Lidl Plus Data Protection Notice
Last revised: October 2024
Version: 2.0
Lidl Plus is a loyalty programme (the "Service" or "Lidl Plus") that offers you deals and discounts tailored to your interests from the companies of the Lidl Group and selected partners.
You can use Lidl Plus by registering for selected online services of the Lidl Group ("Online Services", e.g. online stores, click and collect service, apps). Please note that some functionalities are only available via the Lidl App. For example, you must identify yourself with the Lidl App at the checkout so that your purchases in Lidl stores are assigned to your Lidl Plus profile.
Unless otherwise stated below, Lidl Stiftung & Co. KG with registered office in Stiftsbergstraße 1, 74172 Neckarsulm, Germany ("Lidl Stiftung", "we", "us") is the Data Controller for the processing of your personal data in the context of Lidl Plus.
Lidl Stiftung's Data Protection Officer can be contacted at the above postal address or at privacy@lidlplus.com.mt.
3.1 Registration for Lidl Plus and account management
Purposes of data processing/legal basis
Once you have registered, you can use Lidl Plus in all connected Online Services with the same user name and password and access your customer master data, shopping history and Lidl Plus functions in your Lidl Plus account.
The following data is processed when registering for Lidl Plus:
- First name,
- Date of birth,
- Email address,
- Mobile phone number,
- Password,
- Title (optional),
- Gender (optional),
We need your date of birth, as participation in Lidl Plus requires a minimum age of 18 years (see Section 2 of the Terms and Conditions Lidl Plus) and for certain products (e.g. alcoholic beverages) age limits under youth protection laws must be taken into account.
You can also choose to enter your address and surname in your Lidl Plus account. However, providing this data is mandatory for specific functions.
If you have registered for Lidl Plus in the Lidl App, we will also process data on your preferred store. In addition to the above-mentioned data, we receive information from the Online Service you use – if available – about the payment methods stored there and your purchase and order history. You can access this data in your Lidl Plus account. You can find out which Online Services transfer your payment history to your Lidl Plus account in the Online Services' data protection notice.
We process the data collected during registration for the following specific purposes:
- Communicating with you,
- Verifying your identity as the account holder (e.g. when resetting the password),
- Uniquely assigning your purchase and usage behaviour to your customer profile.
We also use your email address to send you a notification when your account is accessed via a new device.
The following data is processed to secure the registration/login procedure:
- Email address or mobile phone number,
- IP address,
- Mouse movements,
- Length of time spent on the registration page,
- Online identifiers such as device ID,
- Browser details (browser name and version),
- Name and version of the operating system of the device on which the browser is installed,
- Network-based location of your device when you log in,
- Date and time of the registration/login attempt,
- Information on whether registration/login attempts were successful.
The legal basis for the above-mentioned data processing is Article 6, paragraph 1, letter b) and (f) GDPR, i.e. we process your data in order to provide you with our Services in accordance with the contract. Our legitimate interest is based on the purposes of data processing described above.
Recipients/categories of recipients
If you log in to Online Services as a Lidl Plus user, we pass on to the respective operator of the Online Service the data required to provide the Service you have requested. These data vary depending on the offer and can include:
- Verified login data (e.g. email address, password, mobile phone number),
- Master data (e.g. name, address, date of birth),
- Stored payment methods,
- Information stored in the "About me" section.
We also pass on your customer master data to those companies in the Lidl Group that you contact in the context of customer service enquiries.
3.2 Store visits
Purposes of data processing/legal basis
If you use Lidl Plus, you can either identify yourself at the till when you visit a store. In this case, we collect the following data:
- The store you have visited,
- The products you have purchased or returned by type, quantity and price,
- The coupons and vouchers you have redeemed,
- The purchase receipt amount,
- The time of the payment transaction and which means of payment you used.
When making purchases in Lidl stores, you can collect digital points and exchange them for reward coupons in Lidl Plus. The points collected are assigned to your customer number for the reward exchange. Product returns are also taken into account when calculating the number of points.
The legal basis for this is Article 6, paragraph 1, letter b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
In order to prevent economic damage to Lidl Group companies, we analyse your purchasing behaviour for fraud prevention purposes. In particular, we analyse whether and how often items are returned. The legal basis for this is Article 6, paragraph 1, letter f) GDPR. Our legitimate interest is based on the purposes of processing described above.
In the event of product recalls, we will check whether you have purchased the affected product so that we can inform you of the recall. This processing is carried out to protect your health (Article 6, paragraph 1), letter d) GDPR) and because we have a legitimate interest in informing you of any product recalls (Article 6, paragraph 1, letter f) GDPR).
