Privacy policy for the Lidl website and the Lidl App

Last revised: October 2024

Version: 1.0

1. Contact details of the controller and the Data Protection Officer

The company Lidl Malta Limited, having registered office at Vassallo Business Park, Burmarrad Road, Naxxar NXR 6345, Malta, which may be contacted at the e-mail address privacymt@lidl.com.mt (hereinafter also referred to as "Lidl Malta" or "Lidl") and the company Lidl Stiftung & Co. KG, having registered office at Stiftsbergstraße 1, 74172 Neckarsulm, Germany, which may be contacted at the e-mail address privacy@lidlplus.com.mt (hereinafter also "Lidl Stiftung") hereby provide the following information on the processing of personal data (hereinafter also "Privacy policy") pursuant to articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter also “GDPR”) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any subsidiary legislation issued under the same as may be amended from time to time, in relation to the processing of your personal data carried out on the website www.lidl.com.mt and in the Lidl App (hereinafter also “Services”).

Based on the foregoing, the processing activities described in this Privacy policy are considered to be carried out either together as joint controllers or in the capacity of independent controllers by Lidl Stiftung and Lidl Malta, respectively. The respective capacities are set out below for each processing activity.

The Data Protection Officer of Lidl Malta can be contacted at the postal address above or by e-mail at privacymt@lidl.com.mt. The Data Protection Officer of Lidl Stiftung can be contacted at the postal address above or at privacy@lidlplus.com.mt .

Please do not use the above e-mail addresses for non-privacy related issues (e.g. applications and customer service contact requests).

If you have any questions about our website or the Lidl App or would like to exercise your rights with regard to the processing of your data (see section 15), you can contact our Customer Services via the contact form .

2. Involvement of third parties as data processors

Unless otherwise stated, the recipients or categories of recipients named below act as data processors. They are carefully selected and contractually bound in accordance with article 28 GDPR. This means that they may only process personal data on the basis of our instructions and not for purposes other than those stated.

3. Transfers to recipients in third countries

Under certain circumstances, it may be necessary for us to transfer your personal data to recipients in a third country or several third countries outside the European Union (EU) and the European Economic Area (EEA).

The EU Commission has certified some third countries as having a level of data protection comparable to the GDPR by means of an adequacy decision. You can find an overview of adequacy decision here . For service providers based in the USA, this only applies if they are certified in accordance with the EU-US Data Privacy Framework.

If there is no adequacy decision, we secure the transfer by other measures. These can be, for example, binding company regulations, standard contractual clauses of the European Commission, certifications or recognised codes of conduct.

Unless otherwise stated below, the transfer to a third country takes place either on the basis of an adequacy decision or one of the measures listed above. If you have any questions, please contact the Data Protection Officer.

4. Accessing our Services

Data controller

The processing of your personal data in the context of your navigation within our Services is carried out by Lidl Malta Limited and Lidl Stiftung & Co. KG as joint data controllers.

Purposes of data processing/legal basis

When you access our Services automatically and without your intervention, your browser/device sends the following:

IP address of the requesting web-enabled device used,
date and time of access,
name and URL of the retrieved file,
website/app from which access is made (referrer URL),
browser you are using and, if applicable, the operating system of your web-enabled computer,
name of your access provider,
in general your browsing data in accordance with the cookie policy available at section 9 of this Privacy policy.

Our server stores them temporarily in a log file for the following purposes:

ensure a smooth connection set-up,
ensure convenient/appropriate use of our website/app,
evaluate system security and stability,
comply with legal obligations.

If you have consented in your browser or in the operating system or other setting in your device to geolocalisation, we use this feature to offer you individualized services related to your current location (e.g. the location of the nearest store). We only process your location data in this way for this function.

The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you through the features available within our Services (article 6, paragraph 1, letter b) GDPR), to protect of our systems and prevent unauthorised access (article 6, paragraph 1, letter f) GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).

Storage period/criteria for determining the storage period

The data is stored for a seven-day period, except in case where the storage for a further period is required for any claims, requests from the competent authorities or for compliance with a legal obligation. However, your browsing data may be further stored in accordance with the cookie policy available at section 8 of this Privacy policy. Geolocation data is deleted once you have finished browsing our site.

5. Customer Service requests/customer surveys

Data controller

Within the context of Customer service requests and/or customer surveys relating to products/services offered by Lidl Malta Limited, your personal data is processed by Lidl Malta Limited.

If your contact request concerns the website and/or the Lidl App, your personal data will be processed by Lidl Malta Limited together with Lidl Stiftung & Co. KG as joint data controllers.

If your contact request is submitted as a Lidl Plus member, your personal data will be processed by Lidl Malta Limited on behalf of Lidl Stiftung & Co. KG.

Purposes of data processing/legal basis

Personal information that you provide to us when filling out contact forms, by telephone or submitted by e-mail, letter, fax, through social media or messenger services is of course treated confidentially. For this purpose we may process, for example, your name, surname, e-mail address, mailing address, telephone number.

We use your data solely for the purpose of processing your inquiry, resolving complaints and disputes as well as for complying with applicable legal obligations.

The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you when filling out our contact form, by telephone or submitted by e-mail, letter, fax, through social media or messenger services (article 6, paragraph 1, letter b) GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).

In the event of requests for assistance relating to non-food and/or textile products, regardless of whether you wish to make use of the legal warranty or are interested in purchasing spare parts, we inform you that your personal identification and contact data will be transmitted to the technical assistance centre specifically appointed by Lidl which will contact you to handle your request for assistance in the best possible way. The said data transfer takes place for the sole purpose of handling your request for assistance for products purchased at Lidl (article 6, paragraph 1, letter b) GDPR).

