See below for information on how your data are processed in accordance with Article 13 of the General Data Protection Regulation (GDPR) and the national legislation on data protection, namely the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any Subsidiary Legislation issued under the same as may be amended from time to time.
1. Data Controller
The data collection and processing described below is controlled partly by us,
Lidl Malta Limited
Triq il-Karmnu, Luqa LQA 1311, Malta
and partly by the respective operator of the social media platforms. For certain processing operations we and the platform operator act as Joint Controllers within the meaning of Article 26 GDPR (processing under section 4).
We, Lidl Malta Limited, (hereinafter: Lidl Malta) operate the following social media pages:
- Facebook: https://www.facebook.com/lidlmalta
- YouTube: https://www.youtube.com/channel/UCNjDlXKz49VsQ8sBrLtXiLw
- Instagram: https://www.instagram.com/lidlmalta
2. Processing by the Platform Operator
As Data Controller, the platform operator is responsible for the data processing (e.g. handling of members and of shared information) carried out by itself within the social media platform. Where we can exercise influence, we use the options available to work towards data-protection-compliant data processing by the operator of the social media platform.
The platform operator operates the entire IT infrastructure of the service, has its own data protection provisions and maintains its own user relationship with you (if you are a registered user of the social media service). In addition, the operator alone is responsible for all questions regarding the data of your user profile, to which we as a company have no access.
Further information on the data processing carried out by the social media platform operators, including information on how to object, is provided in the operators' privacy policies:
3. Processing by Lidl
a) Purposes and legal basis for the data processing
The purpose of data processing by us on the social media platforms is (i) to inform customers about offers, products, services, promotions, prize draws, factual issues and company news, (ii) to interact with visitors of social media presences on these topics, and (iii) to respond to corresponding questions, praise or criticism. We only reserve the right to (iv) delete content, if this becomes necessary, (v) share your data on our page, if this is a function of the social platform, and communicate with you via this social media platform. In this context, the data are processed in the interests of our relations with the public and our communications.
In addition to the above, the processing of data for the purposes referred to in point (iii) is necessary with reference to the above mentioned purposes given its essential nature in order to provide the service requested by you in compliance with Article 6, paragraph 1, letter b) GDPR.
The operator has no influence on the processing of your data by Lidl Malta within the scope of customer communication or prize draws.
As already stated, we endeavor to design our social media pages to be as compliant with data protection provisions as possible, where the social media platform provider permits this.
b) Recipients / Categories of Recipients:
The data you enter on our social media pages, such as comments, videos, images, likes, public messages, etc., are published for this purpose by the social media platform and are not used or processed by us for other purposes at any time. We merely reserve the right to delete illegal content if necessary. This is, for example, the case with infringing or illegal posts, hate comments, lewd comments (explicit sexual content) or attachments (e.g. images or videos), which may breach copyrights, individual rights to privacy, criminal laws or the ethical principles of Lidl Malta.
We may share your content on our page if this is a function of the social media platform and communicate via social media. If you submit a query on the social media platform, we may refer you to other secure communication channels that guarantee confidentiality, depending on the response required. You always have the option of sending confidential inquiries to the address provided in section 1 or through the dedicated channels available on the website www.lidl.com.mt.
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl Malta belongs; (iii) subjects and authorities whose right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.
Recipients outside the EU
We do not share your data with recipients established outside the European Union (EU) or the European Economic Area (EEA). Should we transfer personal data to recipients outside the European Union or European Economic Area, this shall occur exclusively if the EU Commission has identified an appropriate level of data protection in the third country, an appropriate data protection level has been agreed with the recipient (for example through EU standard contractual clauses) or if you have given us your consent (and this with all appropriate safeguards in place). You are entitled to contact us to obtain a copy of the safeguards we have in place to ensure the security of any data transfers we may effect to third countries.
c) Storage Period / Criteria for Determining the Storage Period:
All the personal data that you send us in inquiries (suggestions, praise or criticism) by secure message will be deleted or securely anonymized no later than 90 days after the final response is sent to you. The storage duration of 90 days is due to the fact that on some occasions you as a customer might contact us on the same matter again after a response and we must be able to refer to our previous correspondence. In our experience, we generally receive no further questions regarding our responses after 90 days.
