Social Media Privacy Policy
(Version 1.4; dated October 24, 2022)
The following privacy policy will inform you of how and to what extent Lidl Malta Limited (hereinafter also ‘Lidl’) processes your personal data in accordance with Article 13 of the General Data Protection Regulation (GDPR) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any Subsidiary Legislation issued under the same as may be amended from time to time.
Pursuant to Article 4, paragraph 1, number (7) GDPR the data collection and processing described below is controlled partly by us,
Lidl Malta Limited
Vassallo Business Park, Burmarrad Road, Naxxar NXR 6345, Malta
E-mail address: privacymt@lidl.com.mt
and partly by the respective operator of the social media platforms. For certain processing operations we and the platform operator act as Joint Controllers within the meaning of Article 26 GDPR (processing under section 4).
Lidl Malta Limited operates on the following social media pages:
As Data Controller, the platform operator is responsible for the data processing (e.g. handling of the users and of the shared information) carried out by himself on the social media platform. Where possible, we try to ensure that the operator of the social media platform processes the data in accordance with the data protection legislation. However, in many cases, we have no possibility to influence the processing of personal data by the social platform operator and we do not even know exactly which data are processed by the said social platform operator.
The platform operator manages the entire IT infrastructure of the service, has its own privacy policy, and maintains its own user relationship with you (if you are a registered user of the social media service). In addition, the operator alone is responsible for all questions regarding the data of your user profile, to which Lidl has no access.
Further information on the data processing carried out by the social media platform operators, including information on how to object, are provided in the operators' privacy policies:
- Facebook: https://www.facebook.com/privacy/explanation
- Instagram: https://help.instagram.com/519522125107875
- YouTube: https://policies.google.com/privacy?hl=en&gl=en
- LinkedIn: https://www.linkedin.com/legal/privacy-policy
When using the platform, your personal data is usually also processed by the respective operator on servers located in third countries, in particular in the USA.
a) Lidl content on social media platforms
Purpose of data processing and legal basis:
The purpose of data processing by us on the social media platforms is (i) to inform customers about offers, products, services, promotions, prize draws, factual issues, and company news, (ii) to interact with visitors of social media presences on these topics, and (iii) to respond to corresponding questions, praise, or criticism. We only reserve the right to (iv) delete content, if this becomes necessary, (v) share your data on our page, if this is a function of the social platform, and communicate with you via the social media platforms. In this context, the data are processed in the interests of our relations with the public and our communications.
The processing of your personal data for the purposes referred to in points (i), (ii), (iv) e (v) above is carried out pursuant to Article 6, paragraph 1, letter f) GDPR to pursuit of the legitimate interest of Lidl, which is fairly balanced with your interest in the protection of your data, since the processing of personal data is limited to what is strictly necessary for the exercise of the rights of Lidl and for the execution of the required economic operations. Processing for such purposes is not mandatory and you may object to such processing using the methods set out in this privacy policy. However, if you object such data processing, your personal data will not be used for the aforementioned purposes, unless the legitimate interests of Lidl do not appear to prevail over you interests or fundamental rights and freedoms.
In addition to the above, the processing of data for the purposes referred to in point (iii) is necessary with reference to the above-mentioned purposes given its essential nature in order to provide the service requested by you in compliance with Article 6, paragraph 1, letter b) GDPR.
The operator has no influence on the processing of your data by Lidl within the scope of customer communication or prize draws.
Where the operator of the social media platform offers the possibility, we undertake to configure our social media pages in a manner that complies as much as possible with the data protection legislation.
The data you enter on our social media pages, such as comments, videos, images, likes, public messages, etc., are published for this purpose by the social media platform and is not used or processed by us for other purposes at any time. We merely reserve the right to delete illegal content if necessary. This is for example, the case with infringing or illegal posts, hate comments, lewd comments (explicit sexual content) or attachments (e.g. images or videos), which may breach copyrights, individual rights to privacy, criminal laws, or the ethical principles of Lidl.
Recipients / Categories of Recipients:
We may share your contents on our page and communicate via social media if this are functions of the social media platform. If you submit a query on the social media platform, we may refer you to other secure communication channels that guarantee confidentiality, depending on the response required. You always have the option of sending confidential inquiries to the address provided in section 1 or through the dedicated channels available on the website www.lidl.com.mt.