3.3 Determining your product interests and personalised advertising approach
Purposes of data processing/legal basis
In Lidl Plus, we determine which products, promotions and services could potentially be of interest and relevance to you. This is done in particular on the basis of the following data:
- Store purchases (e.g. products purchased or returned by type, quantity and price),
- Demographic information (e.g. age, gender, place of residence),
- Data stored in the Lidl Plus account,
- Information about life circumstances and interests, which are stored in the "About me" section,
- Activated and/or redeemed coupons,
- Participation in competitions and promotions,
- Product reservations,
- Use of our partner offers described in Section 3.9 (e.g. time, quantity, location),
- Use of the Digital Services described in Section 3.13 (e.g. information about your access authorisation to Services of our partners, length of use of the Services, termination date of the free month, activation and use of the discount collector for Digital Services),
- Use of functions in Lidl Plus.
In addition, the following information from Online Services is processed to determine your interests:
- Usage data of the Lidl App, e.g.
- visited app sections,
- viewed articles,
- version of the operating system,
- device labelling,
- system language and selected country,
- Lidl App version used,
- Tracking data, e.g.
- advertising identifiers (iOS IDFA, Android advertising ID or Huawei ID, email address, address, mobile phone number),
- IP/MAC address,
- HTTP header,
- Fingerprint of your end device,
- information about the use of apps and websites (links clicked on, areas visited, duration and frequency of use, number of clicks and scrolls),
- App and event tokens,
- Information from the Online Service of the Lidl Group companies, e.g.
- products purchased/reserved in Online Services by type, quantity and price,
- receipt amount and time of payment,
- payment method used,
- selected delivery method,
- participation in surveys and competitions,
- products stored in the shopping basket,
- frequency of purchase transactions,
- web tracking data of the Online Services,
- Your usage behaviour in relation to marketing communication of Online Services, e.g.
- time at which the newsletter was opened,
- clicked links or areas,
- duration and frequency of use.
We use mathematical-statistical methods to determine your interests. For this purpose, your personal data is also compared with the data of other customers. Based on this comparison, we can work out which products and campaigns are relevant for customers with similar interests.
We use this information to provide you and other customers of the Online Services with personalised advertising tailored to your interests and to offer you the best possible individual offers and discounts. Where possible, you will also receive personalised information about products, promotions, competitions, new services, customer surveys and the latest streaming, store, online shop, flower and travel offers. We also use these findings to optimise the Lidl Plus programme.
The legal basis for this is Article 6, paragraph 1, letter b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
In addition, we may transfer the data described in this paragraph to other companies in the Lidl Group or other third parties if there is a legal basis for this (in particular your consent to the use of tracking technologies in our Online Services).
3.4 Advertising optimisation measures, the store network and store design
Purposes of data processing/legal basis
If you provide us with your address as part of the registration process or at a later date in your Lidl Plus account, we will use it to optimise our advertising (e.g. leaflet distribution, poster advertising) and to optimise the store network.
This data is processed on the basis of our legitimate interest in optimising sales channels (Article 6, paragraph 1, letter f) GDPR).
3.5 Google reCaptcha
Purposes of data processing/legal basis
To protect our registration/login process from attacks or misuse by automated programmes (known as bots), we use Google reCaptcha. Bots are used, for example, to obtain customer account passwords or to restrict the functionality of the website through mass data transfers.
Google reCaptcha determines whether the interaction with the website is by a human user or a bot. For this purpose, usage behaviour (time spent on the page or mouse movements made) is analysed and the IP address is read by Google and checked to see whether it could have been assigned to a bot in the past. If the IP address has already been assigned to a bot, Google transmits this information to us. We then store these IP addresses for defence against future attacks. This analysis starts automatically as soon as you open the registration page.
The legal basis for this data processing is Article 6, paragraph 1), letter f) GDPR. Our legitimate interest is based on the purposes of processing mentioned above.
Recipients/categories of recipients
When using Google reCaptcha, the above-mentioned data is also processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA to provide the Service. We have no influence over the processing and use of data by Google. Further information on data processing by Google can be found here: https://policies.google.com/privacy.
3.6 Competitions
Purposes of data processing/legal basis
As a Lidl Plus user, you can take part in various competitions. Unless otherwise specified in the respective competition, your data will be used in the context of your participation in the competition in order to run the competition (e.g. determining the winner, notifying the winner, sending the prize) and for the purposes described under Section 3.3 to determine your interests as described in Section 3.3.
The legal basis for this is Article 6, paragraph 1, letter b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
Apart from the above-mentioned determination of your interests and the personalised advertising approach, your data will only be passed on to companies of the Lidl Group or third parties if this is necessary to run the competition (e.g. to send the prize via a logistics company).