In order to verify your identity as a customer or user and to process your requests to our customer service in the best possible way, we may also use the personal data you have already provided by yourself within the scope of your use of the Lidl App and/or within your subscription to the loyalty program Lidl Plus. The legal basis for this processing is article 6, paragraph 1, letter f) GDPR. Lidl Malta's legitimate interest in the processing of your personal data arises from our intention to answer your request as efficiently as possible, thereby maintaining and promoting customer satisfaction.

If you participate in one of our customer surveys, you do so on a purely voluntary basis. No information from these anonymous surveys is stored which will enable a connection to the participants to be established. We only store the date and time of your participation. Any personal information which you provide when answering to our survey questions is considered to be given voluntarily and in accordance with the provisions of the GDPR. Please do not insert any names or similar information into free text fields which could allow a connection to you or other persons to be established. Should you request to be contacted by our Customer Service and therefore provide your personal data such as name, surname, e-mail address or telephone number, these data will be processed for the exclusive purpose of fulfilling your request. For this specific data processing, article 6, paragraph 1, letter b) GDPR applies as the legal basis. For more information in this regard, please read the specific privacy policy for the said customer survey.

Recipients/categories of recipients

For the abovementioned purposes, your personal data may be transferred to the following categories of recipients: (i) business partners who will provide you with technical assistance for non-food and / or textile products in order to process your request (legal warranty or purchase of spare parts); (ii) where necessary, contracting parties (e.g. suppliers, where inquiries are product-specific) in order to process your inquiry (in these cases, not included under i) above, your inquiry will be anonymized in advance to ensure that the third party cannot relate it to you. If sharing your personal data is necessary in an individual case, we will inform you of this and obtain your consent), (iii) third-party suppliers of assistance and advice for Lidl Malta with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; call centre services (e.g. IN&OUT S.p.a., viale Bramante 29, Fiumicino, Roma, Italy), (iv) companies of the group to which Lidl Malta belongs; (v) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processor.

As far as surveys are concerned, these are usually used for internal evaluations only. Any personal information that may be provided during the survey will not be passed on to third parties, except in the event of a request for any litigation, requests from the competent authorities or pursuant to applicable law.

Storage period/criteria for determining the storage period

All the personal data that you provide us in inquiries (suggestions, praise or criticism), when filling out contact forms, by telephone or submitted by e-mail, letter, fax, through social media will be stored as long as necessary to pursue the purposes set out in this policy and will be deleted, as a general rule, no later than 90 days after the final response is sent, or anonymized, unless their retention is necessary for a longer period due to a critical nature or importance of the specific request or except for the case in which storage for a further period is required for any claims, requests by the competent authorities or for compliance with a legal obligation.

In our experience, we generally receive no further inquiries to our responses after 90 days. However, in the event of a critical nature or importance of the specific request (e.g. formal complaints), our company policies provide for a retention period of up to 3 years after the final response is sent, while if you exercise your rights as a data subject, your personal data will be stored for a period of 5 years from our response, as evidence of the completeness of the information provided to you and of compliance with legal requirements. We also provide for a 10-year retention period after the final response is sent for requests made in connection with a product recall or product liability.

The retention period of the personal data that you may provide in the context of customer surveys is indicated in advance by means of the specific privacy policy for the said survey. However, data may be stored for a further period if required for any claims, requests from the competent authorities or for compliance with a legal obligation.

6. Competitions

Data controller

The data controller for the processing in connection with the organisation of competitions is Lidl Malta Limited.

Purposes of data processing/legal basis

You have the option of taking part in various Lidl Malta prize draws through our website, our newsletter or via the Lidl App. The personal data collected in the context of the prize draw will be indicated by Lidl Malta when you sign up to the draw. Unless otherwise specified in specific data protection policies for the prize draw in question or if you have not given us additional express consent, the personal data you provided to us when entering the prize draw will be processed exclusively to execute the prize draw (e.g. determination of the winner(s), notification of the winner(s), sending of the prize) and to comply with applicable law obligations.

The processing of the aforementioned personal data is necessary as essential in order to consent your participation in the prize draw (article 6, paragraph 1, letter b) GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR). The data may also be processed in the event that it is necessary to exercise or defend a right of Lidl Malta and/or third parties (Article 6, paragraph 1, letter f) GDPR).

Further details are provided in the specific privacy policy for the prize draw.

Recipients/categories of recipients

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta with reference, for example, to the technological sector (e.g. (e.g. agency that takes care of hosting participant data as well as managing competition procedures) and legal sector (e.g. law firms); (ii) companies of the group to which Lidl Malta belongs; (iii) third party suppliers involved in the awarding of prizes (e.g. travel agency, car dealerships), (iv) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities (e.g. The Malta Gaming Authority). Depending on the specific case, these recipients will process such personal data as data controllers or processor.

Storage period/criteria for determining the storage period

Your personal data processed in the context of the prize draw will be stored as long as necessary to pursue the purposes set out in this Privacy policy. After the end of the prize draw and the identification of the winners, the personal data of participants are deleted, except in case where the storage for a further period is required for any claims, requests from the competent authorities or for compliance with a legal obligation. In case of material prizes, the data of the winners are stored for the duration of the statutory warranty in order to arrange for rectification or replacement if there is any defect in the prize.

