Privacy Policy
You Come First
At Lidl, our customers come First! That’s why Lidl is not only committed to providing you with a comprehensive online service, but is also committed to protecting your privacy. This Privacy Policy explains what information we collect and how that information is processed.
The following data protection information will inform you about the nature and scope of the processing of your personal data by Lidl Ireland GmbH (hereafter referred to as Lidl).
Unless otherwise stated in the following clauses, Lidl Ireland Gmbh, Main Road, Tallaght, Dublin 24, Ireland ("Lidl Ireland”) and Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm ("Lidl Stiftung", and together with Lidl Ireland "we", "us") are joint controllers of the processing of your data on the website www.lidl.ie and in the Lidl app (the "Services").
The data protection officers of Lidl Ireland and Lidl Stiftung can be contacted at the above postal addresses or at data.controller@lidl.ie and Customer.service@lidl.ie.
CUSTOMER SERVICE PRIVACY POLICY
At Lidl we ensure that customer satisfaction is at the heart of everything we do. We know your privacy is important to you so we want you to know that we will treat your personal information with respect.
WHY DO WE USE PERSONAL INFORMATION?
To help us provide you with the best possible customer service sometimes we will need to use your personal information. This is so that we can address any issues and respond to your requests. This generally done with your consent to help us deal with your query in an efficient manner. Where you’re the matter relates to a claim or prospective legal claim, we will rely on our legitimate interest to process your data.
WHAT PERSONAL INFORMATION DO WE USE?
Depending on the circumstances, we may collect any of the following information:
• Name;
• Email address;
• Home or postal address;
• Call recordings.
Personal information obtained by Lidl when dealing with your request by telephone, e-mail, live-chat, WhatsApp, or letter is treated confidentially. In order to maintain our high standards of customer satisfaction all calls are recorded for training, quality, and safety purposes. In most cases, personal data will be kept no longer than 30 days from the date a request is resolved.
WHO CAN ACCESS YOUR INFORMATION?
Lidl will only allow access to your information to those members of staff that require it in order to respond to your request. All Lidl staff are under contractual obligations of confidentiality. In some cases, it may be necessary for us to forward extracts of your request to a contract partner. If this is necessary, we will inform you in advance and obtain your consent before we transfer any of your personal information externally.
HOW DOES LIDL USE SOCIAL MEDIA?
Lidl continues to use the option of so-called social listening in order to get an idea of the perception of our products and services and to identify any potential for improvement. Social listening analyses mentions / posts on various social media online platforms and forums (e.g. Twitter, Facebook, etc.) in order to gain insights in to any product deficiencies and to action responses to these deficiencies to meet the need of our customers.
Direct mentions of the Lidl brand or discussions regarding specific keywords which appear on these online platforms and forums are evaluated according to a search request (e.g. a new product line). Only mentions / posts that have been made available to an unrestricted public will be viewed here.
The extent of the data collected is primarily determined by the nature and content of the respective mention / post. In individual cases, the respective user ID used may be relevant; if Lidl would like to offer help with any problems. We also receive information from the respective platform operators on the scope of the respective contributions.
As a business we have a legitimate interest in being able to recognize any deficiencies in our products and services and to react appropriately to them.
The personal data processed in the context of social listening is only processed within the EEA.
The relevant data is not permanently stored by Lidl, but only analysed in a targeted manner with regard to potentially required countermeasures and will not be kept for longer than necessary.
WHAT ARE YOUR RIGHTS?
You have:
• The right to revoke your consent at any time (where you have previously provided your consent);
• The right to request information about your personal data stored with us;
• The right to request rectification of incorrect data;
• The right to request deletion of your personal data in certain circumstances;
• The right to apply for the restriction of processing of your personal data;
• The right to request data portability.
• The Right to object to the processing of your personal data;
• The right to contact the Data Protection Commission if Lidl is unable to address your concerns.
QUESTIONS OR COMMENTS?
You can contact us using the below details:
Lidl Ireland GmbH
Main Road
Tallaght
Dublin 24
data.controller@lidl.ie
Unless otherwise stated, the recipients or categories of recipients named below act as data processors. They are carefully selected and contractually bound in accordance with Article 28 GDPR. This means that they may only process personal data on the basis of our instructions and not for purposes other than those stated.
Under certain circumstances, it may be necessary for us to transfer your personal data to recipients in a third country or several third countries outside the European Union (EU)/the European Economic Area (EEA).
The EU Commission has certified some third countries as having a level of data protection comparable to the GDPR by means of an adequacy decision. You can find an overview of third countries with an adequacy decision here. For service providers based in the USA, this only applies if they are certified in accordance with the EU-US Data Privacy Framework.
If there is no adequacy decision, we secure the transfer by other measures. These can be, for example, binding company regulations, standard contractual clauses of the European Commission, certificates or recognised codes of conduct.
Unless otherwise stated below, the transfer to a third country takes place either on the basis of an adequacy decision or one of the measures listed above. If you have any questions, please contact our data protection officer.
Purpose of data processing / legal basis:
CCTV recording is active in all Lidl stores. Such recordings are captured and processed in Lidl’s legitimate interest for the following purposes:
• Crime prevention, prosecution and public safety
• Adherence to other legislation and policies
• Customer queries and risk management
Recipients or categories of recipients:
CCTV footage of customers is recorded by cameras as laid out in accordance with internal procedures for camera layout and in order to ensure proportionality. The physical technological infrastructure and recordings are stored and backed-up internally.
