According to articles 13 and 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation’ or ‘GDPR’) and the Maltese Data Protection Act (Chapter 586 of the Laws of Malta), collectively referred to as the “Data Protection Laws”, in relation to the management of the whistleblowing system, we hereby inform you that any information and personal data voluntarily provided through or requested by the whistleblowing system (the “Personal Data”) will be processed by Lidl Malta Ltd located in Triq il-Karmnu, Luqa LQA 1311 (Malta) as the Controller of the Personal Data (the “Data Controller”, “We”, “Us”, “Ourselves” and/or “Our”) in line with the said Data Protection Laws.
1. Purpose of data processing
1.1 The Personal Data processed within the whistleblowing system will be limited to the Personal Data which are strictly and objectively necessary to verify the legitimacy of the allegations made, including your name, surname, mailing address, telephone or mobile number and/or email address. Reports can also be made anonymously, provided they are adequately documented.
1.2 The processing of Personal Data of the whistleblower, the reported person and any other third parties involved (“Data Subject” or jointly “Data Subjects”) will occur for one or several of the following purposes:
1.2.1 as may be strictly and objectively necessary for the application and the management of the scheme and of the whistleblowing system mentioned above, including the assessment of the facts reported as well as the production of reports regarding the functioning and the results of the scheme itself;
1.2.2 in the event that the whistleblowing system is used to place questions and queries regarding the company’s compliance, in order to provide a response to the requests made by the Data Subject;
1.2.3 in order to meet a legal obligation imposed by law, by regulations or by community and/or national rules;
1.2.4 in order to enforce or defend the rights of the Data Controller before judicial courts, for no longer than is necessary for the purpose of safeguarding such rights;
1.2.5 in order to pursue a legitimate interest of the Data Controller in terms of article 6(1)(f) of the GDPR, in ensuring compliance with applicable laws throughout all of the Data Controller’s operations and facilitating the provision of information by Data Subjects to the Data Controller regarding a suspected breach of such compliance.
2. Manner of data processing
2.1 The Personal Data will be processed both manually and with the aid of electronic or automated means, using logic which is strictly related to the purposes mentioned above and, in any event, suitable to guarantee the highest security and confidentiality in compliance with the provisions of the Data Protection Laws. We do not rely on any decisions taken solely by automated means (in other words, without significant human intervention), including any profiling. Should this position change in the future (and only as We may be legally permitted to do), you will be notified accordingly.
2.2 With reference to the purposes referred to in paragraph 1.2 above, the provision of the Personal Data of the whistleblower is not statutorily or contractually mandatory, considering that it is also possible to submit a whistleblowing report and/or questions and queries relating to the compliance field in an anonymous manner.
2.3 In the event of identified reports (i.e. those reports which are not submitted anonymously) the Personal Data and, in particular, the identity of the whistleblower will remain strictly confidential and will not be disclosed to third parties other than those indicated under the following paragraph 3, unless such identity needs to be disclosed – in compliance with the principle of proportionality and in order to meet a legal obligation – to the relevant people and/or authorities involved in any further investigation and/or subsequent judicial proceedings conducted as a result of the assessments carried out.
2.5 The whistleblowing reports as well as the information and the Personal Data included or inserted therein will be processed by the “Chief Compliance Officer” and/or the “Data Protection Officer”, both of whom have been nominated for this purpose by the Data Controller as persons specifically and internally appointed pursuant to articles 37 to 39 of the GDPR.
2.6 The Personal Data will be processed for the period of time strictly and objectively necessary for the achievement of the scope and the purposes identified in paragraph 1 above. Moreover, We generally determine whether there are any laws and/or contractual provisions that may be invoked against Us by you and/or third parties and if so, what the prescriptive periods for such actions are (this is usually five (5) years in those cases where Our contractual relationship with you (if applicable) terminates or two (2) years in those cases where no such contractual relationship exists). In this case, We will keep any relevant Personal Data that We may need to defend Ourselves against any claim(s), challenge(s) or other such action(s) by you and/or third parties for such time as is necessary. Where your Personal Data are no longer required by Us, We will either securely delete or anonymise the Personal Data in question.
3. Communication of Personal Data
3.2 In any case the Data Controller shall provide the Data Processors and the persons specifically appointed with appropriate operating instructions, with particular reference to the implementation of adequate security measures in order to guarantee the confidentiality and the security of the Personal Data.
3.3 The Personal Data will be retained on the server/database of the Data Controller located within the territory of the European Union.
