See below for information on how your data is used in accordance with Art. 13 of the General Data Protection Regulation (GDPR).
The processing of personal data in this context is carried out in accordance with the European General Data Protection Regulation (the GDPR) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any Subsidiary Legislation issued under the same as may be amended from time to time.
We, Lidl Malta Ltd. with registered office in Triq il-Karmnu, Luqa LQA 1311, Malta, which can be contacted at firstname.lastname@example.org, as data controller, operate the following social media pages:
- Facebook: https://www.facebook.com/lidlmalta
- YouTube: https://www.youtube.com/channel/UCNjDlXKz49VsQ8sBrLtXiLw
- Instagram: https://www.instagram.com/lidlmalta
Along with us, there is also the operator of the social media platform itself, which also acts as data controller; over the data processing carried out by the aforementioned controller we have however a limited control. In those areas where we can exercise influence and parameterize the processing of data, we work to ensure that the social platform operator processes data in accordance with the provisions on personal data protection. However, we are unable to influence the processing of data carried out by the social media platform operator and we are also unaware of exactly which data is processed by the controller himself.
Data processing carried out by us
The data you enter on our social pages, such as comments, videos, images, likes, public news, etc., are published by the social platform and are neither used by us nor processed for other purposes at any time. We only reserve the right to (i) delete content, if this becomes necessary, (ii) share your data on our page, if this is a function of the social platform, and (iii) communicate with you via this social media platform. In this context, the data are processed in the interests of our relations with the public and our communications.
In addition to the above, the processing of data for the purposes referred to in point (iii) is necessary with reference to the above mentioned purposes given its essential nature in order to provide the service requested by you in compliance with art. 6, paragraph 1, letter b) GDPR.
If you wish to object to the processing of certain data under our influence, please use the contact details provided in the legal notes. We will assess your objection.
If you submit a query on the social media platform, depending on the answer required we may refer you to other secure communication channels that guarantee confidentiality. You always have the option of sending confidential inquiries to the address provided in the legal notice.
As already stated, where the social media platform provider allows us, we endeavor to design our social media pages to be as compliant with data protection provisions as possible.
Data processing carried out by the social media platform operator
The operator of the social media platform uses web tracking methods. Web tracking may also be used regardless of whether you are registered with or have logged on to the social media platform. As previously stated, we are unfortunately unable to influence the social tracking systems used by social media platform. For instance, we cannot disable them.
Please be aware that we cannot rule out the social media site operator using your profile and behavior data to assess your habits, personal relationships, preferences, etc. In this respect, we have no influence on the processing of your data carried out by the social media platform operator.
- Facebook: https://www.facebook.com/privacy/explanation
- YouTube: https://policies.google.com/privacy
- Instagram: https://help.instagram.com/
Recipients/Categories of recipients
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta Ltd. with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl Malta Ltd. belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processor.
Recipients outside the EU
We do not share your data with recipients established outside the European Union or the European Economic Area. Should We transfer personal data to recipients outside the European Union (EU) or European Economic Area (EEA), this shall occur exclusively if the EU Commission has identified an appropriate level of data protection in the third country, an appropriate data protection level has been agreed with the recipient (for example through EU standard contractual clauses) or if you have given us your consent (and this, under with all appropriate safeguards in place). You are entitled to contact us (using the details below) to obtain a copy of the safeguards (such as the model EU standard contractual clauses) we have in place to ensure the security of any data transfers we may effect to third countries.
Your rights as user
The GDPR grants you certain rights as a website user when your personal data is processed:
1. Right of access (Art. 15 GDPR):
You have the right, pursuant to Art. 15 (1) GDPR, upon request us to confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:
- the purposes for which the personal data are processed;
- the categories of personal data which are processed;
- the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
- the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
- the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- any available information about the source of the data, if the personal data are not collected from you (the data subject);
- the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
2. Right to rectification and erasure (Arts. 16 and 17 GDPR):
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.
You also have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they was collected or otherwise processed;
- you withdraw the consent on which the processing was based in accordance with Art. 6 (1) a) or Art. 9 (2) a) GDPR, and there is no other legal ground for the processing;
- you object to the processing pursuant to Art. 21 (1) or (2) GDPR, and there are no overriding legitimate reasons for processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation;
- the personal data has been collected in relation to the offer of information society services to children as referred to in Art. 8 (1) GDPR.
In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:
- for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
- for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.
Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.
3. Right to restriction of processing (Art. 18 GDPR):
You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:
- The accuracy of your personal data is contested for a period enabling us to verify the accuracy of the personal data; or
- The processing is unlawful and you oppose the erasure of your personal data; or
- We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
- You exercised Your right to object and verification of our legitimate grounds to override your objection is pending.
Following your request for restriction, except for storing your personal data, we may only process your personal data:
- Where we have your consent; or
- For the establishment, exercise or defence of legal claims; or
- For the protection of the rights of another natural or legal person; or
- For reasons of important public interest.
4. Right to data portability (Art. 20 GDPR):
You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
- The processing is based on your consent or on the performance of a contract with you; and
- The processing is carried out by automated means.
5. Right to object (Art. 21 GDPR):
Under the conditions set out in Art. 21 (1) GDPR, you have the right to object to data processing on grounds relating to your particular situation.
In those cases where we only process your personal data when this is 1. necessary for the performance of a task carried out in the public interest or 2. when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.
When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.
For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.
What we may require from you
As one of the security measures we implement, before being in the position to help you exercise your rights as described above we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.
Time limit for a response
We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.
Right to lodge a complaint with a supervisory authority
You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. The right to lodge a complaint may be exercised in particular with a supervisory authority in the member state in which you reside or work, or in the location of the alleged infringement. We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).
Contact details of the Data Protection Officer
If you have any further questions concerning the processing of your data, you can contact our Data Protection Officer at the address provided in the legal notice or at the following email address email@example.com