As a general rule we will not disclose this data to third parties unless required to be provided to legal authorities when we have a statutory obligation to provide such recordings. Recordings may at times be used in evidencing legal/ongoing disputes where all requirements for the access and storage of such data have been met as laid out in our internal investigation procedures.
Storage duration / criteria for specifying the storage duration:
CCTV footage is generally kept for a period of up to 30 days from the time of recording, except in the event of an incident.
Purpose of data processing / legal basis:
From time to time Lidl may hold competitions or prize draws. Unless otherwise specified in the individual terms and conditions of any such competition, the personal data forwarded by you to us within the scope of participation in any competition will be used exclusively for processing the competition (e.g. identifying the winner, informing the winners, providing the prize). The legal basis for the data processing in the context of competitions held by Lidl will generally be based on consent. Participants may revoke this consent at any time. Where a winner is identified, prizes will typically be provided on the basis of contract where in consideration of the prize, winners agree to participation in promotional activity surrounding the competition or the prize.
The name and county of major prize-winners will either be published or made available on request. For this reason a full name of winners will be required.
Recipients or categories of recipients:
Data will only be forwarded to third parties if this is necessary for processing the competition (e.g. providing the prize via a third party). We categorically exclude any further dissemination of this data to third parties.
Storage duration / criteria for specifying the storage duration:
Personal data gathered by consent will generally be deleted upon the completion of a competition. Personal data belonging to winners, or any personal data generated through promotional activities may be held longer in accordance with contract.
Purposes of data processing/legal basis
You can sign up for our marketing communications on our website, in our mobile applications, the websites or mobile applications of partner companies and via embedded content on our social media presence. If you have expressly consented to receiving our Lidl marketing communications (email, SMS, WhatsApp, push notifications), we will use your email address or mobile phone number and, if applicable, your name to send you information (see Section "Advertising content"), taking into account your user profile (see Section "Personalised user profile").
In order to ensure that no errors have been made when entering the email address, we use the double opt-in procedure. After you have entered your email address in the registration field, we will send you a confirmation link. Only when you click on this confirmation link will your email address be added to our mailing list. We will do the same with your mobile phone number if you have provided it to us as part of the Lidl Plus registration process.
You can withdraw your consent to receiving marketing communications, including the creation of personalised user profiles, at any time with effect for the future, e.g. at the end of each newsletter, in your Lidl Plus account or via our customer service department at customer.service@lidl.ie. When you unsubscribe, we consider your consent to the creation of this personalised user profile and the receipt of newsletters based on it to be withdrawn.
The legal basis for the aforementioned processing is Article 6(1)(f) GDPR or, if consent has been given, Article 6(1)(a) GDPR. The processing of existing customer data for our own advertising purposes or for the advertising purposes of third parties is a legitimate interest within the meaning of the first-mentioned provision.
Recipients/categories of recipients
The recipients include the operators of social networks, advertising partners and specialised service providers who process personal data on our behalf in accordance with our instructions.
If external data processors are used to carry out marketing communications, they are contractually obliged in accordance with Article 28 GDPR.
Storage period/criteria for determining the storage period
If you withdraw your consent to individual advertising measures or object to certain advertising measures, your data will be deleted from the corresponding (email) distribution lists within 48 hours for technical reasons.
If you file an objection, your contact address will be blocked for further advertising data processing. We would like to point out that in exceptional cases, advertising material may still be sent or advertising campaigns displayed temporarily even after we have received your objection. This is technically due to the necessary lead time for adverts and does not mean that we will not implement your objection.
Your registration data will then be stored for ten years as proof that we have complied with legal requirements. When registering for the newsletter on a social media site, the data protection information of the respective operator of the social media site also applies.
Further data processing for advertising purposes
Furthermore, we process data concerning you for advertising purposes using cookies and similar technologies as described in Section 8 in more detail.
8.1 Personalised user profile
With your consent, we and the following operators of Lidl websites and Lidl apps, as well as the senders of Lidl newsletters, record your user behaviour:
Lidl Sitftung & Co. KG,
Lidl Ireland GmbH.
The evaluation of user behaviour includes the following information in particular:
Used areas of the respective website, the mobile apps or the newsletter,
Activated links,
Time of opening,
Products selected or added to the shopping basket,
Time, duration and frequency of use,
Participation in surveys,
Redeemed vouchers,
Purchase data,
Frequency and timeliness/timing? of your store purchases when using Lidl Plus.
We use this data to create personalised user profiles by assigning your person and/or email address or mobile phone number in order to be able to better tailor advertising to your personal interests by means of newsletters, SMS, WhatsApp/push notifications, on-site advertising and print advertising, and to improve our offers and digital presence.
We can also enrich this user profile with information about your age and gender if you have given us your consent to do so.
If you have filled in the "About me" section in Lidl Plus, this data will also be used to customise our Services to your interests. The legal basis for this is Article 6(1)(b) GDPR (contract between Lidl Stiftung and you).
8.2 Advertising content
The content of our marketing communications includes information about promotions, products and services (e.g. offers, discount promotions, competitions, Lidl Plus programme benefits, streaming offers, services, surveys, product reviews) from our website, the Lidl app, store operations and from the operators of the Lidl websites and Lidl apps. These are currently in particular:
Lidl Ireland Gmbh (www.lidl.ie),
Lidl Stiftung & Co. KG (www.lidlplus.ie).
8.3 Push notifications
Purposes of data processing/legal basis
To receive regular information on news, offers, promotions and reminders about unfinished orders, you can register to receive push notifications.
To do this, you must confirm the request from your end device to receive push notifications. The login time and a push token or your device ID are then saved. This data is used to send push notifications and as proof of registration.