7. Sending of marketing and advertising communications

Data controller

The processing of your personal data as part of sending of marketing and advertising communications is carried out by Lidl Malta Limited and Lidl Stiftung & Co. KG as joint data controllers.

Purposes of data processing/legal basis

On our website, in our Lidl App, on the websites or in the mobile apps of our business partners and via embedded content on our social media presences/profiles, you have the opportunity to subscribe and receive marketing and advertising communications of Lidl Stiftung, Lidl Malta and other business partners, by email and other electronic communication channels (e.g. SMS, WhatsApp and push notifications).

If you subscribe to our marketing and advertising communications, we use your e-mail address and, in certain cases, your name and surname to send you information about products, services, promotions, prize draws and news from our shops, the Lidl Plus loyalty program, as well as to conduct customer satisfaction surveys (see section 7.1 "Advertising content"), taking into account your user profile (see section 7.2 "Personalised user profile").

In order to ensure that no errors have been made when entering the email address, we use the double opt-in procedure. After you have entered your email address in the registration field, we will send you a confirmation link. Only when you click on this confirmation link will your email address be added to our mailing list. We will do the same with your mobile phone number if you have provided it to us as part of the Lidl Plus registration process.

If you have requested our marketing and advertising communications service, the processing of your personal data as set out above is necessary as it is essential to provide you with communications relating to products and services offered by Lidl and the business partner identified above. The legal basis for the processing shall therefore be your express consent provided under article 6, paragraph 1, letter a) GDPR.

You may decide to withdraw your consent by unsubscribing from the marketing and advertising communications at any time. This shall not affect the lawfulness of processing based on consent before its withdrawal. You may find the link to unsubscribe at the end of each newsletter. If you would like to contact us regarding your cancellation request, you can contact the Customer Service of Lidl Malta via the contact form . When you unsubscribe, we consider your consent to the creation of this personalised user profile and the receipt of marketing and advertising communications based on it to be withdrawn.

Recipients/categories of recipients

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl Malta or Lidl Stiftung with reference (e.g.) to the following sectors: technological, marketing and advertising networks; (ii) service supplier for sending the marketing and advertising communications; (iii) companies of the group to which Lidl Malta and Lidl Stiftung belong. If external processors are commissioned for the dispatch of the marketing and advertising communications, these are bound by contract pursuant to article 28 GDPR.

Storage period/criteria for determining the storage period

If you don’t confirm the signing up to our newsletter by the double opt-in procedure, your personal data will be erased after 7 days.

If instead you decide to unsubscribe to the marketing and advertising communications, your data will be deleted from the corresponding distribution lists within 48 hours and you will no longer receive the aforesaid communications.

Your registration data will then be stored for 10 years as proof that we have complied with legal requirements.

Further data processing for marketing purposes

Furthermore, we process data concerning you for marketing purposes using cookies and similar technologies as described in section 8 below in more detail.

7.1 Personalised user profile

With your consent, the above mentioned data controllers record your user behaviour within the websites and the Lidl App, that is:

Lidl Malta Limited
Lidl Stiftung & Co. KG

The evaluation of user behaviour includes in particular the following information:

Used areas of the respective website, mobile app or newsletter,
activated links,
time of opening,
time, duration and frequency of use,
participation in surveys,
frequency and timing of your in-store purchases when using Lidl Plus.

We use this data to create personalised user profile by associating your name and/or email address or mobile phone number with your personal data, in order to be able to better tailor advertising to your personal interests via newsletters, SMS, WhatsApp, push notifications, on-site, in-app and print advertising, and to improve our offers and digital presence.

We may also supplement this user profile with information about your age and gender if you have given us your consent to do so.

If you have completed the "About me" section in the loyalty program Lidl Plus , this data will also be used to tailor our services to your interests. The legal basis for this is article 6, paragraph 1, letter b) GDPR.

7.2 Advertising content

The content of our marketing and advertising communications includes information about promotions, products and services (e.g. offers, discount promotions, competitions, streaming offers, services, surveys, product reviews) from our website, the Lidl App and the Lidl Plus loyalty program. These are currently in particular:

Lidl Malta Limited. (in-store, www.lidl.com.mt),
Lidl Stiftung & Co. KG ( www.lidl.com.mt, www.lidlplus.com.mt ).

7.3 Push notifications

Purposes of data processing/legal basis

To receive regular updates on news, offers and promotions, you can sign up to receive push notifications.

To do this, you will need to confirm the request from your device to receive push notifications. The registration time and a push token or your device ID will be stored. This data is used to send push notifications and as proof of activation.

The Lidl App will only use push notifications if you enable push notifications when installing the app or later in the settings of your device. You can deactivate the receipt of push notifications at any time in the Lidl App or in the device settings.

We statistically analyse push notifications to determine if and when push notifications have been viewed and clicked. This enables us to determine the presumed interests of the recipients and thus optimise the push messages.

The legal basis for processing your data to send push messages is your consent in accordance with article 6, paragraph 1, letter a) GDPR.

Recipients/categories of recipients

If external processors are commissioned to send push notifications, these are bound by contract pursuant to article 28 GDPR.

Storage period/criteria for determining the storage period

Your data will be stored as long as you have activated push notifications.

8. Use of cookies and similar technologies to process usage data

Cookies and other similar technologies (hereinafter also referred to jointly as “Cookies”) to process usage data are files that are sent to your device (laptop, tablet, smartphone or similar) when you visit our website ( www.lidl.com.mt), some of the subdomains (especially account.lidl.com) and the Lidl App (collectively: “these services”) in order to be stored and retransmitted to the same websites, subdomains and/or Lidl App when you visit them the following time. Cookies and other similar technologies do not cause any damage to your device, do not contain viruses, trojans or other types of malware. In the cookie, information is stored which is related to the specific device you use. This does not mean though, that we are directly informed about your identity. The other similar technologies for processing usage data are in particular the pixel tracker, the local storage, the session storage and the cache storage.