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) where necessary contracting parties (e.g. suppliers, where inquiries are product-specific) in order to process your inquiry (in these cases, your inquiry will be anonymized in advance to ensure that the third party cannot relate it to you. If sharing your personal data is necessary in an individual case, we will inform you of this and obtain your consent); (ii) third-party suppliers of assistance and advice for Lidl Malta with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (iii) companies of the group to which Lidl Malta belongs; (iv) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processor.
Storage Period / Criteria for Determining the Storage Period:
All the personal data that you provide us in inquiries (suggestions, praise or criticism) via the social media will be stored as long as necessary to pursue the purposes set out in this policy and will be deleted, no later than 90 days after the final response is sent, or anonymized, excepting for the case in which storage for a further period is required for any claims, requests by the competent authorities or for compliance with a legal obligation. In our experience, we generally receive no further inquiries to our responses after 90 days.
Your public posts on this social media presence will remain on the timeline indefinitely unless we delete them because of an update of the underlying topic, violations of the law or infringements of our guidelines or you delete the post yourself.
Lidl has no influence on the deletion of your data by the operator itself. The data protection provisions of the respective operator therefore also additionally apply.
b) Prize Draws
Purpose of data processing and legal basis:
You have the option of taking part in various Lidl prize draws through our website, our newsletter, our social media presences or via the Lidl app. Unless otherwise specified in the privacy policy for the prize draw or if you have not conferred your express consent, the personal data you provided to us when entering the prize draw will be processed exclusively to execute the prize draw (e.g. determination of the winner(s), notification of the winner(s), sending of the prize) and to comply with applicable law obligations.
The processing of the aforementioned personal data is necessary as it is essential in order to allow your participation in the prize draw (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).
Further details are provided in the specific privacy policy for the prize draw.
Recipients / Categories of recipients:
Your personal data are shared with third parties only if this is necessary for running the prize draw or sending the prize (e.g. for the promoter of a prize draw to send the prize or sharing the data with a logistics company) or you have given us your express consent to do so. For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processor. Please note that in the case of some social media presences, entry may also be possible directly on the publicly visible web presences (e.g. on the board or via comments) and thus other users can also see the fact you have entered publicly through your interaction with us. Moreover, in such cases the fact you have won may also be identifiable on the respective social media presence. If you operate under your real name in the relevant social media network or are identifiable through photos in your profile, we cannot exclude identification by other users.
Storage period / Criteria for determining the storage period:
Your personal data processed in the context of the prize draw will be stored as long as necessary to pursue the purposes set out in this policy. After the end of the prize draw and the identification of the winners, the personal data of the participants are deleted, except in case where the storage for a further period is required for any claims, requests from the competent authorities or for compliance with a legal obligation. In case of material prizes, the data of the winners are stored for the duration of the statutory warranty claims in order to arrange for rectification or replacement if there is any defect in the prize. In the case of entry into a prize draw on a social media site (e.g. by means of a post or comment), we have no influence on the deletion of your data by the operator. The data protection provisions of the respective operator of the social media site therefore also additionally apply.
c) Newsletter
Purpose of data processing and legal basis:
Via social media frames, you have the opportunity to subscribe to the Lidl newsletter. If you subscribe to our newsletter, we use your e-mail address and, in certain cases, your name to send you information about products, promotions, prize draws and news from our shops, the Lidl Plus App as well as to conduct customer satisfaction surveys. We collect and process your data for the sole purpose of sending you our newsletter.
Newsletter content includes promotional offers (deals, discounts, prize draws, etc.) as well as products and services of Lidl Malta Ltd. (www.lidl.com.mt) and Lidl Stiftung & Co. KG ( www.lidlplus.com.mt).
If you have requested our newsletter service, the processing of your personal data as set out above is necessary as it is essential to provide you with commercial communications relating to products and services offered by Lidl and the business partner identified above. The legal basis for the processing shall therefore be your express consent provided under Article 6, paragraph 1, letter a) GDPR.
In order to ensure that your e-mail address is entered correctly, we apply the so-called double opt-in procedure: once you have entered your e-mail address in the registration field, we will send you a confirmation link, by clicking on which you confirm the request to register your e-mail address in our system.