The Lidl app only uses push notifications if you activate push notifications when installing the app or at a later time in the settings of your device. You can deactivate the receipt of push notifications at any time in the Lidl app.
We analyse push messages statistically in order to determine whether and when push messages were displayed and clicked on. This enables us to determine the presumed interests of the recipients and thus optimise the push messages.
The legal basis for processing your data to send push notifications is your consent in accordance with Article 6(1)(a) GDPR.
Recipients/categories of recipients
If external data processors are used to send push notifications, they are contractually obliged to do so in accordance with Article 28 GDPR.
Storage period/criteria for determining the storage period
Your data will be stored as long as you have activated push notifications.
Purposes of data processing/legal basis
Personal data that you provide to us when filling out contact forms, by telephone, by email or via social media will only be used for the purpose of processing your enquiry.
If you take part in one of our customer surveys, you do so voluntarily. In these anonymous surveys, no information is stored that allows conclusions to be drawn about the participants. Only the date and time of your participation will be saved. You can specify your details using free-text fields or by creating screenshots. You can also voluntarily agree to be invited to participate in user studies on a regular basis. These are conducted by telephone interviews, written surveys or tests on the user-friendliness of our applications. For this purpose, we store your first name, surname and email address. Any additional personal information you provide in surveys or user studies will be considered to have been provided voluntarily and will be stored in accordance with the GDPR. When using free-text fields and screenshots, please refrain from submitting personal data about yourself or another individual.
The legal basis for data processing is Article 6(1)(f) or Article 6(1)(b) GDPR. Our and your concurrent (legitimate) interest in this data processing arises from the aim of answering your enquiries, solving any problems you may have and thus maintaining and increasing your satisfaction as a customer or user of our website. If you give your consent as part of a customer survey or user study, Article 6(1)(a) GDPR is the legal basis for data processing based on consent. You can withdraw this consent at any time with effect for the future. Further details on this are set out in the data protection notices of the customer surveys and user studies. The legal basis for the processing of data protection requests is Article 6(1)(c) GDPR, as this is necessary to comply with legal obligations.
If you identify yourself as a Lidl Plus customer, the responsible Lidl company will receive your contact details, which are required for the customer service department to process an enquiry or for a product-specific enquiry with suppliers. The legal basis for this is Article 6(1)(b) GDPR.
Recipients/categories of recipients
When answering your enquiries and analysing customer surveys, your data will also be processed on our behalf by data processors from the customer service department and customer survey department.
If necessary to process your complaint, the data you provide may be passed on to companies within the Lidl Group. If your customer service enquiry leads to a further request, we will use your previously collected data for this request so that you do not have to enter your data again.
In order to process your complaint, it may also be necessary to pass on your contact details to our service partners, who will contact you regarding the next steps (e.g. arranging a collection or repair appointment). We will inform you of the name of the specific service partner as part of our communication. The transfer of data is necessary to fulfil warranty claims and thus to perform the contractual relationship with you in accordance with Article 6(1)(b) GDPR.
Storage period/criteria for determining the storage period
We will delete or anonymise all personal data that you provide to us in response to enquiries (suggestions, praise or criticism) no later than 95 days after the final response. Experience has shown that there are usually no more queries after 95 days. If you assert your rights as a data subject under data protection law, your personal data will be processed for the following purposes for three years after the final response to prove that we have complied with legal requirements. The storage period for personal data collected as part of customer surveys is communicated in advance as part of the specific customer survey.
Purposes of data processing/legal basis
When you access our Services automatically and without your intervention, your browser sends the
- IP address of the end device used,
- Date and time of access,
- Name and URL of the retrieved file,
- Website/application from which access is made (referrer URL),
- Browser and, if applicable, operating system of your end device,
- Name of your access provider
to our server and temporarily stores them in a log file for the following purposes:
- To ensure a smooth connection set-up,
- To ensure convenient/appropriate use of our website/application,
- To evaluate system security and stability.
If you agree to geolocalisation on your end device, we process your real-time location data when you use certain functions of our Services (e.g. displaying the location of the nearest Lidl store in the store finder).
The legal basis for data processing is Article 6(1)(1)(f) GDPR. Our legitimate interest lies in the correct presentation of our Services, the protection of our systems and the prevention of unauthorised access to our website. If the presentation serves to prepare a contract, the legal basis for data processing is Article 6(1)(b) GDPR.
Storage period/criteria for determining the storage period
The log files are stored for a period of seven days and then automatically deleted.
https://www.lidl.ie/information/my-lidl-shop
The Mini Lidl Shop App (or My Lidl Shop) is provided by Lidl Digital International GmbH & Co. KG. Any references in this section to “we” or “our” refers to Lidl Digital International GmbH & Co. KG.
The following privacy policy is intended to inform you about how we handle the collection, processing and use of your personal information in line with the use of this app.
1. Party Responsible for Article 4, paragraph 7 of GDPR
The party responsible for data processing in relation to Article 4, paragraph 7 of GDPR is:
Lidl Digital International GmbH & Co. KG
Datenschutz
Stiftsbergstraße 1
74172 Neckarsulm
E-Mail: datenschutz@lidl-shop.de
2. Usage data whilst using the App
a) Purpose of data processing and legislative basis
We process information about your use of our app in the form of log files in order to:
• Enable and enhance the features of the app,
• Improve our offer, protect our systems and prevent abusive or fraudulent behaviour.
The corresponding log files consist of:
• the mobile device from which you start our app;
• the IP address;
• the access date and the access time;
• the request of the client;
• the http response code;
• the amount of data transferred;
• the version of the app used.