8.1 Data controller

The processing of your personal data collected by means of so-called cookies and other similar technologies is carried out by Lidl Malta Limited and Lidl Stiftung & Co. KG as joint data controllers.

In light of the above, please refer to the remainder of this paragraph for further information regarding individual cookies.

8.2 Data controller for the use of cookies for own marketing purposes

For some of the data processing associated with the marketing cookies we use so-called ‘’own‘’ or ‘’first party‘’ cookies, i.e. cookies set directly by us (or by data processors acting on our behalf) and used for our own independent purposes, including the creation of a user profile to which we may associate such data together with your age, gender, browsing and usage behaviour in relation to the website or the Lidl App.

However, we also use so-called “third party” Cookies on our website and in the Lidl App, i.e. Cookies that are set by third parties other than us. These Cookies are used both for advertising purposes within the lidl.com.mt domain and Lidl App and for advertising purposes outside the lidl.com.mt domain and app, i.e. on third party digital media (not belonging to our websites), such as other websites, apps, smart TVs and the like. As part of this collaboration with third parties who install these types of Cookies, we use, with your consent, certain technologies of these partners to understand your browsing behaviour and to show you personalised advertisements on our websites or on our partners' platforms. Our partners may also match the data collected on our website and in the Lidl App with their own databases.

For certain personal data processing activities associated with the use of marketing Cookies we act jointly with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta” or “Facebook”) within the meaning of article 26 of the GDPR (for more information on these third-party cookies, please see the list of cookies under “marketing” in our Cookie policy ).

In the Lidl App, your personal data is also partly processed by the advertising partner The UK Trade Desk Ltd., c/o The Trade Desk, Inc., 42 N. Chestnut Street, Ventura, CA 93001, USA ("TTD") as a separate controller for displaying personalized advertising and measuring success. In order to be able to link your usage behaviour with you, the identifiers (MAID, hashed email address and/or hashed telephone number) are forwarded to TTD on the basis of your consent. In TTD's privacy policy you will find further information on data processing and how you can exercise your rights as a data subject.

We also use Microsoft Advertising and Microsoft Clarity Services of the provider Microsoft Ireland Operations Limited (Microsoft), One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland as well as Google Advertising of the provider Google Ireland Limited (Google), Gordon House, Barrow Street, Dublin 4, Ireland. Microsoft and Google also process user data as part of their advertising services under their own, independent, controllership.

In the Lidl App we also use the "Facebook Custom Audience" service of Meta. In this respect, we are joint controllers with Meta pursuant to Article 26 GDPR.

8.3 Purposes/data processing

8.3.1 General presentation

The use of Cookies serves the following purposes, depending on the category of the cookie or other technology:

Technically necessary: These are cookies and similar technologies without which you cannot use our Services (for example, to display our Services correctly, including font and colour, to provide the functions you have requested and to take your settings into account, to save your registration in the login area, etc.).
Convenience: These technologies allow us to take into account your preferences to offer you the best user experience on our website and the Lidl App. For example, your preferences allow us to display our web pages in a language that is appropriate for you. It also helps us to avoid showing you offers that may not be available in your area.
Statistics: These technologies enable us to compile pseudonymised or anonymous statistics on the use of our Services. This allows us to determine, for example, how we can customise our Services even better to users’ habits. We use your IP address as well as online identifiers, log files and your location (based on network) to prevent misuse and to prevent and identify any security breaches and other prohibited or illegal activities. For example, if you log in from a new/unknown device, we can inform you of such a login attempt.
Marketing - for own advertising purposes: This enables us and other data controllers (see above) to display suitable advertising content based on the analysis of user behaviour and information from your customer account (age, gender, in-store purchase data when using the Lidl Plus loyalty program, if applicable). Your usage behaviour can also be tracked via various websites, apps, browsers and end devices using a user ID (unique identifier).

You can find an overview of the cookies and other similar technologies used, including the respective processing purpose, the storage period and any third-party provider involved, here .

8.3.2 Selected Services

Google Ads Customer Match

We use the Google Ads Customer Match service provided by Google. Lists of user data are sent to Google's servers using the tracking technologies we use. Google then compares the user data submitted to see if it matches the data of Google's customers and then creates audiences that can be used to target ads. The ads may be shown within the Google network (YouTube, Gmail or within the search engine) as well as across devices (known as remarketing or retargeting).

We have entered into a data processing agreement with Google for the use of Google Ads Customer Matching in accordance with article 28 GDPR. Through this agreement, Google guarantees that it will process the personal data in accordance with our instructions and guarantee the protection of data subject rights.

You can find more information on how Google uses the personal data it receives through the integration of services and on the setting options to customize your ads experience here , while information on how to control the ads currently shown to you and on data collection can be found here . Finally, you can find further information by reading Google's privacy policy .

Meta/Facebook

Facebook Custom Audience allows the creation of target groups and the design and display of personalised advertisements on Facebook in accordance with specified requirements.

This process entails the uploading of lists of user data to Facebook, which then compares the transmitted data with existing data from Facebook users. Based on this comparison, target groups are created for the purpose of targeting advertisements on Facebook. With Custom Audience, we ensure that only individuals who have previously engaged with our app or demonstrated interest in our products are shown advertisements on Facebook. Additionally, Facebook utilises the data for its own advertising purposes and for the advertising purposes of third parties.