3.7 Reservation of products
Purposes of data processing/legal basis
If you reserve products via Lidl Plus and purchase them in-store at a later date, we process this information so that you can
- purchase these later in a Lidl store,
- view a history of reservations,
- view special offers tailored to your preferences and interests as well as participate in promotions.
The legal basis for this is Article 6, paragraph 1, letter b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
We will send a list of the reserved products and your order number to the relevant Lidl Group company. The Lidl company uses this data under its own responsibility for the subsequent processing of the purchase contract.
3.8 Partner offers
Purposes of data processing/legal basis
Lidl Plus gives you the opportunity to take advantage of discounted offers from selected partners. Some of these offers require you to identify yourself as a Lidl Plus customer with your digital customer card. In this case, the partner informs us about your use of the special offer including the associated information (e.g. time, quantity, location).
If special offers are made within Lidl Plus for contracting services from our partners, we will receive your contact details (e.g. email address and mobile phone number) from them so that we can correctly assign the special offer to your account.
We use the information on the use of the partner offers to determine your interests as described above and to display personalised advertising.
The legal basis for this is Article 6, paragraph 1, letter b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
If you make use of partner offers via Lidl Plus, we only send the partner the information that you are a Lidl Plus user so that the partner can assign the corresponding offer to you.
4.1 Overview
Your personal data will only be passed on without your prior consent in the cases mentioned in Sections 3.1 - 3.13 if this is permitted by law. This is the case, for example, if:
- we have a legitimate interest in sharing your personal data for administrative purposes within the Lidl Group and your rights and interests in protecting your personal data within the meaning of Article 6, paragraph 1, letter f) GDPR do not outweigh this interest
or
- we use third parties as data processors who we have carefully selected and that are contractually obliged to process your personal data exclusively in accordance with our instructions.
4.2 Transfer within the Lidl Group
The data provided during registration will be passed on within the Lidl Group for internal administrative purposes, including joint customer support.
Any disclosure of personal data is justified by the fact that we have a legitimate interest in disclosing the data for administrative purposes within our Group (Article 6, paragraph 1, letter f) GDPR).
4.3 Transfers to recipients in third countries
Under specific circumstances, it may be necessary for us to transfer your personal data to recipients in a third country or several third countries outside the European Union (EU)/the European Economic Area (EEA).
The EU Commission has certified some third countries as having a level of data protection comparable to the GDPR by means of an adequacy decision. You can find an overview of third countries with an adequacy decision here. For service providers based in the USA, this only applies if they are certified in accordance with the EU-US Data Privacy Framework.
If there is no adequacy decision, we secure the transfer by other measures. These can be, for example, binding company regulations, standard contractual clauses of the European Commission, certificates or recognised codes of conduct.
Unless otherwise stated, the transfer to a third country takes place either on the basis of an adequacy decision or one of the measures listed above. If you have any questions, please contact our data protection officer (Section 2).
We delete or anonymise your personal data as soon as it is no longer required for the purposes stated above. As a rule, we store your personal data for the duration of your participation in Lidl Plus. If you are inactive for 24 months or actively delete your Lidl Plus account, we will notify you of the pending cancellation. Within 72 hours, you have the option of reversing the cancellation by logging in again. If your data must be stored for a longer period of time due to statutory retention periods or to secure, assert or enforce legal claims, we will store your data beyond the cancellation of the account. The data will only be stored for as long as is legally permissible.
All personal data that you send us in the context of customer service enquiries will be deleted or anonymised by us no later than 90 days after the final response. Experience has shown that there are usually no more queries after 90 days. If data subjects assert their rights, personal data will be stored for five years after the final reply has been given to you as proof that we have provided you with comprehensive information and that the legal requirements have been met.
We store the log files in which we record your interactions with Lidl Plus (your registration, password reset, etc.) for a period of up to 90 days.
You have the right to request information about the personal data stored about you free of charge in accordance with Article 15, paragraph 1) GDPR.
If the legal requirements are met, you also have the right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR). If you have provided us with the processed data, you have a right to data portability in accordance with Article 20 GDPR.
If data processing is carried out on the basis of Article 6, paragraph 1), letter e) or f) GDPR, you have the right to object in accordance with Article 21 GDPR. If you object to data processing, this will only be continued if we can demonstrate compelling legitimate grounds for further processing that outweigh your interest in objecting. You can send your objection to privacy@lidlplus.com.mt at any time.
If the data processing is based on consent in accordance with Article 6, paragraph 1), letter a) or Article 9, paragraph 2), letter a) GDPR, you can withdraw your consent at any time with future effects without affecting the lawfulness of the previous processing.
You also have the right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority of the country in which you live or in which the controller has its registered office is responsible.
Data protection notice on downloads
You can download the Lidl Plus data protection information as a PDF version here: