Privacy Protection

PRIVACY POLICY

Your privacy is important to us

Thank you for visiting our website. We take the protection of your personal data very seriously and therefore endeavour to not only provide you with a comprehensive online offering but in the process to safeguard the control of your own data.

In interacting with you, our customers, we will at times collect and process various categories of your personal data. This is only ever the right bits of your data, the right amount of it and for the right reasons as explained in this notice. We do so in order to provide you with the best possible Lidl experience and we commit to protect your personal data that is collected and processed when interacting with us and always tell you about what is being collected. When you interact with us you should never feel anything less than safe and secure in how your data is handled.

The following data protection information will inform you about the nature and scope of the processing of your personal data by Lidl Stiftung & Co. KG (hereafter referred to as Lidl). Personal data relates to information that is or can be directly or indirectly attributed to your person. The General Data Protection Regulation (GDPR) serves in particular as the legal foundation for data protection.

1. Overview

When you access the Lidl website, app and other Lidl platforms, certain information is exchanged between your device and our server. This may also be personal data. Data collected in this way can for instance be used to optimise our website or to display advertising in the browser of your device.

2. Accessing our website

Purpose of data processing / legal basis:

When you access our website, the browser used on your terminal device will, automatically and without any action on your part, send

• the IP address of the requesting web-enabled device,
• the date and time of access,
• the name and URL of the requested file,
• the website/ application from which the access was made (referrer URL),

the browser you are using and possibly the operating system of your web-enabled computer as well as the name of your access provider to our website server where they are temporarily stored in a so-called log file for the following purposes:

• ensuring a smooth establishment of the connection;
• ensuring convenient use of our website / application;
• evaluation of system security and stability.

The legal basis for the processing of the IP address is for the legitimate interests as explained in the above-listed purposes of data processing.

Storage duration / criteria for specifying the storage duration:

The data is stored for seven days and automatically deleted thereafter.

3. Use of Cookies and similar Techniques for the Processing of Usage Data

We, Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, are the controller with respect to data processing in connection with the use of “cookies” and other similar technologies to process usage data on all ( sub-)domains at https://lidl-service.com.

Cookies are small text files that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any harm to your end device, nor do they contain any viruses, trojans or other malware. The cookie stores certain information that results in connection with the specific end device deployed. This does not, however, mean that we will immediately become aware of your identity.

Cookies and the other technologies used to process usage data are deployed for the following purposes, depending on the categories of cookie/other technologies:

• Technically necessary: these are cookies and similar technologies that are necessary for you to use our services ( for example to correctly display our website/the functions you request, to record you signing in or to fill your shopping cart when making online purchases, etc.).
• Statistics: these technologies enable us to tailor the design of our services by producing anonymized statistics about how they are used. For example, we can use them to determine how better to adapt our website to user habits.

Please click here for an overview of the cookies we use, including the respective purposes of processing, storage periods and any third party providers involved.

Depending on the purpose, the use of cookies to process usage data involves processing the following types of personal data in particular:

Technically necessary:

• consent to cookie preferences.

Statistics:

• pseudonymized usage profiles containing information on the use of our website. These contain in particular:
• browser type/browser version;
• operating system used;
• referrer URL (i.e., the previously visited page);
• host name of the accessing computer (IP address);
• time of the server request;
• individual user ID; and
• events triggered on the website (web browsing behavior).
• The IP address is routinely anonymized, which in principle means it is no longer possible to identify you.

The legal basis for using preference, statistics and marketing cookies is your consent given pursuant to Article 6(1)(a) GDPR. The legal basis for using technically necessary cookies is Article 6(1)(f) GDPR because we have a legitimate interest in offering you a fully functional website.

You may withdraw/modify your consent at any time with effect for the future without this affecting the lawfulness of the processing based on consent before its withdrawal. Click here to make your selection. Simply uncheck the respective box to withdraw your consent for the given data processing purpose.

Recipients/categories of recipient:

When using cookies to process usage data, we may on occasion retain specialized service providers, particularly from the field of online marketing, to process data. They process your data on our behalf as processors. Each has been carefully selected and bound by contract in accordance with Article 28 GDPR. All of the companies listed as service providers in our cookie policy act as processors on our behalf.

If you have consented to processing for marketing purposes, we may potentially share your User ID and the associated user profiles with third parties via the providers of advertising networks.

Storage time/criteria for determining storage time:

For information on the duration of storage for cookies, see our cookie policy. If “persistent” is entered in the “expiration” column, the cookie will be stored permanently until the corresponding consent is withdrawn. The storage period for data stored in session storage is limited to the respective session and ends when the browser is closed.

4. Email contact

Personal information that you provide to us by e-mail is, of course, treated confidentially. We use your data exclusively earmarked to process your request. The legal basis for data processing is Article 6 (1) (f) GDPR. Our and your concurrent (legitimate) interest in the data processing results from the goal of answering your request.

Recipients / Categories of recipients:

We generally exclude the transfer of data to third parties. Exceptionally, data on our behalf will be processed by contracted processors. These are carefully selected, and are audited and contracted by us in accordance with Article 28 of the GDPR.

Storage duration / criteria for specifying the storage duration:

All personal information that you send to us as queries (suggestions, compliments or complaints) will be deleted by us no later than 90 days after the final response has been given to you, or securely anonymised.

5. Receiver outside the EU

Data are not transferred to recipients outside of the European Union.