Further selected data processing in connection with our own advertising purposes

With your consent, we use special technologies from partners to track your browsing behaviour and to display ads tailored to you on our website, the Lidl App or our partner's platform (Facebook, TTD ). Our partners may also match the data collected through these services with their own databases.

Google Advertising can be used to serve targeted ads across the Google network (YouTube, Gmail or within the search engine), to optimise these ads and to track users' activities within our Services if they have come to our website through advertising. Microsoft Clarity can be used to track and visualise user interactions with our website.

We also use Microsoft and Google Advertising to collect information that allows us to track target audiences using remarketing lists. Microsoft and Google Advertising may recognise that these Services have been visited and may serve an advertisement when Microsoft and Google network is subsequently used. We also use this information to compile conversion statistics, i.e. to track how many people have visited these services after clicking on an ad. This tells us the total number of users who clicked on our ads and were directed to these Services. However, we do not receive any information by which users can be personally identified.

8.4 Categories of personal data processing

Within the scope of the use of cookies and similar technologies, depending on the purpose, the following categories of personal data are processed:

Technically necessary:

User input to retain input across multiple subpages (e.g. selecting your preferred store in the store finder);
Authentication data to identify a user after login in order to gain access to authorised content on subsequent visits (e.g. access to the data from Lidl Plus );
Security-related events (e.g. detection of frequently failed login attempts);
Data required to play multimedia content (e.g. play of (product) videos selected by the user);
Information to display our Services correctly, including font and colour, to provide the functions you have requested and to take your settings into account, such as the choices you have made regarding cookies and similar technologies, to save your registration in the login area, etc.

Convenience:

User interface customisation settings that are not linked to a permanent identifier (e.g. language selection or the specific display of search queries or maps in the store finder).

Statistics:

Pseudonymised user profiles with information about the use of our websites. These include in particular:
Browser type/version,
operating system used,
previously visited page (referrer URL),
host name of the accessing computer (IP address),
time of the server request,
individual user ID and events triggered on the website (surfing/browsing behaviour).
The IP address is anonymized, so that it cannot be traced back to your person.
We only merge the user ID with other data from you (e.g. name, e-mail address, etc.) with your express consent. The user ID itself does not allow us to draw any conclusions about your person.

Marketing - Self-promotion:

Pseudonymized user profiles with information about the use of our website. These include in particular:
IP address,
individual user ID,
potential product interests,
access information,
device identifiers,
information about device and browser settings,
mouse/scroll movements,
triggered events on the website and Lidl App (surfing behaviour).
The IP address is anonymized, so that it cannot be traced back to your person.
The user ID (including cookie identifier) or other identifiers (email address, telephone number, address) are only merged with other data from you (e.g. name, email address, age, gender, etc.) with your express consent. The user ID itself does not allow us to draw any conclusions about your person. We may share the user ID and the associated user profiles with third parties via the providers of advertising networks.
We use the following advertising identifiers for in-app analysis and the display of personalised advertising: (i) the IDFA (Identifier for Advertising) for iOS devices or (ii) the Android advertising ID or (iii) the Huawei ID, the IP/MAC address, the HTTP header as well as the email address, telephone number, address and a fingerprint of your end device (additionally: time of access, country, language, local settings, operating system and version as well as the app version). We also include user device and web activity information as well as app and event tokens in this analysis. This data is processed exclusively on a pseudonymised/anonymised basis. You can reset or deactivate the IDFA or Google GAID, the Android advertising ID and the Huawei ID at any time via your operating system. In the event that the IDFA is not available, we use the SkAdNetwork (Apple’s attribution API) to assign the installations of our app to an advertising campaign.
Store purchasing data from the Lidl Plus loyalty program.

Specific to the Lidl App:

In order to display interest-based information to you, we must be able to associate the above information with you as an individual. For this purpose, we establish a link to your customer number from the time you complete your registration for the loyalty program Lidl Plus. Your consent to the provision of personalised information also covers this processing activity.

8.5 Legal basis/Recipient/Storage period

Legal bases

The legal basis for the use of convenience, statistical and marketing cookies and of similar technologies is your consent in accordance with article 6, paragraph 1, letter a) GDPR. The legal basis for the use of technically necessary cookies and similar technologies is article 6, paragraph 1, letter b) GDPR, i.e. we process your data to provide our services in the course of initiation or performance of the contract.

Facebook bases the processing of data for Facebook Custom Audience on the consent of Facebook users in accordance with article 6, paragraph 1, letter a) GDPR and the legitimate interests of Facebook in accordance with article 6, paragraph 1, letter f) GDPR, in order to ensure accurate and reliable reports and accurate performance statistics for Facebook advertisers. You can find more information on this in Facebook's privacy policy or here . You can contact Facebook’s Data Protection Officer here.

Recipients/categories of recipients:

As part of the data processing using cookies and similar technologies to process usage data, we may use specialist service providers, in particular from the online marketing sector. They process your data on our behalf as data processors, are carefully selected and contractually bound in accordance with Article 28 GDPR and act as data processors for us, unless they are named as (joint) controllers in this Privacy policy.

As part of our cooperation with Google Ireland Limited, Meta Platforms Ireland Limited, The UK Trad Limited and Microsoft Ireland Operations Limited, the above-mentioned data is generally also processed on servers in the USA and the UK for statistical and marketing purposes (see further explanations on third country transfers under section 3 of this Privacy policy).

