Data protection on www.lidl.com.mt

(Version 1.2; dated March 11, 2020)

Privacy policy

Thank you for your interest in the data protection on our website www.lidl.com.mt. When you visit our website we want you to feel safe and comfortable and for you to see our implementation of data protection as a customer-oriented quality feature.

The following privacy policy will inform you of how and to what extent Lidl Malta Limited (hereinafter also ‘Lidl’), having registered office in Triq il-Karmnu, Luqa LQA 1311, Malta (as a Data Controller) processes your personal data. ‘Personal data’ refers to information that can be directly or indirectly attributable to or assigned to you (as a Data Subject).

The processing of personal data in this context is carried out in accordance with the Regulation (EU) 2016/679 (hereinafter ‘GDPR’) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any subsidiary legislation issued under the same as may be amended from time to time.

If you are one of our business partners, a specific data protection policy that may be directly applicable to you can be read here

Our full details, including contact details, can be read below.

Table of Contents

1. Applicable laws
2. Overview
3. Visiting our website
4. Contact form / e-mail contact / phone calls
5. Social Listening
6. Prize draws
7. Newsletter
8. Use of cookies and similar technologies
9. Recipients outside the EU
10. Third party content on our website
11. Bing Maps
12. Purchase in our Lidl branches
13. Your rights as data subject
14. Contact
15. Name and contact details of the controller responsible for the processing and contact details of the company's Data Protection Officer

1. Applicable laws

As an entity established in Malta (EU) the main privacy laws that are applicable to Lidl Malta Limited in so far as you are concerned, are as follows:
•    The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’.
•    The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ‘DPA’.

2. Overview

When you visit the website of Lidl, various information is exchanged between your device and our server. This may also include personal data. Information collected in this way is used for reasons including optimizing our website and displaying advertising in your device's browser as well as to pursue the purposes set out in this privacy policy.

3. Visiting our website

Purpose of data processing and legal basis:

When you visit our website, the browser used on your device sends the following information automatically and without any action on your part to our website’s server:

•    the IP address of the requesting web-enabled device;
•    the date and time of access;
•    the name and URL of the viewed file;
•    the website/application from which access is made (referrer URL);
•    the browser you are using and, if applicable, the operating system of your Internet-enabled computer and the name of your access provider;
•    in general your browsing data in accordance with the Cookie Policy available at section 8 of this privacy policy.

and stores it temporarily in log files for the following purposes:

•    to browse the website;
•    to ensure a smooth connection and that our website is easy to use;
•    to evaluate system security and stability;
•    to comply with legal obligations.

If you have consented in your browser or in the operating system or other setting in your device to geolocalization, we use this feature to offer you individualized services related to your current location (e.g. the location of the nearest store). We only process your location data in this way for this function.

The processing of the aforementioned personal data is necessary in order to provide the service requested by you through the features available on our website (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).

Recipients/Categories of recipients:

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities whose right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.

Storage period / Criteria for determining the storage period:

The data described in this section will be stored as long as you browse the website and in any case for the period necessary to pursue the purposes set out in this policy. After that, the personal data are automatically deleted. When you finish using our website, the geolocalization data is also deleted.

4. Contact form / e-mail contact / phone calls

Purpose of data processing and legal basis:

Personal information that you provide to us when filling out contact forms, by e-mail, over the telephone or via social media is of course treated confidentially. For this purpose we may process, for example, your name, surname, e-mail address, mailing address, telephone number.

We use your data solely for the purpose of processing your inquiry, resolving complaints and disputes as well as for complying with applicable legal obligations.

The processing of the aforementioned personal data is necessary in order to provide the service requested by you through the contact forms, by e-mail, over the telephone or via social media (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).

If you participate in one of our customer surveys, you do so on a purely voluntary basis.

No information from these anonymous surveys is stored which will enable a connection to the participants to be established. We only store the date and time of your participation. Any personal information which you provide when answering our survey questions is considered to be given voluntarily and in accordance with the provisions of the GDPR. Please do not insert any names or similar information into free text fields which could allow a connection to you or other persons to be established.

Should you request to be contacted by our Customer Service and therefore provide your personal data such as name, surname, e-mail address or telephone number, these data will be processed for the exclusive purpose of fulfilling your request. For this specific data processing, art. 6, paragraph 1, letter b) GDPR is the legal basis. For more information in this regard, please read the specific privacy policy for the said customer survey.

