any time in the “Legal Notice/Tracking” menu item of this App with effect for the future, without impacting the lawfulness of the previous processing of data.

Push notification

If you have enabled the relevant feature in our App or in the operating system of your mobile device, we will send you push notifications (messages on your mobile device that are displayed on the lock screen, the home screen and when other Apps are running without opening our App) about current offers and promotions. A click/tap on the push message will open our App, if it is not yet open, and display the message there.
Should you no longer wish to receive push notifications from us, you can stop receiving our push notifications by disabling them
•    completely in the system settings for push notifications on your mobile device, or
•    in the “Push notifications” menu item in our Android App.

6. Other functions

6.1 Websites you can access via the in-App browser

If you use another function via our App or select special offers, you are redirected via the in-App browser (iOS: Safari / Android: Chrome) to the relevant subpages of our website www.lidl.com.mt or to the partner websites linked to them. Our App offering and our online content accessible via the in-App browser may contain links to other websites.
If you access websites via the in-App browser (e.g. via links), your personal data is processed on these websites in derogation of these data protection provisions. This privacy policy is only valid for our App. We ask that you note the privacy policies on the linked websites. We accept no responsibility for external content that is made available via links and specially indicated, nor do we endorse such content. The provider of the linked website bears sole liability for any illegal, erroneous or incomplete content as well as for damages resulting from the use or non-use of the information.

7. Recipients outside the EU

With the exception of the processing set out in Section 5, we do not share your data with recipients established outside the European Union or the European Economic Area. The processing specified in Section 5 may however result in a transfer of data to the servers of Google LLC, some of which are located in the United States. For the United States, with resolution of 12.07.2016, the European Commission has concluded that the provisions contained in the EU-U.S. Privacy Shield ensure an adequate level of data protection (so-called "adequacy decision" pursuant to art. 45 GDPR). The provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, is certified according to the EU-U.S. Privacy Shield.
In case of transmission of your data to recipients based outside the European Union or the European Economic Area, you have the right to obtain a copy of the security measures implemented or to know the place where they are made available, by forwarding such request to Lidl at the address indicated in this privacy policy.

8. Your rights as data subject

8.1 Overview

In addition to the right to revoke the consent you may have granted us, you also have the following rights provided the respective statutory requirements are met:
•    The right of access to information about your personal data in accordance with Art. 15 GDPR.
•    The right to rectification of inaccurate data or to have incomplete data completed in accordance with Art. 16 GDPR.
•    The right to erasure of your data stored with us in accordance with Art. 17 GDPR.
•    The right to restriction of processing of your data in accordance with Art. 18 GDPR.
•    The right to data portability in accordance with Art. 20 GDPR.
•    The right to object in accordance with Art. 21 GDPR.

8.2 The right of access to information in accordance with Art. 15 GDPR

You have the right, pursuant to Art. 15 (1) GDPR, to request that we confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:
•    the purposes for which the personal data are processed;
•    the categories of personal data which are processed;
•    the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
•    the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
•    the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
•    the right to lodge a complaint with a supervisory authority;
•    any available information about the source of the data, if the personal data are not collected from you (the data subject);
•    the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

8.3 The right to rectification in accordance with Art. 16 GDPR

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.

8.4 The right to erasure in accordance with Art. 17 GDPR

You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:
•    the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
•    you withdraw the consent on which the processing was based in accordance with Art. 6 (1) a) or Art. 9 (2) a) GDPR, and there is no other legal ground for the processing;
•    you object to the processing pursuant to Art. 21 (1) or (2) GDPR, and there are no overriding legitimate reasons for processing;
•    the personal data have been unlawfully processed;
•    the personal data have to be erased for compliance with a legal obligation;
•    the personal data has been collected in relation to the offer of information society services to children as referred to in Art. 8 (1) GDPR.
In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:
•    for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
•    for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.

Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.

8.5 The right to restriction of processing in accordance with Art. 18 GDPR

You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:

•    The accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
•    The processing is unlawful and you oppose the erasure of your personal data; or
•    We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
•    You exercised your right to object and verification of our legitimate grounds to override your objection is pending.

Following your request for restriction, except for storing your personal data, we may only process your personal data:
•    Where we have your consent; or
•    For the establishment, exercise or defence of legal claims; or
•    For the protection of the rights of another natural or legal person; or
•    For reasons of important public interest.

8.6 The right to data portability in accordance with Art. 20 GDPR

You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
•    The processing is based on your consent or on the performance of a contract with you; and
•    The processing is carried out by automated means.

8.7 Right to object in accordance with Art. 21 GDPR

Under the conditions set out in Art. 21 (1) GDPR, you have the right to object to data processing on grounds relating to your particular situation.
In those cases where we only process your personal data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.

When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.

For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.

In any case you also have the right to lodge complaints at any time with the competent data protection supervisory authority.

8.8 What we may require from you

As one of the security measures we implement, before being in the position to help you exercise your rights as described above we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.

8.9 Time limit for a response

We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.

9. Contact

9.1 Contacts for questions or to exercise your data protection rights

If you have any questions about our App or would like to exercise your rights with regard to the processing of your data (data protection rights), you can contact our Customer Services:
https://www.lidl.com.mt/en/Contact-Form.htm

9.2 Contacts for questions on data protection

If you have any further questions concerning the processing of your data, you can contact our data protection officer at the following email address: privacymt@lidl.com.mt. Please do not use this e-mail address for issues that do not involve privacy-relevant matters (e.g. applications and customer service contact requests).

9.3 Right to lodge a complaint with the data protection supervisory authority

You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. You can contact the Office of the Information and Data Protection Commissioner, the data protection supervisory authority of Malta, by email at idpc.info@idpc.org.mt or by telephone on (+356) 2328 7100.
We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).

10. Name and contact details of the controller responsible for the processing and contact details of the company's Data Protection Officer

This privacy policy applies to the data processing carried out on our App by Lidl Malta Limited, the Administration Office, Triq Il-Karmnu, Luqa, LQA1311 (“Data Controller”). The data protection officer for Lidl Malta Limited can be contacted using the above address.