You may decide to withdraw your consent by unsubscribing from the newsletter section on our website at any time. This shall not affect the lawfulness of processing based on consent before its withdrawal. You may find the link to unsubscribe here or at the end of each newsletter.
Recipients / Categories of recipients:
For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, marketing and advertising networks; (ii) service supplier for sending the newsletter; (iii) companies of the group to which Lidl Malta Ltd. belongs. If external processors are commissioned for the dispatch of the newsletter, these are bound by contract pursuant to article 28 GDPR.
Storage period / Criteria for determining the storage period:
If you don’t confirm the signing up to our newsletter by the double opt-in procedure, your personal data will be erased after 7 days. If instead you decide to unsubscribe to the newsletter, your personal data will be deleted from the systems within 6 months, without prejudice to such cases in which the storage for a further period is required in order to handle any disputes, requests from the competent authorities or for compliance with a legal obligation.
d) Social Listening and Social Media Monitoring
Purpose of data processing and legal basis:
In addition to the information we have directly shared with you through social networks, we also use the option of ‘Social Listening’ and ‘Social Media Monitoring’ in order to get an idea of perceptions of our products and services, to evaluate our marketing activities and to identify any potential for improvement. Contributions made public by you on social media platforms (Facebook, Instagram, etc.) are reviewed and evaluated according to a search request (for example in relation to a new product line) or according to certain values (e.g. views, number of clicks). Only contributions that have been made publicly available will be viewed here.
The extent of the data processed is primarily determined by the nature and content of the said contribution such as e.g. a posting in text form or an uploaded image file. In single cases, the respective user ID may also be processed if Lidl would like to offer help with any problems.
The legal basis for the processing of personal data in the context of social listening is our legitimate interest in being able to identify any deficiencies in our products and services and to react to them in an appropriate manner (article 6, paragraph 1, letter f) GDPR). Lidl's legitimate interest is equally balanced with your legitimate interest, as the said data processing is limited to what is strictly necessary for the aforementioned purpose namely, to analyze the content made publicly accessible by the data subject.
Recipients / Categories of recipients:
For the aforementioned purposes, your personal data may be transferred, in the context of ‘Social Listening’ and ‘Social Media Monitoring’, to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: marketing, technological, accounting, administrative, legal, insurance, IT. Our third-party suppliers may process the personal data also on servers based in the USA (e.g. as part of our collaboration with Socialbakers a. s.); (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.
Storage period / Criteria for determining the storage period:
Personal data is not stored by Lidl, but rather analysed for the sole purpose of recognising any shortcomings in our products or services and identifying potential for improvement. If necessary, we may keep personal data as part of our annual comparative evaluations for up to 2 years from their collection, provided that you have not already deleted your data from the platform.
Lidl has a Joint Controller relationship pursuant to art. 26, paragraph 1 GDPR with the following social media platform operators:
- Facebook: https://en-gb.facebook.com/legal/terms/page_controller_addendum
- LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum
In particular, Lidl and the platform operators act as Joint Controllers for the web tracking methods used by operators of the social media platforms. The web tracking may also take place regardless of whether you are registered or have logged on to the social media platform. As previously stated, Lidl has no influence over the web tracking methods used on the social media platforms. For instance, we cannot disable them.
The legal basis for the processing carried out by means of the web tracking methods is your express consent provided pursuant Article 6, paragraph 1, letter a) GDPR.
Further information on the recipients and/or categories of recipients and the storage period and/or the criteria for determining the storage period can be found in the platform operators' privacy policies. We have no influence on these.
For more information on your rights to withdraw your consent to the web tracking methods please refer to the privacy policies of the platform operators listed in section 2. You can also contact the platform operators using the contact details provided in their legal notice.
With reference to the processing activity performed by the social media platform operators for statistical purposes, Lidl has limited possibilities of influence and cannot prevent them. However, we are committed to ensure that optional statistics are not transmitted to Lidl.
The platform operators may use your profile and navigation data according to their terms & condition and privacy policy, in order to evaluate your habits, personal interactions and preferences. Lidl has no influence on the processing of such data by the operators of the social media platforms.