Recipients / Categories of recipients:

For the abovementioned purposes, your personal data may be transferred to the following categories of recipients: (i) where necessary, contracting parties (e.g. suppliers, where inquiries are product-specific) in order to process your inquiry (in these cases, your inquiry will be anonymized in advance to ensure that the third party cannot relate it to you; if sharing your personal data is necessary in an individual case, we will inform you of this and obtain your consent); (ii) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (iii) companies of the group to which Lidl belongs; (iv) subjects and authorities whose right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.

Storage period / Criteria for determining the storage period:

All the personal data that you provide us in inquiries (suggestions, praise or criticism) via this website or by e-mail will be stored as long as necessary to pursue the purposes set out in this policy and will be deleted, no later than 90 days after the final response is sent, or anonymized, except where storage for a further period is required for any claims, requests by the competent authorities or for compliance with a legal obligation. In our experience, we generally receive no further inquiries to our responses after 90 days.

If you exercise your rights as a data subject, your personal data will be stored for a period of 5 years from our response, as evidence of the completeness of the information provided to you and of compliance with legal requirements.

The retention period of the personal data that you may provide in the context of customer surveys is indicated in advance by means of the specific privacy policy for the said survey. However, data may be stored for a further period if required for any claims, requests from the competent authorities or for compliance with a legal obligation.

5. Social Listening

Purpose of data processing and legal basis:

In addition to the information we have directly shared with you through social networks, we also use the option of ‘social listening’ in order to get an idea of perceptions of our products and services and to identify any potential for improvement. Contributions made public by you on online platforms (Facebook, Instagram, etc.) are reviewed and evaluated according to a search request (for example in relation to a new product line). Only contributions that have been made publicly available will be viewed here.

The extent of the data processed is primarily determined by the nature and content of the said contribution such as e.g. a posting in text form or an uploaded image file. In single cases, the respective user ID may also be processed if Lidl would like to offer help with any problems.

The legal basis for the processing of personal data in the context of social listening is our legitimate interest in being able to identify any deficiencies in our products and services and to react to them in an appropriate manner (article 6, paragraph 1, letter f) GDPR). Lidl's legitimate interest is equally balanced with your legitimate interest, as the said data processing is limited to what is strictly necessary for the aforementioned purpose namely, to analyze the content made publicly accessible by the data subject.

Recipients / Categories of recipients:

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities whose right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.

Storage period / Criteria for determining the storage period:

The data will be stored for a period of time necessary for the pursuit of the purposes set out in this privacy policy and, in any case, for a maximum period of 90 days from the collection, except in the event that storage for a further period is required for any disputes, requests from the competent authorities or pursuant to applicable legislation.

6. Prize draws

Purpose of data processing / Legal basis:

You have the option of taking part in various Lidl prize draws through our website, our newsletter or via the Lidl app. The personal data collected in the context of the prize draw will be indicated by Lidl when you sign up to the draw. Unless otherwise specified in special data protection principles for the prize draw in question or if you have not given us additional express consent, the personal data you provided to us when entering the prize draw will be processed exclusively to execute the prize draw (e.g. determination of the winner(s), notification of the winner(s), sending of the prize) and to comply with applicable law obligations.

The processing of the aforementioned personal data is necessary in order to allow your participation in the prize draw (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).

Further details are provided in the specific privacy policy for the prize draw.

Recipients / Categories of recipients:

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities whose right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.

Storage period / Criteria for determining the storage period:

Your personal data processed in the context of the prize draw will be stored as long as necessary to pursue the purposes set out in this policy. After the end of the prize draw and the identification of the winners, the personal data of participants are deleted, except where storage for a further period is required for any claims, requests from the competent authorities or for compliance with a legal obligation. In the case of material prizes, the data of the winners are stored for the duration of the statutory warranty claims in order to arrange for rectification or replacement if there is any defect in the prize.

7. Newsletter

Purpose of data processing and legal basis:

On our website / App and various other platforms you have the possibility to subscribe to our newsletter. If you have subscribed to our newsletters, we use your e-mail address and in certain cases your name for sending information on products, promotions, prize draws and news, on store, photo and travel offerings as well as for customer satisfaction surveys. We store and process this data for purposes of sending the newsletter.

Newsletter content covers promotions (offers, discount promotions, prize draws, etc.) as well as the goods and services of Lidl.

The processing of the aforementioned personal data is necessary in order to provide you with the newsletter service (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).

In order to ensure that no errors have occurred during entry of your e-mail address, we use the double opt-in procedure. We send you a confirmation link after you have entered your e-mail address in the sign-in field. Your e-mail address will not be added to our mailing list until you click on this confirmation link.

