DATA PROTECTION IS IMPORTANT FOR US
Thank you for visiting Our web site and/or asking for a paper copy of this policy.
The processing of personal data in this context is carried out in accordance with the European General Data Protection Regulation (the GDPR) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any Subsidiary Legislation issued under the same as may be amended from time to time.
HOW WE COLLECT YOUR PERSONAL DATA AND WHICH KIND OF DATA DO WE USE?
Generally, We collect your personal data from yourself and/or the entity you represent (usually Our business partner and/or affiliate) and We normally do this in order to fulfil Our contractual obligations with Our business partners and/or affiliate (henceforth, the ‘Partner) or any of the other legal grounds described below). In some cases, should the personal data We require from you not be forthcoming, it may be the case that We will not be able to adequately fulfil Our contractual obligations with Our Partners or do so in a timely manner.
However, it could also be necessary to process personal data about you which We obtain from other companies, authorities or third parties, like credit agencies, tax offices or similar. Such entities store personal data which We obtain through Our channels and generally use to report a possible compliance breach or in relation to compliance investigations.
Relevant personal data may be: basic personal data (e.g. name, surname, address or other contact details, date and place of birth as well as nationality), legitimacy and authentication data (e.g. commercial register extracts, identification data, specimen signature), data in the context of Our business relationship (e.g. payment data, order data, VAT number), validity data, company structure and propriety relationship, photo and video recording (e.g. for the delivery of the goods) as well as other data comparable to the mentioned categories.
You always have the choice whether you want to communicate with Us via e-mail or post. Due to technical reasons, communication by email may be unencrypted and We shall accept no responsibility or liability whatsoever for the security of your data while in transit through the Internet unless Our responsibility results explicitly from a law having effect in Malta.
PURPOSE OF THE PROCESSING AND LEGAL BASIS
For the performance of contractual obligations (Art. 6 par. 1 b) GDPR)
The purposes of the data processing resulting from the performance of pre-contractual measures, which precede a contractually regulated business relationship, and in the eventual fulfilment of the contract obligations between LIDL and Our Partner(s).
For compliance with a legal obligation (Art. 6 par. 1 c) GDPR)
The purposes of data processing in each case are determined also by certain legal obligations. These legal obligations include for example the fulfilment of storage and identification duties, for example within the framework of anti-money laundering prescriptions, tax control and reporting obligations as well as data processing in the context of requests from relevant authorities.
Purposes of legitimate interests (Art. 6 par. 1 f) GDPR)
It could also be necessary to process your personal data provided by you (or any entity you represent) beyond the actual performance of the contract. In this sense Our legitimate interests are, in particular, the selection of suitable business partners, the exercise of legal claims, the defence against liability claims, the physical and logistical access controls, the clarification of potential compliance-violations, the prevention of criminal acts and the regulation of damages resulting from the business relationship.
At the end of the contract in some cases We collect data on your credit rating via credit bureaus in order to perform the above-mentioned legitimate interests. We use the data of the credit bureaus to examine your credit rating (depending on your role and capacity). The credit bureaus store data which they obtain, for example, from banks or companies. These data include name, surname, data of birth, address, and payment information. You can obtain information on the personal data stored directly from the credit bureaus.
WHO RECEIVES THE PERSONAL DATA PROVIDED BY YOU?
Within Our company, access to your personal data is given only to those departments which need them to perform contractual or legal obligations or to fulfil legitimate interests (which interests have been explained above). Within the framework of contractual relationships, We also appoint data processors or providers who can obtain access to your personal data. In this case, compliance with data protection regulations is contractually ensured through data processing agreements We have in place with such data processors or providers (on the basis of Article 28 of the GDPR).
The data may also be transmitted to companies within the Schwarz Group for the performance of contractual obligations.
HOW LONG WILL THE DATA BE STORED?
We will keep your personal data only for as long as necessary. Necessity depends on legal obligations We may have. For example, if any personal data can be deemed as ‘accounting records’, We are legally obliged to keep those data for ten (10) years. We are also entitled to retain personal data in some cases (as opposed to being obliged to do so). For example, when We believe that the personal data are necessary for Us to defend Ourselves against civil claims that may be brought against Us, We are allowed to keep the data for as long as that risk subsists (this is usually 5 years from the end of Our contractual relationship with you, where such relationship exists, and of 2 years when no such contractual relationship exists).
ARE YOU OBLIGED TO PROVIDE YOUR PERSONAL DATA?
As part of Our business relationship with Our Partners (who you are in some way associated with) you must, in some cases, provide the personal data necessary for Us to establish, execute and/or terminate a business relationship and to perform all necessary obligations, which We are required to do by law or authorized to do due to in terms of Our legitimate interests. Without this data We will normally be unable to enter into and/or manage a business relationship with you and/or the entity you represent.
WILL YOUR DATA BE TRANSFERRED TO THIRD COUNTRIES?
Should We transfer personal data to recipients outside the European Union (EU) or European Economic Area (EEA), this shall occur exclusively if the EU Commission has identified an appropriate level of data protection in the third country, an appropriate data protection level has been agreed with the recipient (for example through EU standard contractual clauses) or if you have given Us your consent (and this, under with all appropriate safeguards in place). You are entitled to contact Us (using the details below) to obtain a copy of the safeguards (such as the model EU standard contractual clauses) We have in place to ensure the security of any data transfers We may effect to third countries.
WHAT ARE YOUR RIGHTS AS DATA SUBJECTS?
You, as a ‘data subject’ as understood under the GDPR, have a number of rights that are applicable under certain conditions and in certain circumstances, including Your:
- Right of access to your personal data processed by Us;
- Right to ask Us to rectify inaccurate personal data concerning you;
- Right to have Us erase your personal data (‘right to be forgotten’);
- Right to ask Us to restrict (that is, store but not further process) Your personal data;
- Right to ask Us to provide Your personal data to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller (‘right to data portability’)
- Right to object to Our processing your personal data; in this particular context only where We, as explained above, process your personal data on the basis of Our legitimate interests. For the avoidance of all doubt no right to object exists in connection with processing carried out on the basis of contractual necessity and Our legal obligations.
- Right to lodge a complaint with the relevant supervisory authority.
In those cases where the data processing is based on your consent, you would have the right to withdrawyour consent for any future processing at any point. In this case, please contact Our Data Protection Officer mentioned below in writing by post or email.
In addition, if you do not agree with the processing of your personal data, you can lodge a complaint with the appropriate Data Protection Supervisory Authority [in Malta, this is the Office of the Information and Data Protection Commissioner]. However, We would appreciate you contacting Us beforehand so that We may attempt to resolve the matter amicably.
DO YOU HAVE ANY FURTHER QUESTIONS?
Contact details of Our Data Protection Officer:
Address (depending on which company you or the entity you represent has contracted with):
- Lidl Malta Limited (C 36317), The Administration Office, Triq Il-Karmnu, Luqa, LQA1311, Malta
- Lidl Immobiliare Malta Limited (C 36321) The Administration Office, Triq Il-Karmnu, Luqa, LQA1311, Malta
- Lidl Logistica Malta Ltd (C79620), The Administration Office, Triq Il-Karmnu, Luqa, LQA1311, Malta