Storage period/criteria for determining the storage period:

The storage period for cookies can be found in our cookie policy. If "persistent" is specified in the "lifespan" column, the cookie is stored permanently until the corresponding consent is withdrawn.

Your data can remain in a Facebook Custom Audience for a maximum of 180 days. After 180 days, your data belonging to the website’s custom audience will be removed if you do not visit the website again.

8.6 Cancellation/opt-out option/further information

You can withdraw/adjust your consent for future processing at any point, without impacting the lawfulness of the processing based on the consent until the moment of withdraw, e.g. via preference management. You may also notify your withdrawal either to us or to those jointly responsible with us.

Website

You can also block the technologies explained here by rejecting certain or all cookies in the cookie setting in your browser. We would like to point out that you may then not be able to use all the functions of these Services. To understand how to set them up, you can consult the following links:

For information on how to manage cookies through other browsers, it is useful to consult the online help files. If this information is not sufficient, we advise you to consult the "Help" section of the browser for more details.

Additionally, our site includes third party content. These third parties may use, with prior consent (where necessary), their own cookies as part of the content integrated on our site. Although these cookies are included in the overview of the cookies and other technologies used, we have no access to these cookies and we are in no way (joint) data controllers.

You can withdraw/adjust your consent for future processing at any point, without impacting the lawfulness of the processing based on the consent until the moment of withdraw. Simply click here and make your selection.

Lidl App:

If you wish to withdraw your consent to tracking in the Lidl App, you can do so at any time for future processing at any point, without impacting the lawfulness of the processing based on the consent until the moment of withdraw, via the opt-out in the app under "More" -> "Legal information" -> "Tracking ".

You can object to the use of the Custom Audiences Service globally on the Facebook website. After logging in to your Facebook account, you will be taken to the settings for Facebook adverts.

You can deactivate personalised advertising with Google or set it individually. Details can be found on the respective support page: https://support.google.com/My-Ad-Center-Help/answer/12155451.

You can also find setting options for personalised advertising at https://youradchoices.com/ and here.

Further information on data processing by the companies listed below and on exercising your rights as a data subject can also be found in the following data protection policies:

Meta (Facebook): https://www.facebook.com/privacy/explanation
Google: https://policies.google.com/privacy?hl=en&gl=en

You can find an overview of the cookies and other similar technologies used, including the respective processing purpose, the storage period and any third-party provider involved here . Further details on processing can also be found in the preferences manager.

9. Map services

Data controller

The processing of your personal data within the scope of the map services is carried out by Lidl Malta Limited and Lidl Stiftung & Co. KG as joint data controllers.

9.1 Bing Maps

Purposes of data processing/legal basis

On our website we use the services offered by Bing Maps, a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA. In this way you can view and use the interactive maps directly from our website to find, for example, the Lidl stores closer to you. To use the Bing Maps functions, it is necessary to consent in your browser or operating system or in other settings on your device to so-called geolocation in accordance with article 6, paragraph 1, letter a) GDPR.

As part of browsing our website, the Bing Maps provider, i.e. the Microsoft Corporation, receives the information if you access the relevant page on our website. To use the functions of Bing Maps, your IP address is usually processed on Microsoft server in the USA. We have no possibility to influence the processing carried out through Bing Maps.

Further information on the purpose and scope of data processing by Bing Maps can be found in the Microsoft privacy policy . There you will also receive further information about your rights and the setting options to protect your privacy.

9.2 Google Maps, Apple Maps, Huawei Map kit

Purposes of data processing/legal basis

In our app, you have the option of using the map service of your mobile device’s operating system to find Lidl stores in your local area, for example. This allows interactive maps to be displayed directly in the app.

In order to be able to use map services, it is necessary to process your IP address. This is usually processed on a server of the respective operating system provider. We have no influence over the specific data processing. Further information on the purpose and scope of data processing can be found in the privacy policy of the respective provider. There you will also find further information about your rights and settings to protect your privacy.

Providers, addresses, privacy policies and terms of service:

Google Maps
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland,
Privacy policy: https://www.google.com/policies/privacy/,
Terms of service: https://maps.google.com/help/terms_maps.html,

Apple Maps
Apple Inc, One Apple Park Way, Cupertino, California, USA,
Privacy policy: https://www.apple.com/legal/privacy/en-ww/,
Terms of service: https://www.apple.com/legal/internet-services/maps/terms-en.html,
Huawei Map kit
Huawei Aspiegel SE, 1F, Simmonscourt House, Ballsbridge, Dublin D04 W9H6, Ireland,
Privacy policy: https://www.huawei.com/en/privacy-policy,
Terms of service : https://developer.huawei.com/consumer/es/hms/huawei-MapKit/.

The use of map services is based on our contractual relationship with you, article 6, paragraph 1, letter b) GDPR, as well as on our legitimate interest within the meaning of article 6, paragraph 1, letter f) GDPR in presenting our offers in an attractive manner and making it easy to find the locations specified by us in the app. If you use the map services in the Lidl App or have agreed to geolocalisation in the settings of your mobile device via the "give permissions" dialogue, we use this function to be able to offer you individual services based on your current location. In particular, we process your GPS and network-based location for the "store search" and "partner benefits search" functions, in order to show you the stores closest to you. We do not store geolocalisation data permanently.

10. Google reCAPTCHA

Data controller

The processing of your personal data within the scope of Google reCaptcha is carried out by Lidl Malta Limited.