Personal user profiles will not be created. The legal basis of this data processing is paragraph 15, subparagraph 1 of the Telemedia Act (TMG).
b) Recipients / Categories of Recipients
There is no access to the log files stored in your system for these purposes. The query of the log files occurs automatically each time you visit our app.
c) Storage duration / Criteria for determining the storage duration of the log files
The log files are automatically deleted after 14 days.
3. Access to the functions and sensors of your mobile device
a) Purpose of data processing and legislative basis
We access the following device functions or device sensors via the interfaces of your terminal:
Camera
Only with your explicit consent in accordance with Article 6, paragraph 1 (a) of GDPR via the "Permit Permission" dialog will we be granted access to the camera of your device. The camera of your mobile device is used for scanning product barcodes. By scanning real products in the store additional assets can be unlocked in the app.
Internet
Our app retrieves content such as text and images for in-game features (such as the "Barcode Detective" function) from the Internet.
Wireless connection information
Our app uses the wireless connection of your mobile device to establish a connection to the internet and to allow you to use the app in full (paragraph 15, subparagraph 1 of TMG).
Only with your explicit consent in accordance with Article 6, paragraph 1 (a) of GDPR via
b) Recipients / Categories of Recipients
Fundamentally no one has access to camera data.
c) Storage duration / Criteria for determining the storage duration
The data will only be processed whilst you are playing the in the app. Additional storage does not take place.
4. Usage Analysis
a) Purpose of data processing and legislative basis
In order to improve the functionality of our app and our offer, we create pseudonymised usage profiles in accordance with paragraph 15, subparagraph 3 of the TMG. Details on this and on your options to opt-out can be found in this section.
This app uses Google Analytics, an analytics service provided by Google Inc. (Google), to analyse user behaviour. Google will use this information on behalf of the operator to evaluate your use of the app, compile reports on activity within the app and to provide other services related to the use to the operator. Google will never associate your IP address with other Google data. You may opt-out of using Google Analytics in this app in the future at any time. To do this, open the menu, click on the "More" tab and scroll to the bottom of the privacy policy where there is a button to deactivate the tracking.
The My Lidl Shop App uses the analysis tool adjust, a product of adjust GmbH. When you install the Lidl app, adjust will save installation and event data from your My Lidl Shop App (for example, use of the app or interactions in the customer account). This will help us to understand how you interact with our app. It also allows us to analyse and improve our mobile advertising campaigns. For this analysis, adjust uses the IDFA (Identifier for Advertising) or the Android Advertising ID, the IP / MAC address, the HTTP header and a fingerprint of your device (as well as: time of access, country, language, local settings, operating system and version, and the app version). This data is anonymised, as such, neither we nor adjust will be able to identify you using this data. The IDFA and the Android Advertising ID can be reset or deactivated at any time via your operating system. If you do not want tracking by adjust, you can opt out of it for future use at any time by pressing the button below.
b) Recipients / Categories of Recipients
Google Analytics usually transmits the information generated about your use of the app to a Google server in the United States where it is stored. IP anonymisation has been activated in this app so that the IP address of Google users within member states of the European Union or in other states contracted to the European Economic Area is shortened beforehand. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there.
The adjust GmbH servers, on the other hand, are located exclusively in the European Union.
In addition to these two service providers, nobody has access to your personal data processed during the usage analysis.
c) Storage duration / Criteria for determining the storage duration
The personal data processed as part of the use of the analysis tools will be anonymised immediately after collection.
5. Your rights and contact with the Data Protection officer
Upon request you have the right to obtain information about the personal data stored about you in accordance with Article 15, paragraph 1 of GDPR free of charge. In addition, if the legal prerequisites exist, you are entitled to a correction (Article 16 of GDPR), cancellation (Article 17 of GDPR) and limitation of processing (Article 18 of GDPR) of your personal data.
If the data processing is based on Article 6, paragraph 1 e) or f) of GDPR, you have a right of objection under Article 21 of GDPR. If you object to data processing, it will not be used in the future, unless the person responsible can prove that there are compelling grounds for further processing that are worthy of protection outweighing the interest of the person concerned in the objection.
If you have provided the processed data yourself, you are entitled to transfer data according to Article 20 of GDPR.
If the data processing is based on a consent pursuant to Article 6, paragraph 1a) or Article 9, paragraph 2a) of GDPR, you can revoke the consent at any time with future effect, without affecting the legality of the previous processing.
Should you have any open questions regarding the above, or if you wish to make a complaint, please contact our Data Protection Officer in writing or by e-mail. You also have the right to complain to a data protection supervisory authority. This is the data protection supervisory authority of the area in which you live or that where the party responsible is based.
If you have any further questions regarding the collection, processing and use of your personal data, please contact our Data Protection Officer:
Lidl Digital International GmbH & Co. KG
Data Protection
Stiftsbergstraße 1
74172 Neckarsulm
E-Mail datenschutz@lidl-shop.de
Purposes of data processing/legal basis
In addition to the information you share with us directly via social networks, we also use social listening and social media monitoring. This enables us to get an idea of how our products and services are perceived, evaluate our marketing activities and identify any potential for improvement.
As part of social listening and social media monitoring, posts on online platforms (e.g. Xing, Facebook) are analysed according to a specific search request (e.g. for a new product line) or certain key figures (e.g. views, number of clicks). Only those contributions that you have published for an unrestricted public are analysed.
The scope of the data collected is primarily determined by the type and content of the contribution. For example, a post in text form or an uploaded image file can be analysed. In individual cases, the user ID used may also be processed, e.g. if we would like to offer help with any problems. In addition, we sometimes also receive information from the respective platform operators about the reach of the relevant posts.