You may decide to no longer receive the newsletter at any time in the future, e.g. by unsubscribing from the newsletter on our website. You can find the link to unsubscribe at the end of each newsletter. When you unsubscribe from our newsletter the collected data will be deleted.

Recipients / Categories of recipients:

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, marketing and advertising networks; (ii) service supplier for sending the newsletter; (iii) companies of the group to which Lidl Malta Ltd. belongs. If external processors are commissioned for the dispatch of the newsletter, these are bound by contract pursuant to article 28 GDPR.

Storage period / Criteria for determining the storage period:

If you don’t confirm the signing up to our newsletter by the double opt-in procedure, your personal data will be erased after 7 days. If instead you decide to unsubscribe from the newsletter, your personal data will be deleted from the systems within 6 months, without prejudice to such cases in which the storage for a further period is required in order to handle any disputes, requests from the competent authorities or for compliance with a legal obligation.

8. Use of cookies and similar technologies

Data Controller, purpose of data processing and legal basis:

Lidl Malta Ltd., with registered office in Triq il-Karmnu, Luqa LQA 1311, Malta, is the controller for data processing activities in the context of the use of cookies and other similar technologies on all (sub-) domains under www.lidl.com.mt.

Cookies are small text files that are placed on your device (laptop, tablet, smartphone or similar) when you visit our websites. Cookies do not cause any damage to your device, do not contain viruses, trojans or other types of malware. In the cookie, information is stored which is related to the specific device you use. This does not mean though, that we are directly informed about your identity. The other similar technologies for processing usage data are in particular the pixel tracker and local storage.

The use of cookies and other technologies serves the following purposes, depending on the category of the cookie or other technology:
•    Technically necessary: These are cookies and similar technologies, without which you cannot use our services (e.g. to display our website/functions you have requested correctly).
•    Convenience: These technologies allow us to take into account your actual or assumed preferences for the convenient use of our websites. For example, your preferences allow us to display our web pages in a language that is appropriate for you. It also helps us to avoid showing you offers that may not be available in your area.
•    Statistics: These technologies enable us to compile anonymous statistics on the use of our services in order to tailor them to your needs. This enables us to determine, for instance, how we can adapt our websites even better to the habits of the users.
•    Marketing: These technologies enable us to display advertising content that is suitable for you, based on the analysis of your pattern of use. In this context, your pattern of use can also be tracked via different websites, browsers or terminal devices using a User ID (unique identifier).

You can find an overview of the cookies and other similar technologies used, including the respective processing purpose, the storage period and any third-party provider involved, here.

Within the scope of the use of cookies and similar technologies, depending on the purpose, the following categories of personal data are processed:

Technically necessary:
•    User entries to remember the input over several sub-pages (e.g. to select your preferred store in the section “store finder”);
•    Security-relevant incidents (e.g. detection of multiple failed login attempts);
•    Data to play multimedia content (e.g. playback of (product) videos selected by the user).

Convenience:
•    User interface customization settings that are not linked to a permanent identifier (e.g. the active language selection or the specific display of search queries or maps in the section “store finder”).

Statistics:
•    Pseudonymized User profiles with information about the use of our websites. These include in particular:
o    browser type/version,
o    the operating system used,
o    referrer URL (the previously visited website),
o    host name of the accessing computer (IP address),
o    time of the server request,
o    individual user ID and
o    triggered events on the website (browsing patterns).
•    The IP address is anonymized, so that it cannot be traced back to your person.
•    We only combine the user ID with other data from you (e.g. name, email address, etc.) with your express consent (see e.g. section 7 of this privacy policy). Based solely on the user ID itself, we cannot draw any conclusions about your person.

Marketing:
•    Pseudonymized user profiles with information about the use of our website. These include in particular:
o    IP address,
o    individual user ID,
o    potential product interest and
o    triggered events on the website (browsing patterns).  
•    The IP address is anonymized, so that it cannot be traced back to your person.
•    We only combine the user ID with other data from you (e.g. name, email address, etc.) with your express consent (see e.g. section 7 of this privacy policy). Based solely on the user ID itself, we cannot draw any conclusions about your person. Where appropriate, we share the user ID and the associated usage profiles with third parties via providers of advertising networks.

The legal basis for the use of convenience, statistical and marketing cookies and of similar technologies is your consent in accordance with article 6, paragraph 1, letter a) GDPR. The legal basis for the use of technically necessary cookies and similar technologies is article 6, paragraph 1, letter b) GDPR, i.e. we process your data to provide our services in the course of initiation or performance of the contract.