Purposes of data processing/legal basis

We use the Google reCaptcha service provided by Google LLC ("Google") in order to protect your personal data and ensure the security of data transfers, particularly in the context of participating in competitions and registering for marketing and advertising communications. to protect your data and the transmission of forms from attacks or misuse by automated programmes (known as bots). Bots are used, for example, to obtain passwords for customer accounts or to restrict the functionality of the website through mass data transfers.

Google reCAPTCHA determines whether the interaction with the website is by a human user or a bot. For this purpose, usage behaviour (time spent on the page or mouse movements made) is analysed and the IP address is read by Google and checked to see whether it could be assigned to a bot in the past. If the IP address has already been assigned to a bot, Google transmits this information to us. We then store these IP addresses for defence against future attacks. This analysis starts automatically as soon as you open the registration page.

The processing of data is thus carried out on the basis of article 6, paragraph 1, letter f) GDPR, as we have a legitimate interest in protecting your personal data and guaranteeing the security of the aforementioned transfers.

Recipients/categories of recipients

When using Google reCAPTCHA, the above-mentioned data is also processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA to provide the Service. We have no influence over the processing and use of data by Google. Further information on data processing by Google can be found here: https://policies.google.com/privacy.

11. Links to other websites and apps

Data controller

The processing of your personal data within the scope of providing you with links to other websites and apps is carried out by Lidl Malta Limited and Lidl Stiftung & Co. KG.

Purposes of data processing/legal basis

Our website and the Lidl App contain links to other websites and apps operated by other group companies, selected business partners or other third parties. If you click on one of these links, for example in the Lidl App via an in-app banner, you will be redirected to the website/app or to your respective app store. The links may also contain special tracking techniques that enable the operators of the websites/apps mentioned to understand and measure where the user has learnt about them. Please note that neither Lidl Stiftung nor Lidl Malta nor any other company belonging to the group to which the companies belong are data controllers for any processing carried out on the websites/apps of third parties. We recommend that you check the relevant terms and conditions, cookie policy and privacy policy of each website/app you are redirected to in order to understand what information about you is processed by the operator.

If we redirect you to one of these websites/apps, we process your personal data in order to fulfil your (technical) request to visit the respective app or website (article 6, paragraph 1, letter b) GDPR) and on the basis of the operator’s legitimate interest in carrying out advertising (article 6, paragraph 1, letter f) GDPR ).

12. Access to functions and sensors on your mobile device

Data controller

The processing of your personal data within the scope of accessing functions and sensors on your mobile device is carried out by Lidl Malta Limited and Lidl Stiftung & Co. KG as joint data controllers.

Purposes of data processing/legal basis

Location data

If you have agreed to geolocalisation via the "give permissions" dialogue when using the Lidl App or in the settings of your mobile device, we use this function to be able to offer you individual services based on your current location. In particular, we process your GPS and network-based location as part of the "store search" function in order to show you the stores closest to you.

Photos/media/files on your mobile device/USB memory contents (read, change, delete)

If you create a shopping list via the Lidl App, these will be saved directly in the memory of your mobile device or on a connected storage medium, depending on the installation location of the app and the available storage space.

Camera (taking pictures and videos)

The camera on your mobile device is used to scan QR codes.

WLAN connection information

The Lidl App uses your mobile device’s WLAN connection to establish a connection to the Internet.

Other device functions or device sensors

By accessing the other device functions and device sensors of your mobile device, the Lidl App is able to retrieve data from the Internet and process error messages. It also allows the Lidl App to be executed at start-up and the device’s sleep mode to be deactivated. Finally, if you have given your consent, the Lidl App can send you push notifications to inform you about current offers and promotions.

13. Embedded third-party content

Data controller

The processing of your personal data related to embedded third-party content is carried out by Lidl Malta Limited and Lidl Stiftung & Co. KG as joint data controllers.

Purposes of data processing/legal basis

We have integrated YouTube videos into our website, which are available at https://www.youtube.com and can be played directly from the Services. These are all integrated in "extended data protection mode", i.e. no data about you as a user is transferred to YouTube if you do not play the videos. The data is only transferred when you play the videos. We have no influence over the data processing by the operator of YouTube.

Further information on the purpose and scope of data collection and its processing by YouTube can be found in the provider’s privacy policy. There you will also find further information on your rights in this regard and setting options to protect your privacy. Address and privacy policy of YouTube: Google LLC, 1600 Amphitheatre Parkway. Mountain View, CA 94043, USA; https://www.google.de/intl/de/policies/privacy/.

14. Purchase in our stores

Data controller

The data controller for the processing of data relating to your purchases in our stores is Lidl Malta Limited.

14.1 Age check

When selling products with age restriction, such as alcohol (17 years) / sale of computer and console games, DVDs, videos with age restriction, a visual check of your personal data (usually an identity card) is carried out by our cashiers in compliance with our legal obligations (article 6, paragraph 1, letter c) GDPR).

14.2 Security cameras

When you visit our stores, we may occasionally process your personal data for the prevention and detection of criminal offences (article 6, paragraph 1, letter f) GDPR), for the protection of our customers, employees and property.

The use of a video surveillance system, where necessary and provided for, will be indicated by clearly visible signs.

The images are kept for up to 7 days, without prejudice to specific requirements for longer retention in the event of a specific request by the judicial authorities or the police and, in the event criminal offences have been committed, for the time strictly necessary to investigate the criminal offences and to protect the rights of defence of the persons affected.

Any request to download CCTV footage must be sent as soon as possible to Lidl Malta Customer Service at cctv@lidl.com.mt.

The downloading of images requires the intervention of specialised providers, carefully selected and contractually bound in accordance with article 28 GDPR.