All public posts by you on this social media presence will remain on the timeline indefinitely unless we delete them because of an update of the underlying topic, violations of the law or infringements of our guidelines or you delete the post again yourself.
We have no influence on the deletion of your data by the operator itself. The data protection provisions of the respective operator therefore also additionally apply.
d) Prize Draws
Purposes and legal basis for the data processing:
You have the option of taking part in various Lidl prize draws on our website, through our newsletter, on our social media presences or via the Lidl app. Unless otherwise specified for the prize draw in question or if you have not given us additional express consent, the personal data you provided to us when entering the prize draw will be used exclusively to execute the prize draw (e.g. determine the winner(s), notify the winner(s), send the prize, possibly anonymously announce the winner). If you operate under your real name in the relevant social media network or are identifiable through photos in your profile, we cannot exclude identification by other users.
The legal basis for data processing in the context of prize draws is generally article 6, paragraph 1, letter b) GDPR. If a declaration of consent is provided as part of a prize draw, article 6, paragraph 1, letter a) GDPR is the legal basis for the data processing carried out. If you have declared your consent in the context of a prize draw, you can revoke this consent at any time with effect for the future.
Recipients / Categories of recipients:
Data is shared with third parties only if this is necessary for running the prize draw or sending the prize (e.g. for the promoter of a prize draw to send the prize or sharing the data with a logistics company) or you have given us your express consent to do so. Please note that in the case of some social media presences, entry may also be possible directly on the publicly visible web presences (e.g. on the board or via comments) and thus other users can also see the fact you have entered publicly through your interaction with us. Moreover, in such cases the fact you have won may also be identifiable on the respective social media presence. If you operate under your real name in the relevant social media network or are identifiable through photos in your profile, we cannot exclude identification by other users.
Storage period / Criteria for determining the storage period:
After the end of the prize draw and announcement of the winners, the personal data of entrants are deleted. In case of material prizes, the data of the winners are stored for the duration of the statutory warranty claims in order to arrange for rectification or replacement if there is any defect in the prize. In the case of entry into a prize draw on a social media site (e.g., by means of a post or comment), we have no influence on the deletion of your data by the operator. The data protection provisions of the respective operator of the social media site therefore also additionally apply.
e) Newsletter Dispatch
Purposes and legal basis for the data processing:
You also have the option of subscribing to our newsletter via online frames on our social media presence. If you have consented to receiving our newsletters, we use your e-mail address and in certain cases your name for sending information (individualized, if possible) on products, promotions, prize draws and news on store, photo and travel offerings as well as for customer satisfaction surveys. We store and process this data for purposes of sending the newsletter.
Newsletter content covers promotions (offers, discount promotions, prize draws, etc.) as well as information on the goods and services of partner companies.
Your consent in accordance with Article 6, paragraph 1, letter a) GDPR serves as the legal basis for the above-mentioned data processing.
We use the double opt-in procedure in order to ensure that no errors have occurred during entry of your e-mail address. We send you a confirmation link after you have entered your e-mail address in the sign-in field. Your e-mail address will not be added to our mailing list until you click on this confirmation link.
You can revoke your consent to receipt of the newsletter, participation in surveys on customer satisfaction or creation of a personalized usage profile at any time with future effect, for instance, by unsubscribing to the newsletter on our website. You can find the link to the unsubscribe page at the end of every newsletter. If you unsubscribe, we consider your consent to creation of a personalized usage profile and receipt of the newsletter on that basis to be revoked. We will delete your usage data.
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) service supplier for sending the newsletter; (iii) companies of the group to which Lidl Malta belongs. If external processors are commissioned for the dispatch of the newsletter, these are bound by contract pursuant to Article 28 GDPR. We categorically rule out any further disclosure of the data to third parties.
Storage period / Criteria for determining the storage period:
If you don’t confirm the signing up to our newsletter by the double opt-in procedure, your personal data will be erased after 7 days. If instead you subscribe to the newsletter, your personal data will be processed as long as necessary for the provision of the aforementioned service, without prejudice to such cases in which the storage for a further period is required in order to handle any disputes, requests from the competent authorities or for compliance with a legal obligation.