Cookies can be blocked at a general level. However, this block would have an impact on the use of the website and the services offered therein. All the latest browsers allow you to change the settings on cookies that are usually found in the menu of your browser under 'options' or 'preferences'. To understand how to set them up, you can consult the following links:

Google Chrome
Mozilla Firefox
Internet Explorer
Safari browser

For information on how to manage cookies through other browsers, it is useful to consult the online help files. If this information is not sufficient, we advise you to consult the "Help" section of the browser for more details.

Recipients / Categories of recipients:

Within the scope of data processing by means of cookies and similar technologies, we use specialised service providers, especially from the sector of online marketing. These service providers process your data on our behalf as processors, are in each case carefully selected and contractually obliged in accordance with article 28 GDPR. All the companies listed as providers in our list of cookies are acting for us as processors.

Storage period / Criteria to determine the storage period:

You can find the storage period for cookies and other similar technologies in our list of cookies. If "persistent" is stated in the "expiration" column, the cookie or other similar technology is stored permanently until the corresponding consent is revoked.

9. Recipients outside the EU

With the exception of the processing set out in sections 8, 10 and 11, we do not share your data with recipients established outside the European Union or the European Economic Area. The processing specified in the aforementioned sections may however result in a transfer of data to the servers of Google LLC, some of which are located in the United States. For the United States, with resolution of 12.07.2016, the European Commission has concluded that the provisions contained in the EU-U.S. Privacy Shield provide an adequate level of data protection (so-called "adequacy decision" pursuant to art. 45 GDPR). The provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, is certified according to the EU-U.S. Privacy Shield.

In case of transmission of your data to recipients based outside the European Union or the European Economic Area, you have the right to obtain a copy of the security measures implemented or to know the place where they are made available, by forwarding such request to Lidl at the address indicated in this privacy policy.

10. Third party content on our website

YouTube videos, which are saved on www.YouTube.com, are made available and can be viewed directly from our website. These are included in the "advanced privacy mode", which means that your personal data is not stored by YouTube if you do not play the videos.

Further information about the purposes and methods of the processing of personal data carried out through YouTube can be found in the provider's privacy policy. It also contains information relating to your rights and system settings to protect your privacy. YouTube address and privacy policy: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; https://policies.google.com/privacy?fg=1.

11. Bing Maps

On our website we use the services offered by Bing Maps. In this way you can view and use the interactive maps directly from our website to find, for example, the Lidl stores closest to you.

As part of browsing our website, the Bing Maps provider, i.e. the Microsoft Corporation, receives the information if you access the relevant page on our website. To use the Bing Maps functions, it is necessary to process your IP address. As a rule, this is processed on a Microsoft server in the USA. We have no possibility to influence the processing carried out through Bing Maps.

The processing of the aforementioned personal data is necessary in order to provide the service requested by you through the features available on our website (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).

Further information about the purposes and methods of the personal data processing carried out by Bing Maps can be found in the provider's privacy policy. It also contains information relating to your rights and system settings to protect your privacy. Address and privacy policy of the Bing Maps service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA, https://privacy.microsoft.com/en-us/privacystatement

12. Purchase in our Lidl branches

12.1 Age check

When selling products with age restriction, such as alcohol (17 years) / sale of computer and console games, DVDs, videos with age restriction, a visual check of your personal data (usually an identity card) is carried out by our cashiers in compliance with our legal obligations (article 6, paragraph 1, letter c) GDPR).

12.2 Security cameras

Occasionally we process your data for the purpose of preventing and detecting criminal offenses (article 6, paragraph 1, letter f) GDPR), for the protection of our customers, employees and our property. The use of security cameras is indicated by a clearly visible pictogram in the branches. We store images for 7 days. For installation and maintenance, maintenance companies commissioned by us may have access to stored data.

12.3 Payment procedure

Every time you make a card payment, we process your personal data as contained on such card and in connection with that transaction for the sole purpose of managing the payment itself (article 6, paragraph 1, letter b) GDPR). This concerns your card data (IBAN in the case of bank cards, card number, security code, card type as well as the expiration date of the card) and the data referred to the payment (amount, date, time, identification of the card reading device, this means place, company and store where you paid, PIN and, if necessary, your signature as well as your name and surname).

The card data and the data referred to the payment will be immediately transmitted, after the card is read from the card reading terminal (through the terminal manager) by the acquirer bank to your bank. Such data may also be transmitted, in the cases determined by the law, to the law enforcement authorities and to the Financial Intelligence Units.