Please understand that both Lidl Malta Customer Service and the aforementioned providers operate during business hours and that the download of images requires the intervention of qualified personnel on site, therefore the request for any download of images must be sent as soon as possible to the aforementioned Lidl Malta contact details in order to be fulfilled.

Furthermore, in the event that the request is made pursuant to article 15 GDPR (right of access of the data subject), please note that the personal data (e.g. faces, number plates) of any third parties present in the footage will be obscured in accordance with the applicable legislation.

For more information in this regard, including your rights, please read the specific privacy policy, which is available on request.

14.3 Payment procedure

Every time you make a card payment, we process your personal data as contained on such card and in connection with that transaction for the sole purpose of managing the payment itself (article 6, paragraph 1, letter b) GDPR). This concerns your card data (IBAN in the case of bank cards, card number, security code, card type as well as the expiration date of the card) and the data referred to the payment (amount, date, time, identification of the card reading device, this means place, company and store where you paid, PIN and, if necessary, your signature as well as your name and surname).

The card data and the data referred to the payment will be immediately transmitted, after the card is read from the card reading terminal (through the terminal manager) by the acquirer bank to your bank. Such data may also be transmitted, in the cases determined by the law, to the law enforcement authorities and to the Financial Intelligence Units.

We do not retain your card data unless this is necessary to ensure the payment transfer. For purposes concerning the document archiving, some data referred to the payment (type of card, date, time, number of the POS terminal, authorization code, place, company, branch, amount and if necessary your signature as well as your name and surname) will be processed according to the provisions of the law to fulfil our legal obligations (article 6, paragraph 1, letter c) GDPR) and held by us for the duration of the statutory retention periods. However, a card payment is not possible without the data. You can alternatively pay at any time with cash.

15. Your rights as data subject

15.1 Overview

In addition to the right to withdraw the consent you may have granted us; you also have the following rights provided the respective statutory requirements are met:

the right of access to information about your personal data in accordance with article 15 GDPR.
the right to rectification of inaccurate data or to have incomplete data completed in accordance with article 16 GDPR.
the right to erasure of your data stored with us in accordance with article 17 GDPR.
the right to restriction of processing of your data in accordance with article 18 GDPR.
the right to data portability in accordance with article 20 GDPR.
the right to object in accordance with article 21 GDPR.

15.2 The right of access to information in accordance with article 15 GDPR

You have the right, pursuant to article 15, paragraph 1 GDPR, upon request us to confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:

the purposes for which the personal data are processed;
the categories of personal data which are processed;
the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
the right to lodge a complaint with a supervisory authority;
any available information about the source of the data, if the personal data are not collected from you (the data subject);
the existence of automated decision-making, including profiling, in accordance with article 22, paragraph 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to article 46 GDPR relating to the transfer.

15.3 The right to rectification in accordance with article 16 GDPR

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.

15.4 The right to erasure in accordance with article 17 GDPR

You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you withdraw the consent on which the processing was based in accordance with article 6 paragraph 1, letter a) or article 9 paragraph 2, letter a) GDPR, and there is no other legal ground for the processing;
you object to the processing pursuant to article 21, paragraph 1 or 2 GDPR, and there are no overriding legitimate reasons for processing;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation;
the personal data has been collected in relation to the offer of information society services to children as referred to in article 8, paragraph 1 GDPR.

In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:

for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
for the establishment, exercise or defence of legal claims.

There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.

Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.

15.5 The right to restriction of processing in accordance with article 18 GDPR

You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:

the accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
the processing is unlawful, and you oppose the erasure of your personal data; or
we no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
you exercised Your right to object and verification of our legitimate grounds to override your objection is pending.
Following your request for restriction, except for storing your personal data, we may only process your personal data:
where we have your consent; or
for the establishment, exercise or defence of legal claims; or
for the protection of the rights of another natural or legal person; or
for reasons of important public interest.

15.6 The right to data portability in accordance with Article 20 GDPR

You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:

the processing is based on your consent or on the performance of a contract with you; and
the processing is carried out by automated means.

15.7 Right to object in accordance with article 21 GDPR

Under the conditions set out in article 21, paragraph 1 GDPR, you have the right to object to data processing on grounds relating to your particular situation.

In those cases where we only process your personal data when this is 1) necessary for the performance of a task carried out in the public interest or 2) when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.

When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.

For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.

In any case you also have the right to lodge complaints at any time with the competent data protection supervisory authority (see below).

15.8 What we may require from you

As one of the security measures we implement, before being in the position to help you exercise your rights as described above, we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.

15.9 Time limit for a response

We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.

15.10 Right to lodge a complaint with the data protection supervisory authority

You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. You can contact the Office of the Information and Data Protection Commissioner, the data protection supervisory authority of Malta by email on: idpc.info@idpc.org.mt or by telephone on (+356) 2328 7100.

We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).

15.11 Information on joint controllership in accordance with article 26 GDPR

With this Privacy policy we have outlined to you certain processing activities carried out jointly by Lidl Malta and Lidl Stiftung as joint data controllers within the meaning of article 26 GDPR. Upon your request (e.g. via the contact details set out in section 1), we will be glad to provide you with the details of the respective agreement on the aforementioned joint controllership. In order to exercise your rights as a data subject, you may contact us or - for the individual data processing concerned - our joint data controllers indicated in this Privacy policy.

Download the Privacy policy

You may download a PDF version of this Privacy policy here:

For viewing the PDF file you will need the Adobe Acrobat Reader.