6. Embedded Content

We’ve added YouTube videos to our online offering at http://www.YouTube.com are stored and are directly playable from our website. These are all embedded in the “advanced privacy mode”, which means that if you do not play the videos, no information about you as user will be transferred to YouTube. Only when you play the videos, the data will be transferred. We have no control over this data transfer.

For more information on the purpose and scope of your data collection and processing through YouTube, please refer to the provider’s privacy policy. There you will also find further information about your rights and settings options for the protection of your privacy. YouTube’s address and privacy policy: Google LLC, 1600 Amphitheater Parkway. Mountain View, CA 94043, USA; https://www.google.de/intl/de/policies/privacy/.

7. Your Rights

7.1 Overview

In addition to the right to withdraw your consent, the following further rights are available to you if the respective legal requirements are met:

• Right to information about your personal data stored by us in accordance with Article 15 GDPR and the Data Protection Act 2018 s.45,
• Right to rectification of incorrect or incomplete data in accordance with Article 16 GDPR and Data Protection Act 2018 s.46,
• The right to erase your stored data according to article 17 GDPR and Data Protection Act 2018 s.47,
• The right to restrict the processing of your data in accordance with Article 18 of the GDPR and Data Protection Act 2018 s.47,
• Right to data portability in accordance with Article 20 of the GDPR,

Right to object according to Article 21 GDPR.

7.2 Right to information under Article 15 of the GDPR and Data Protection Act 2018 s.94

You have the right, pursuant to Article 15 (1) of the GDPR, to obtain, free of charge, information about the personal data stored by us about you. This includes in particular:

• the purposes of and legal basis for the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data has been or will be disclosed;
• the planned period of storage of personal data concerning you or, if specific information is not available, criteria for determining the duration of storage;
• the existence of your rights to rectification and erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
• the existence of a right to lodge a complaint with the supervisory authority;
• all available information as to the source of the data if the personal data are not collected from the data subject;
• the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved and the scope and envisaged impact of such processing on the data subject.

If personal data are transferred to a third country or to an international organization, you have the right to be informed about the appropriate safeguards under Article 46 of the GDPR in connection with the transfer.

7.3 Right to correction under Article 16 of the GDPR

You have the right to request that we correct your incorrect personal data without delay. In consideration of the purposes of processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

7.4 Right to erasure under Article 17 of the GDPR

You have the right to ask us to delete your personal information without delay if one of the following applies:

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• you withdraw your consent, on which the processing was based pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR, and there is no other legal basis for the processing;

you object to the processing in accordance with Article 21 (1) or (2) GDPR and there are no compelling legitimate grounds for processing in the case of Article 21 (1) GDPR;

• the personal data were processed unlawfully;
• the erasure of personal data is required to fulfil a legal obligation;
• the personal data were collected in relation to information society services offered pursuant to Article 8 (1) of the GDPR.

If we have made the personal information public and are required to delete it, taking due account of the technology available and the implementation costs, we will take reasonable steps to inform the third parties processing your data that you also require them to delete all links to such personal data or copies or replications of such personal data.

7.5 Right to limit processing in accordance with Article 18 GDPR

You have the right to ask us to restrict processing if one of the following conditions is met:

• the accuracy of your personal information is disputed by you;
• the processing is unlawful and you ask for the restriction of the use of your personal data instead of deletion;
• the controller no longer needs the personal data for the purposes of processing, but the data subject requires it to assert, exercise or defend legal claims or
• you have lodged an objection to the processing pursuant to Article 21 (1) of the GDPR, pending determination as to whether the legitimate grounds of the controller prevail over those of the data subject.

7.6 Data portability under Article 20 of the GDPR

You have the right to receive the personal information you provide to us in a structured, common and machine-readable format, and you have the right to transfer that information to another person without hindrance, provided that

the processing is based on a consent under Article 6 (1) (a) or Article 9 (2) (a) or on a contract under Article 6 (1) ( b) GDPR and processing is done by automated methods.

In exercising your right to data portability, you have the right to have your personal information transmitted directly by us to another controller, where technically feasible.

7.7 Right to object according to Article 21 GDPR

Under the conditions of Article 21 (1) of the GDPR, data processing may be objected to for reasons that arise from your particular situation.

The above general right to object applies to all processing described in this Privacy Policy, which is based on Article 6 (1) (f) of the GDPR. Unlike the special right of objection to data processing for commercial purposes (see section 3.6 above), according to the GDPR we are only obliged to implement such a general objection if you give us reasons of overriding importance, e.g. a potential danger to life or health.

8. Contact

8.1 Contact for questions or to exercise your data protection rights

If you have questions about the website or the exercise of your rights in relation to the processing of your data (data protection rights), you can contact our customer service:

https://www.lidl.de/de/kontakt/s2483

8.2 Contact for questions about data protection

If you have further questions about the processing of your data, you can contact the company data protection officer of Lidl (see section 9).

8.3 Right to lodge a complaint with the supervisory authority

You also have the right to lodge a complaint with the supervisory authority competent in your country or with the data protection authority of the Bundesland Baden-Württemberg in Germany, where Lidl has its head offices.

9. Name and contact details of the controller and contact details of the company data protection officer

This privacy policy applies to data processing by

Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany („Controller“) and for the website www.lidl-service.com. The corporate data protection officer of Lidl Stiftung & Co. KG can be contacted at datenschutz@lidl.com