The recipients / categories of recipients, including those located in a third country, outside the European Union (EU) or the European Economic Area (EEA), are indicated in correspondence with each type of processing activity described in this privacy policy. Some third countries are certified by the European Commission through the so-called adequacy decisions, when they guarantee a level of protection of personal data comparable to that within the EU and the EEA. The list of these third countries is available here. If a comparable level of protection is not guaranteed in a third country, it will be our concern to verify that the level of protection of personal data is adequately guaranteed through other measures. These are for example binding corporate rules, standard data protection clauses adopted by the Commission, certificates or codes of conduct. For more information, please contact our Data Protection Officer.
The use of the social media platform may also involve the processing of your personal data in a third country (based outside the European Economic Area) by the platform operators. Lidl has no influence on this processing activity. For more information, please refer to the privacy policy of the operators listed in section 2.
6.1 Overview
In addition to the right withdraw the consent you may have granted us, you also have the following rights provided the respective statutory requirements are met:
- The right of access to information about your personal data in accordance with article 15 GDPR.
- The right to rectification of inaccurate data or to have incomplete data completed in accordance with article 16 GDPR.
- The right to erasure of your data stored with us in accordance with article17 GDPR.
- The right to restriction of processing of your data in accordance with article 18 GDPR.
- The right to data portability in accordance with article 20 GDPR.
- The right to object in accordance with article 21 GDPR.
6.2 The right of access to information in accordance with article 15 GDPR
You have the right, pursuant to article 15, paragraph 1 GDPR, upon request us to confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:
- the purposes for which the personal data are processed;
- the categories of personal data which are processed;
- the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
- the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
- the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- any available information about the source of the data, if the personal data are not collected from you (the data subject);
- the existence of automated decision-making, including profiling, in accordance with article 22, paragraph 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to article 46 GDPR relating to the transfer.
6.3 The right to rectification in accordance with article 16 GDPR
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.
6.4 The right to erasure in accordance with article 17 GDPR
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw the consent on which the processing was based in accordance with article 6 paragraph 1, letter a) or article 9 paragraph 2, letter a) GDPR, and there is no other legal ground for the processing;
- you object to the processing pursuant to article 21, paragraph 1 or 2 GDPR, and there are no overriding legitimate reasons for processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation;
- the personal data has been collected in relation to the offer of information society services to children as referred to in article 8, paragraph 1 GDPR.
In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:
- for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
- for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.
Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.
6.5 The right to restriction of processing in accordance with article 18 GDPR
You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:
- The accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
- The processing is unlawful, and you oppose the erasure of your personal data; or
- We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
- You exercised Your right to object and verification of our legitimate grounds to override your objection is pending.
Following your request for restriction, except for storing your personal data, we may only process your personal data:
- Where we have your consent; or
- For the establishment, exercise or defence of legal claims; or
- For the protection of the rights of another natural or legal person; or
- For reasons of important public interest.
6.6 The right to data portability in accordance with Article 20 GDPR
You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
- The processing is based on your consent or on the performance of a contract with you; and
- The processing is carried out by automated means.
6.7 Right to object in accordance with article 21 GDPR
Under the conditions set out in article 21, paragraph 1 GDPR, you have the right to object to data processing on grounds relating to your particular situation.
In those cases where we only process your personal data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.
When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.
For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.
In any case you also have the right to lodge complaints at any time with the competent data protection supervisory authority (see below).
6.8 What we may require from you
As one of the security measures we implement, before being in the position to help you exercise your rights as described above, we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.
6.9 Time limit for a response
We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.
7.1 Contacts for questions or to exercise your data protection rights
If you have any questions about our website or the Lidl shop(s) or would like to exercise your rights with regard to the processing of your data (data protection rights), you can contact our Customer Services: Contact form
7.2 Contacts for questions on data protection
If you have any further questions concerning the processing of your data, you can contact our data protection officer at the following email address privacymt@lidl.com.mt. Please do not use this e-mail address for issues that do not present privacy-relevant profiles (e.g. applications and customer service contact requests).
7.3 Right to lodge a complaint with the data protection supervisory authority
You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. You can contact the Office of the Information and Data Protection Commissioner, the data protection supervisory authority of Malta by email on: idpc.info@idpc.org.mt or by telephone on (+356) 2328 7100.
We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).
This privacy policy applies to the data processing carried out on the website www.lidl.com.mt by Lidl Malta Limited, the Administration Office, Triq Il-Karmnu, Luqa, LQA1311 (“Data Controller”). The data protection officer for Lidl Malta Limited can be contacted using the above address.