The legal basis for the processing of personal data in the context of social listening is Article 6(1)(f) GDPR. Our legitimate interest lies in being able to identify any deficits and to analyse the? performance of our products in freely accessible comments and to be able to react appropriately.
Recipients/categories of recipients
We use Emplifi Czech Republic a.s., Pod Vsemi Svatymi 427/17, Severni Predmesti, 301 00 Plzeň, Czech Republic, for the above-mentioned data processing, which generally also processes the collected data on servers in the USA.
Storage period/criteria for determining the storage period
We do not store the above-mentioned data permanently, and only analyse it specifically with regard to potentially necessary measures. If necessary, we will retain the data for annual comparative analyses for up to two years if you have not already deleted the data from the platform yourself.
9. Use of cookies and similar technologies to process usage data
The use of cookies and similar technologies for processing usage data (in particular local storage) means that when you visit our website (www.lidl.ie) and some of the web pages embedded there (in particular account.lidl.com) and the Lidl app, files are stored locally on your end device (laptop, tablet, smartphone or similar). Sometimes a so-called tag is used to display personalized advertising, which is integrated into these services (hereinafter referred to as “similar technologies for processing usage data”). This is a code that collects usage data.
9.1 Responsibility
Lidl Ireland and Lidl Stiftung are joint controllers for most data processing in connection with the use of cookies and other similar technologies (uniformly referred to as "cookies") to process usage data on these Services.
Beyond this, the responsibility relationships are as follows:
9.2 Responsibility for cookies for self-promotion purposes
For some of the data processing associated with the marketing cookies for self-promotion (see cookies under the category "Self-promotion" in our cookie notices), in addition to us, the following are also involved: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook), TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, EC1A 9HP, United Kingdom (TikTok), They are joint controllers pursuant to Article 26 GDPR.
We use cookies and carry out associated data processing for the purposes of self-promotion. We can combine these with your age, your gender and your usage behaviour on the website or in the Lidl app to create a profile.
In addition, in this context, data in the Lidl app about you is also partially processed by the advertising partner The UK Trade Desk Ltd., c / o The Trade Desk, Inc., 42 N. Chestnut Street, Ventura, CA 93001, USA (“TTD”) ) as a separately responsible person for displaying personalized advertising and for measuring success. In order to be able to link your usage behavior with you, the identifiers (MAID, hashed e-mail address and / or hashed telephone number) are forwarded to TTD on the basis of your consent. You will find further information on data processing as well as how you can assert your rights as a data subject in TTD's data protection information.
We also use the Microsoft Advertising and Microsoft Clarity Services of the provider Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (Microsoft) and the Google Advertising Service of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google) for self-promotion in our Services. Microsoft and Google also process your data as part of the Microsoft and Google Advertising Services under their own responsibility.
We use the "Facebook Custom Audience" Service of Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta", "Facebook") in the Lidl app. In this respect, we are joint controllers with Meta pursuant to Article 26 GDPR.
9.3 Purposes/data processing
9.3.1 General presentation
We place cookies on your end device, by means of which the data specified below is collected and then processed for the purposes stated below.
Technically necessary: These are cookies and similar technologies without which you cannot use our Services (for example, to display our Services correctly, including font and colour, to provide the functions you have requested and to take your settings into account, to save your registration in the login area, etc.).
Convenience: These technologies allow us to take into account your preferences to offer you the best user experience on our website and the Lidl app. For example, we can use your settings to display our Services in a language that suits you. In this way, we also avoid showing you products that may not be available in your region.
Statistics: These technologies enable us to compile pseudonymised/anonymised? statistics on the use of our Services. This allows us to determine, for example, how we can customise our website or the Lidl app even better to users’ habits. We use your IP address as well as online identifiers, log files and your location (based on network) to prevent misuse and to prevent and identify any security breaches and other prohibited or illegal activities. For example, if you log in from a new/unknown device, we can inform you of such a login attempt.
Marketing - Self-promotion: This enables us and other data controllers (see above) to display suitable advertising content based on the analysis of user behaviour and information from your customer account (age, gender, store purchase data from the Lidl Plus Service, if applicable). Your usage behaviour can also be tracked via various websites, apps, browsers and end devices using a user ID (unique identifier).
Further details on the processing purposes can be found in the preferences manager.
9.3.2 Selected Services
Google Ads Customer Match:
We use the "Google Ads Customer Match" Service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Lists of user data are sent to Google servers with the help of the tracking technologies we use. Google then compares whether the transmitted user data matches data from Google customers and then creates target groups that can be used to target adverts. The adverts can be displayed within the Google network (YouTube, Gmail or within the search engine) as well as across devices (known as remarketing or retargeting).
We have concluded an order processing contract with Google for the use of Google Ads Customer Matching in accordance with Article 28(3) GDPR. Through this contract, Google guarantees that it will process the personal data in accordance with the/our instructions and guarantee the protection of data subject rights.
Information on how Google uses personal data transmitted to Google by integrating Services and on your setting options for personalised advertising and data collection can be found at here and here. General information on data processing by Google can be found in the Google Privacy Policy.
Meta/Facebook:
Facebook Custom Audience enables us to create target groups and to design and display personalised advertisements on Facebook in line with requirements.
This involves uploading lists of user data to Facebook. Facebook then compares whether the transmitted user data matches data from Facebook users and then creates target groups that can be used to target adverts on Facebook. With Custom Audience, we ensure that only people who have previously visited our app or are interested in our products are shown adverts on Facebook. Facebook also uses the data for its own advertising purposes and for the advertising purposes of third parties.