We do not retain your card data unless this is necessary to ensure the payment transfer. For purposes concerning the document archiving, some data referred to the payment (type of card, date, time, number of the POS terminal, authorization code, place, company, branch, amount and if necessary your signature as well as your name and surname) will be processed according to the provisions of the law to fulfill our legal obligations (article 6, paragraph 1, letter c) GDPR) and held by us for the duration of the statutory retention periods. However, a card payment is not possible without the data. You can alternatively pay at any time with cash.

13. Your rights as data subject

13.1 Overview

In addition to the right to revoke the consent you may have granted us, you also have the following rights provided the respective statutory requirements are met:
•    The right of access to information about your personal data in accordance with article 15 GDPR.
•    The right to rectification of inaccurate data or to have incomplete data completed in accordance with article 16 GDPR.
•    The right to erasure of your data stored with us in accordance with article 17 GDPR.
•    The right to restriction of processing of your data in accordance with article 18 GDPR.
•    The right to data portability in accordance with article 20 GDPR.
•    The right to object in accordance with article 21 GDPR.

13.2 The right of access to information in accordance with article 15 GDPR

You have the right, pursuant to article 15, paragraph 1 GDPR, to request that we confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:
•    the purposes for which the personal data are processed;
•    the categories of personal data which are processed;
•    the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
•    the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
•    the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
•    the right to lodge a complaint with a supervisory authority;
•    any available information about the source of the data, if the personal data are not collected from you (the data subject);
•    the existence of automated decision-making, including profiling, in accordance with article 22, paragraph 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to article 46 GDPR relating to the transfer.

13.3 The right to rectification in accordance with article 16 GDPR

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.

13.4 The right to erasure in accordance with article 17 GDPR

You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:
•    the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
•    you withdraw the consent on which the processing was based in accordance with article 6 paragraph 1, letter a) or article 9 paragraph 2, letter a) GDPR, and there is no other legal ground for the processing;
•    you object to the processing pursuant to article 21, paragraph 1 or 2 GDPR, and there are no overriding legitimate reasons for processing;
•    the personal data have been unlawfully processed;
•    the personal data have to be erased for compliance with a legal obligation;
•    the personal data has been collected in relation to the offer of information society services to children as referred to in article 8, paragraph 1 GDPR.

In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:

•    for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
•    for the establishment, exercise or defence of legal claims.

There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.

Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.

13.5 The right to restriction of processing in accordance with article 18 GDPR

You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:

•    The accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
•    The processing is unlawful and you oppose the erasure of your personal data; or
•    We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
•    You exercised your right to object and verification of our legitimate grounds to override your objection is pending.

Following your request for restriction, except for storing your personal data, we may only process your personal data:

•    Where we have your consent; or
•    For the establishment, exercise or defence of legal claims; or
•    For the protection of the rights of another natural or legal person; or
•    For reasons of important public interest.

13.6 The right to data portability in accordance with Article 20 GDPR

You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
    
•    The processing is based on your consent or on the performance of a contract with you; and
•    The processing is carried out by automated means.

13.7 Right to object in accordance with article 21 GDPR

Under the conditions set out in article 21, paragraph 1 GDPR, you have the right to object to data processing on grounds relating to your particular situation.

In those cases where we only process your personal data when this is (1) necessary for the performance of a task carried out in the public interest or (2) necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.

When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.

For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.

In any case you also have the right to lodge complaints at any time with the competent data protection supervisory authority (see below).

13.8 What we may require from you

As one of the security measures we implement, before being in the position to help you exercise your rights as described above, we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.

13.9 Time limit for a response

We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.

14. Contact

14.1 Contacts for questions or to exercise your data protection rights

If you have any questions about our website or the Lidl shop(s) or would like to exercise your rights with regard to the processing of your data (data protection rights), you can contact our Customer Services:
https://www.lidl.com.mt/en/Contact-Form.htm

14.2 Contacts for questions on data protection

If you have any further questions concerning the processing of your data, you can contact our data protection officer at the following email address: privacymt@lidl.com.mt. Please do not use this e-mail address for issues that do not present privacy-relevant profiles (e.g. applications and customer service contact requests).

14.3 Right to lodge a complaint with the data protection supervisory authority

You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. You can contact the Office of the Information and Data Protection Commissioner, the data protection supervisory authority of Malta by email on: idpc.info@idpc.org.mt or by telephone on (+356) 2328 7100.

We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).

15. Name and contact details of the controller responsible for the processing and contact details of the company's Data Protection Officer

This privacy policy applies to the data processing carried out on the website www.lidl.com.mt by Lidl Malta Limited, the Administration Office, Triq Il-Karmnu, Luqa, LQA1311 (“Data Controller”). The data protection officer for Lidl Malta Limited can be contacted using the above address.