4. Transfers To Third Countries
4.1 As a general rule, the Personal Data We process about you (including that collected via the Business Keeper Management System, any of our Apps or otherwise) will be stored and processed within the European Union (EU)/European Economic Area (EEA) or any other non-EEA country deemed by the European Commission to offer an adequate level of protection (the so-called ‘white-listed’ countries).
4.2 In some cases, it may be necessary for Us to transfer your Personal Data to a non-EEA country not considered by the European Commission to offer an adequate level of protection (for instance, to one or more of Our Data Processors located there). For example for purposes of investigating a potential breach of compliance, it can be necessary that We disclose your Personal Data to public authorities outside the EEA.
4.3 In such cases, apart from all appropriate safeguards that We implement, in any case, to protect your Personal Data, We have put in place additional adequate measures. For example, We have ensured that the recipient is bound by the EU Standard Contractual Clauses (the EU Model Clauses) designed to protect your Personal Data as though it were an intra-EEA transfer. You are entitled to obtain a copy of these measures by contacting Us as explained below.
5. Security Measures
5.1 The whistleblowing system will be implemented in such a way as to avoid unauthorised access, while the persons appointed to receive, analyse and process the whistleblowing reports will be nominated as Data Processors or persons specifically appointed according to article 28 of the GDPR, and will guarantee the complete confidentiality of the Personal Data provided in compliance with the most appropriate security measures implemented by the Data Controller for such purpose.
5.2 The personal information which We may hold (and/or transfer to any affiliates/partners/public authorities as the case may be) will be held securely in accordance with Our internal security policy and the law.
5.3 We use reasonable efforts to safeguard the confidentiality of any and/or all Personal Data that we may process relating to you and regularly review and enhance Our technical, physical and managerial procedures so as to ensure that your Personal Data is protected from:
- unauthorised access
- improper use or disclosure
- unauthorised modification
- unlawful destruction or accidental loss.
5.4 To this end We have implemented security policies, rules and technical and organisational measures to protect the Personal Data that We may have under Our control. All Our members, staff and data processors, who may have access to and are associated with the processing of Personal Data, are further obliged (under contract) to respect the confidentiality of Our Data Subjects’ Personal Data as well as other obligations as imposed by the Data Protection Laws.
5.5 Despite all the above, We cannot guarantee that a data transmission or a storage system can ever be 100% secure. For more information about Our security measures please contact Us in the manner described below. You will be aware that data sent via the Internet may be transmitted across international borders even where sender and receiver of information are located in the same country. We cannot be held responsible for anything done or omitted to be done by you or any third party in connection with any Personal Data prior to Our receiving it including but not limited to any transfers of Personal Data from you to Us via a country having a lower level of data protection than that in place in the European Union, and this, by any technological means whatsoever (for example, WhatsApp, Skype, Dropbox etc.).
Moreover, We shall accept no responsibility or liability whatsoever for the security of your data while in transit through the Internet unless Our responsibility results explicitly from a law having effect in Malta.
As stated above, the said service providers (Our data processors) are also bound by a number of other obligations in line with the Data Protection Laws (particularly, Article 28 of the GDPR).
6. Rights of the Data Subject according to articles 15 to 21 of the GDPR
6.1 You, as a Data Subject as understood under the Data Protection Laws, have a number of rights that are applicable under certain conditions and in certain circumstances, including your:
- Right of access to your Personal Data processed by Us;
- Right to ask Us to rectify inaccurate Personal Data concerning you;
- Right to have Us erase your Personal Data (‘right to be forgotten’);
- Right to ask Us to restrict (that is, store but not further process) your Personal Data;
- Right to ask Us to provide your Personal Data to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it ‘ported’ directly to another data controller (‘right to data portability’);
- Right to object to Our processing of your Personal Data on the grounds of Our legitimate interest;
- Right to lodge a complaint with the Maltese Information and Data Protection Commissioner (‘IDPC’).
6.2 Notwithstanding the above, the person against whom the accusations have been made may not have access to the whistleblower’s identity, in accordance with paragraph 2.3 above, but only to the content of the whistleblowing report. Moreover, where there is a concrete risk that the disclosure of any information falling under paragraph 6.1 would jeopardise the assessments that are being carried out, notification to the Data Subject may be delayed for as long as such risk exists.
The company Data Protection Officer for Lidl Malta Limited can be contacted using the above address, for the attention of the Data Protection Officer, or using the e-mail address: email@example.com