Further selected data processing in connection with self-promotion:
With your consent, we use special technologies from partners so that we can record your surfing/browsing behaviour and display advertising tailored to you on our website, the Lidl app or our partners' platform (Facebook, RTB House and TikTok). Our partners can also compare the data collected on these Services with their own databases.
Microsoft Advertising and Google Advertising can be used to display targeted advertisements via the Microsoft and Google networks (e.g. in search engines and email programs), optimise them and track the activities of users on our website if they have reached our website via advertisements. Microsoft Clarity can be used to track and visualise user interactions with our services.
We also use Microsoft and Google Advertising Services to collect information that allows us to track target groups using remarketing lists. Microsoft Advertising and Google Advertising can recognise that these Services have been visited and an advertisement can be displayed when Microsoft or Google networks are subsequently used. The information is also used to create conversion statistics, i.e. to record how many users have accessed these Services after clicking on an advert. This tells us the total number of users who clicked on our advert and were redirected to these Services. However, we do not receive any information with which users can be personally identified.
9.4 Data categories
When cookies and similar technologies are used to process usage data, the following types of personal data in particular are processed, depending on the purpose:
Technically necessary:
User input to retain input across multiple subpages (e.g. selecting your preferred store in the Lidl store finder);
Authentication data to identify a user after login in order to gain access to authorised content on subsequent visits (e.g. access to the Lidl Plus customer account);
Security-related events (e.g. detection of frequently failed login attempts);
Data required to playback multimedia content (e.g. playback of (product) videos selected by the user);
Information to display our website correctly, including font and colour, to provide the functions you have requested and to take your settings into account, such as the choices you have made regarding cookies and similar technologies, to save your registration in the login area, etc.
Convenience:
User interface customisation settings that are not linked to a permanent identifier (e.g. language selection or the specific display of search queries or maps in the store finder).
Statistics:
Browser type/version,
Operating system used,
Previously visited page (referrer URL),
Host name of the accessing computer (IP address; this is regularly anonymised so that it cannot be traced back to you),
Time of the server request,
Individual user ID and events triggered on the website (surfing/browsing behaviour). We only merge the user ID with other data from you (e.g. name, email address, etc.) with your express consent (see e.g. Section 8 of this Data Protection Notice). The user ID itself does not allow us to draw any conclusions about your person.
Marketing - Self-promotion:
Information about the use of our website, in particular:
o IP address (this is regularly anonymised so that it cannot be used to identify you personally),
o Individual user ID (including cookie identifier) or other identifiers (email address, telephone number, address); we only merge the user ID with other data from you (e.g. name, email address, age, gender, etc.) with your express consent. The user ID alone does not allow us to draw any conclusions about your person. We may share the user ID and the associated user profiles with third parties via the providers of advertising networks.
o Potential product interests,
o Access information,
o Device identifiers,
o Information about device and browser settings,
o Mouse/scroll movements,
o Triggered events on the website (surfing behaviour).
We use the following advertising identifiers for in-app analysis and the display of personalised advertising: (i) the IDFA (Identifier for Advertising) for iOS devices or (ii) the Android advertising ID or (iii) the Huawei ID, the IP/MAC address, the HTTP header as well as the email address, telephone number, address and a fingerprint of your end device (additionally: time of access, country, language, local settings, operating system and version as well as the app version). We also include user device and web activity information as well as app and event tokens in this analysis. This data is processed exclusively on a pseudonymised/anonymised basis. You can reset or deactivate the IDFA or Google GAID, the Android advertising ID and the Huawei ID at any time via your operating system. In the event that the IDFA is not available, we use the SkAdNetwork (Apple’s attribution API) to assign the installations of our app to an advertising campaign.
Store purchasing data from the Lidl Plus loyalty programme
Specific to the Lidl app:
In order to display interest-based information to you, we must be able to assign the above-mentioned information to you as a person. For this purpose, we establish a connection to your customer number from the time you complete your Lidl Plus registration. Your consent to the provision of personalised information also covers this processing step.
9.5 Legal basis/Recipient/Storage period
Legal bases:
The legal basis for the use of convenience, statistics and marketing cookies is your consent in accordance with Article 6(1)(a) GDPR. The legal basis for the use of technically necessary cookies is Article 6(1)(b) GDPR, i.e. we process your data to provide our Services in the course of contract initiation or contract processing.
Facebook bases the processing of data for Facebook Custom Audience on the consent of Facebook users in accordance with Article 6(1)(a) GDPR and the legitimate interests of Facebook in accordance with Article 6(1)(f) GDPR in order to ensure accurate and reliable reports and accurate performance statistics for Facebook advertisers. You can find more information on this in Facebook's Privacy Policy or here. You can contact Facebook’s data protection officer here.
Recipients/categories of recipients:
As part of data processing using cookies and similar technologies for processing usage data, we may use specialist service providers, in particular from the online marketing sector. They process your data on our behalf as data processors, are carefully selected and contractually bound in accordance with Article 28 GDPR. All companies listed as providers in our cookie notice are, unless they have been named as (joint) controllers in this data protection notice, acting as data processors for us.
As part of our cooperation with Google Ireland Limited, Meta Platforms Ireland Limited, The UK Trade Desk Limited, Microsoft Ireland Operations Limited and TikTok Information Technologies UK Limited, the above-mentioned data is generally also processed on servers in the USA and the UK for statistical and marketing purposes (see the separate explanations on third country transfers under Section 3).