4. Joint Controllers pursuant to Article 26 GDPR
A relationship pursuant to Article 26, paragraph 1 GDPR (Joint Controller) in some cases exists with the operator of the social media service.
We and the platform operators act as Joint Controllers for the web tracking methods used by operators of the social media platform. Web tracking may also be used regardless of whether you are registered with or have logged on to the social media site. As previously stated, we regrettably have no influence over the web tracking methods used by social media platforms. For instance, we cannot disable them.
The legal basis for the web tracking methods is Article 6, paragraph 1, letter f) GDPR. The interest of optimizing the social media platform and the respective fan page is to be regarded as legitimate within the meaning of the aforementioned provision.
Further information on the recipients and/or categories of recipients and the storage period and/or the criteria for determining the storage period can be found in the platform operators' privacy policies. We have no influence on these.
The options for exercising your rights to object to these web tracking methods can be found in the privacy policies of the platform operators listed in section 2. You can also contact the platform operators using the contact details provided in the respective legal notice to this end.
As regards the statistics provided to us by the social media platform providers, we can only influence or stop this to a certain extent. However, we do ensure the operators do not provide us with any additional, optional statistics.
The statistics produced by the social media platform providers are provided to Lidl Malta anonymously and we have few possibilities to limit their transmission or contents. However, we ensure that optional statistics are not made available to Lidl Malta.
5. Your Rights as Data Subject
The GDPR grants you certain rights as a website user when your personal data is processed:
a. Right of access (Article 15 GDPR):
You have the right, pursuant to Article 15, paragraph 1 GDPR, to request that we confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:
- the purposes for which the personal data are processed;
- the categories of personal data which are processed;
- the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
- the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
- the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- any available information about the source of the data, if the personal data are not collected from you (the data subject);
- the existence of automated decision-making, including profiling, in accordance with Article 22, paragraphs 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
b. Right to rectification and erasure (Articles 16 and 17 GDPR):
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.
You also have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw the consent on which the processing was based in accordance with Article 6, paragraph 1, letter a) or Article 9, paragraph 2, letter a) GDPR, and there is no other legal ground for the processing;
- you object to the processing pursuant to Article 21, paragraph 1 or 2 GDPR, and there are no overriding legitimate reasons for processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation;
- the personal data has been collected in relation to the offer of information society services to children as referred to in Article 8, paragraph 1 GDPR.
In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:
- for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
- for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.
Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.
c. Right to restriction of processing (Article 18 GDPR):
You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:
- The accuracy of your personal data is contested for a period enabling us to verify the accuracy of the personal data; or
- The processing is unlawful and you oppose the erasure of your personal data; or
- We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
- You exercised your right to object and verification of our legitimate grounds to override your objection is pending.
Following your request for restriction, except for storing your personal data, we may only process your personal data:
- Where we have your consent; or
- For the establishment, exercise or defence of legal claims; or
- For the protection of the rights of another natural or legal person; or
- For reasons of important public interest.
d. Right to data portability (Article 20 GDPR):
You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
- The processing is based on your consent or on the performance of a contract with you; and
- The processing is carried out by automated means.
e. Right to object (Article 21 GDPR):
Under the conditions set out in Article 21, paragraph 1 GDPR, you have the right to object to data processing on grounds relating to your particular situation.
In those cases where we only process your personal data when this is 1. necessary for the performance of a task carried out in the public interest or 2. when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.
When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.
For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.
What we may require from you
As one of the security measures we implement, before being in the position to help you exercise your rights as described above we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.
Time limit for a response
We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.
f. Right to lodge a complaint with a supervisory authority
You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. The right to lodge a complaint may be exercised in particular with a supervisory authority in the member state in which you reside or work, or in the location of the alleged infringement. We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).
6. Contact Details of the Data Protection Officer:
Please do not hesitate to contact our Privacy Officer with any questions on data protection:
Lidl Malta Limited
Data Protection Officer
Triq il-Karmnu, Luqa LQA 1311, Malta