Storage period/criteria for determining the storage period:
The storage period for cookies can be found in our cookie notices. If "persistent" is specified in the "Expiry" column, the cookie is stored permanently until the corresponding consent is withdrawn.
Criteo SA will store your data for a maximum of 13 months.
Your data can remain in a Facebook Custom Audience for a maximum of 180 days. After 180 days, your data belonging to the website’s custom audience will be removed if you do not visit the website again.
9.6 Cancellation/opt-out option/Further information
You can withdraw your consent at any time, for example via the preferences manager. You can report your withdrawal either to us or to those jointly responsible with us.
Website:
You can also block the technologies explained here by rejecting certain or all cookies in the cookie setting in your browser. We would like to point out that you may then not be able to use all the functions of these Services.
Lidl app:
If you wish to withdraw your consent to tracking in the Lidl app, you can do so at any time with effect for the future by doing so after completing registration via the opt-out in the app under "More" -> "Legal information" -> "Tracking".
You can object to the use of the Custom Audiences Service globally on the Facebook website. After logging in to your Facebook account, you will be taken to the settings for Facebook adverts.
You can deactivate personalised advertising with Microsoft and Google or set it individually. Details can be found on the respective support pages:
Microsoft: https://help.ads.microsoft.com/#apex/3/en-en/51029
and https://account.microsoft.com/privacy/ad-settings/signedout.
Google: https://support.google.com/My-Ad-Center-Help/answer/12155451 .
You can also find setting options for personalised advertising at https://youradchoices.com/ and here.
Further information on data processing by the companies listed below and on exercising your rights as a data subject can also be found in the following data protection policies:
Meta (Facebook): https://de-de.facebook.com/policy.php
RTB House: https://www.rtbhouse.com/privacy-center/services-privacy-policy/
TikTok: https://www.tiktok.com/legal/privacy-policy-row
AWIN: https://www.awin.com/de/datenschutzerklarung
lead alliance: https://www.lead-alliance.net/dataprotection2
Ladenzeile: https://company.ladenzeile.de/datenschutzerklaerung/
Solute: https://www.solute.de/ger/datenschutz/
Kelkoo: https://www.kelkoo.de/unternehmen/datenschutzrichtlinie/
moebel.de: https://www.moebel.de/datenschutz
Microsoft: https://privacy.microsoft.com/de-de/privacystatement
Google: https://policies.google.com/privacy?hl=de
Criteo: https://www.criteo.com/de/privacy/
Virtual Minds: https://virtualminds.de/datenschutz/
The UK Trade Desk: https://www.thetradedesk.com/de/privacy
An information overview of the individual cookies and similar technologies used, together with the respective processing purposes, the respective storage period and any third-party providers involved can be found here. Further details on processing can also be found in the preferences manager.
10. Map services
10.1 Bing Maps
Purposes of data processing/legal basis
On this website we use map material from Bing Maps, a Service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA. This allows us to display interactive maps directly on the website and enables you to conveniently use the map function, e.g. to find Lidl stores in your local area.
The use of Bing Maps serves to provide an attractive presentation of our offers and an easy method of finding the places indicated by us on the website. This constitutes a legitimate interest within the meaning of Article 6(1)(f) GDPR.
When you visit our website, the provider of Bing Maps, Microsoft Corporation, receives the information that you have accessed the corresponding page of our website. To use the functions of Bing Maps, your IP address is processed as part of the Internet communication. This is usually processed on a Microsoft server in the USA.
We have no influence over the specific data processed by Bing Maps. Further information on the purpose and scope of data processing by Bing Maps can be found in the Microsoft Privacy Policy. There you will also receive further information about your rights and the setting options to protect your privacy.
10.2 Google Maps, Apple Maps, Huawei Map kit
Purposes of data processing/legal basis
In our app, you have the option of using the map service of your mobile device’s operating system to find Lidl stores in your local area, for example. This allows interactive maps to be displayed directly in the app.
In order to be able to use map services, it is necessary to process your IP address as part of the Internet communication. This is usually processed on a server of the respective operating system provider. We have no influence over the specific data processing. Further information on the purpose and scope of data processing can be found in the data protection notice of the respective provider. There you will also find further information about your rights and settings to protect your privacy.
Providers’ addresses and data protection notices:
Google Maps
o Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland,
o Privacy Policy: https://www.google.com/policies/privacy/,
o Terms of Service: https://maps.google.com/help/terms_maps.html,
Apple Maps
o Apple Inc, One Apple Park Way, Cupertino, California, USA.
o Privacy Policy: https://www.apple.com/legal/privacy/de-ww/
o Terms of Use: https://www.apple.com/legal/internet-services/maps/terms-de.html,
Huawei Map kit
o Huawei Aspiegel SE, 1F, Simmonscourt House, Ballsbridge, Dublin D04 W9H6, Ireland. Huawei
o Privacy Policy: https://www.huawei.com/en/privacy-policy
o Terms of use: https://developer.huawei.com/consumer/es/hms/huawei-MapKit/.
The use of map services is based on our contractual relationship with you, Article 6(1)(b) GDPR, as well as on our legitimate interest in presenting our offers in an attractive manner and making it easy to find the locations specified by us in the app. This constitutes a legitimate interest within the meaning of Article 6. If you use the map services in the Lidl app or have agreed to geolocalisation in the settings of your mobile device via the "Give permissions" dialogue, we use this function to be able to offer you individual services based on your current location. In particular, we process your GPS and network-based location for the "store search", "e-charging station search" and "partner benefits search" functions in order to show you the stores closest to you. We do not store geolocalisation data permanently.
The legal basis for the data processing described above is Article 6(1)(b) and (f) GDPR. The legitimate interest lies in presenting our offers in an attractive manner and making it easy to find the locations specified by us in the app.
Controller
Lidl Ireland is responsible for the data processing for Google reCAPTCHA.
Purposes of data processing/legal basis
We use Google reCAPTCHA to protect your data and the transmission of forms, in particular in the context of participating in competitions and registering for newsletters on the website, from attacks or misuse by automated programmes (known as bots). Bots are used, for example, to obtain passwords for customer accounts or to restrict the functionality of the website through mass data transfers.
Google reCAPTCHA determines whether the interaction with the website is by a human user or a bot. For this purpose, usage behaviour (time spent on the page or mouse movements made) is analysed and the IP address is read by Google and checked to see whether it could be assigned to a bot in the past. If the IP address has already been assigned to a bot, Google transmits this information to us. We then store these IP addresses for defence against future attacks. This analysis starts automatically as soon as you open the registration page.
The legal basis for this data processing is Article 6(1)(1)(f) GDPR. Our legitimate interest follows from the above-mentioned purposes of processing.
Recipients/categories of recipients
When using Google reCAPTCHA, the above-mentioned data is also processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA to provide the Service. We have no influence over the processing and use of data by Google. Further information on data processing by Google can be found here: https://policies.google.com/privacy.
Our website and the Lidl app contain links to other websites and apps operated by other Lidl companies, selected partners or other third parties. If you click on one of these links, for example in the Lidl app via an in-app banner, you will be redirected to the website/app or to your respective app store. The links may also contain special tracking techniques that enable the operators of the websites/applications mentioned to understand and measure where the user has learnt about them. We have no influence over data processing by these websites/apps. We recommend that you check the relevant privacy policy of each website/app you are redirected to in order to understand what information about you is processed by the operator.
If we redirect you to one of these websites/apps, we process your personal data in order to fulfil your (technical) request to visit the respective application or website (Article 6(1)(b) GDPR) and on the basis of the operator’s legitimate interest in carrying out advertising (Article 6(1)(f) GDPR).
Purposes of data processing/legal basis
Location data
If you have agreed to geolocalisation via the "Give permissions" dialogue when using the Lidl app or in the settings of your mobile device, we use this function to be able to offer you individual services based on your current location. In particular, we process your GPS and network-based location as part of the "store search" function in order to show you the stores closest to you.
Photos/media/files on your mobile device/USB memory contents (read, change, delete)
If you create a shopping list or a shopping basket via the Lidl app, these will be saved directly in the memory of your mobile device or on a connected storage medium, depending on the installation location of the app and the available storage space.
Camera (taking pictures and videos)
The camera on your mobile device is used to scan QR codes.
WLAN connection information
The Lidl app uses your mobile device’s WLAN connection to establish a connection to the Internet.
Other device functions or device sensors
By accessing the other device functions and device sensors of your mobile device, the Lidl app is able to retrieve data from the Internet and process error messages. It also allows the Lidl app to be executed at start-up and the device’s sleep mode to be deactivated. Finally, if you have given your consent, the Lidl app can send you push notifications to inform you about current offers and promotions.
The legal basis for the processing of your location data is your consent in accordance with Article 6(1)(a) GDPR.
We have integrated YouTube videos into our website, which are available at https://www.youtube.com and can be played directly from these Services. These are all integrated in "extended data protection mode", i.e. no data about you as a user is transferred to YouTube if you do not play the videos. The data is only transferred when you play the videos. We have no influence over the data processing by the operator of YouTube.
Further information on the purpose and scope of data collection and its processing by YouTube can be found in the provider’s privacy policy. There you will also find further information on your rights in this regard and setting options to protect your privacy. Address and privacy policy of YouTube: Google LLC, 1600 Amphitheatre Parkway. Mountain View, CA 94043, USA; https://www.google.de/intl/de/policies/privacy/.
Lidl collects information from job applicants who apply via our online careers portal. This information is uploaded onto our applicant database and is held solely with applicants’ consent. All applicant information is processed by a third party on behalf of Lidl. We are committed to keeping your personal information safe and secure. We have put in place adequate security and technical measures, which we review on a regular basis, to ensure the safety and security of your personal information.
You have the right to request information about the personal data stored about you, free of charge in accordance with Article 15(1) GDPR.
If the legal requirements are met, you also have the right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR). If you have provided us with the processed data, you have a right to data portability in accordance with Article 20 GDPR.
If data processing is carried out on the basis of Article 6(1)(1)(e) or (f) GDPR, you have the right to object in accordance with Article 21 GDPR. If you object to data processing, this will only be continued if we can demonstrate compelling legitimate grounds for further processing that outweigh your interest in objecting. You can send your objection at any time to data.controller@lidl.ie and Customer.service@lidl.ie.
If the data processing is based on consent in accordance with Article 6(1)(1)(a) or Article 9(2)(a) GDPR, you can withdraw your consent at any time with effect for the future without affecting the lawfulness of the previous processing.
You also have the right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority of the state in which you live or in which the controller has its registered office is responsible.
We have presented numerous relationships of joint responsibility in accordance with Article 26 GDPR in this data protection notice. Upon your request (e.g. via the contact options specified in Section 1), we will be happy to provide you with the essentials of the respective agreement on joint responsibility. To exercise your rights as a data subject, you are welcome to contact us or – for the data processing in question – those jointly responsible with us.
Should you have any questions or wish to exercise your data protection rights, you can contact our data protection officer using the following information:
Data Controller
Lidl Ireland GmbH
Main Road
Tallaght
Dublin 24
Ireland
data.controller@lidl.ie