Data protection on www.corporate.lidl.com.mt

(Version 3.0; dated 09.11.2020)

Privacy policy

Thank you for your interest in the data protection on our website www.corporate.com.mt. When you visit our website we want you to feel safe and comfortable and for you to see our implementation of data protection as a customer-oriented quality feature.

The following privacy policy will inform you of how and to what extent Lidl Malta Limited (hereinafter also ‘Lidl’), having registered office in Triq il-Karmnu, Luqa LQA 1311, Malta (as a Data Controller) processes your personal data. ‘Personal data’ refers to information that can be directly or indirectly attributable to or assigned to you (as a Data Subject).

The processing of personal data in this context is carried out in accordance with the Regulation (EU) 2016/679 (hereinafter ‘GDPR’) and the national legislation on data protection namely, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any subsidiary legislation issued under the same as may be amended from time to time.

Our full details, including contact details, can be read below.

1. Applicable laws

As an entity established in Malta (EU) the main privacy laws that are applicable to Lidl Malta Limited in so far as you are concerned, are as follows:

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’.
The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ‘DPA’;

2. Overview

When you visit the website of Lidl, various information is exchanged between your device and our server. This may also include personal data. Information collected in this way is used for reasons including optimizing our website and to pursue the purposes set out in this privacy policy.

3. Visiting our website

Purpose of data processing and legal basis:

When you visit our website, the browser used on your device sends the following information automatically and without any action on your part to our website’s server:

the IP address of the requesting web-enabled device;
the date and time of access;
the name and URL of the viewed file;
the website/application from which access is made (referrer URL);
the browser you are using and, if applicable, the operating system of your Internet-enabled; computer and the name of your access provider;
in general your browsing data in accordance with the Cookie Policy available at section 4 of this privacy policy.

and stores it temporarily in log files for the following purposes:

to browse the website;
to ensure a smooth connection and that our website is easy to use;
to evaluate system security and stability;
to comply with legal obligations.

The processing of the aforementioned personal data is necessary as essential in order to provide the service requested by you through the features available on our website (article 6, paragraph 1, letter b), GDPR) and fulfil the obligation to comply with the applicable legislation (article 6, paragraph 1, letter c) GDPR).

Recipients/Categories of recipients:

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (ii) companies of the group to which Lidl belongs; (iii) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.

Storage period / Criteria for determining the storage period:

The data described in this section will be stored as long as you browse the website and in any case for the period necessary to pursue the purposes set out in this policy. After then the personal data are automatically deleted.

4. Use of cookies and similar technologies

Data Controller, purpose of data processing and legal basis:

Lidl Malta Ltd., with registered office in Triq il-Karmnu, Luqa LQA 1311, Malta, is the controller for data processing activities in the context of the use of cookies and other similar technologies on all (sub-) domains under www.lidl.com.mt.

Cookies are small text files that are placed on your device (laptop, tablet, smartphone or similar) when you visit our websites. Cookies do not cause any damage to your device, do not contain viruses, trojans or other types of malware. In the cookie, information is stored which is related to the specific device you use. This does not mean though, that we are directly informed about your identity. The other similar technologies for processing usage data are in particular the pixel tracker and local storage.

The use of cookies and other technologies serves the following purposes, depending on the category of the cookie or other technology:

Technically necessary: These are cookies and similar technologies, without which you cannot use our services (e.g. to display our website/functions you have requested correctly).
Convenience: These technologies allow us to take into account your actual or assumed preferences for the convenient use of our websites. For example, your preferences allow us to display our web pages in a language that is appropriate for you.
Statistics: These technologies enable us to compile anonymous statistics on the use of our services in order to tailor them to your needs. This enables us to determine, for instance, how we can adapt our websites even better to the habits of the users.
Marketing: These technologies enable us to display advertising content that is suitable for you, based on the analysis of your pattern of use. In this context, your pattern of use can also be tracked via different websites, browsers or terminal devices using a User ID (unique identifier).

You can find an overview of the cookies and other similar technologies used, including the respective processing purpose, the storage period and any third-party provider involved, here below.

Within the scope of the use of cookies and similar technologies, depending on the purpose, the following categories of personal data are processed:

Technically necessary:

User entries to remember the input over several sub-pages (e.g. to display our website/functions you have requested correctly);
Security-relevant incidents (e.g. detection of multiple failed login attempts);
Data to play multimedia content (e.g. playback of (product) videos selected by the user).

Convenience:

User interface customization settings that are not linked to a permanent identifier (e.g. the active language selection or the specific display of search queries).

Statistics:

Pseudonymized User profiles with information about the use of our websites. These include in particular:
- browser-typ/ -version,
- the operating system used,
- referrer URL (the previously visited website),
- host name of the accessing computer (IP address),
- time of the server request,
- individual user ID and
- triggered events on the website (browsing patterns).
The IP address is anonymized, so that it cannot be traced back to your person.
Based solely on the user ID itself, we cannot draw any conclusions about your person.

Marketing:

Pseudonymized user profiles with information about the use of our website. These include in particular:
- IP address,
- individual user ID,
- potential product interest and
- triggered events on the website (browsing patterns).
The IP address is anonymized, so that it cannot be traced back to your person.
Based solely on the user ID itself, we cannot draw any conclusions about your person.

The legal basis for the use of convenience, statistical and marketing cookies and of similar technologies is your consent in accordance with article 6, paragraph 1, letter a) GDPR. The legal basis for the use of technically necessary cookies and similar technologies is article 6, paragraph 1, letter b) GDPR, i.e. we process your data to provide our services in the course of initiation or performance of the contract.

You can withdraw / adjust your consent for future processing at any point, without impacting the lawfulness of the processing based on the consent until the moment of withdraw. Simply click here and make your selection. By removing the corresponding check marks, you can easily withdraw your consent to the respective processing purposes.

Cookies can be blocked at a general level. However, this block would have an impact on the use of the website and the services offered therein. All the latest browsers allow you to change the settings on cookies that are usually found in the menu of your browser under 'options' or 'preferences'. To understand how to set them up, you can consult the following links:

For information on how to manage cookies through other browsers, it is useful to consult the online help files. If this information is not sufficient, we advise you to consult the "Help" section of the browser for more details.

Recipients / Categories of recipients:

Within the scope of data processing by means of cookies and similar technologies, we use specialised service providers, especially from the sector of online marketing. These service providers process your data on our behalf as processors, are in each case carefully selected and contractually obliged in accordance with article 28 GDPR. All the companies listed as providers in our list of cookies are acting for us as processors.

Storage period / Criteria to determine the storage period:

You can find the storage period for cookies and other similar technologies in our list of cookies. If "persistent" is stated in the "expiration" column, the cookie or other similar technology is stored permanently until the corresponding consent is revoked.

5. Processing of further information

Purpose of data processing and legal basis:

In order to maintain an overview on how the information we provide to you in the context of our collaboration is used, we process additional relevant information, including publications, contributions, articles, etc. We obtain your data from generally accessible sources such as, but not limited to, websites or other means of communication, like similar websites or social media platforms.

The legal basis for the processing of your personal data for the aforementioned purposes is article 6, paragraph 1, letter f) GDPR, as we have a legitimate interest to know how the information we have released is used. Lidl's legitimate interest is balanced with your legitimate interest, as the processing of personal data is limited to what is strictly necessary for the purposes described above.

Recipients / Categories of recipients:

Storage period / Criteria to determine the storage period:

The data are kept for a period of 07 (seven) days, except in the case in which the retention for a further period is required for any disputes, requests from the competent authorities or in accordance with the applicable legislation.

6. Communication of the personal data to external media

Purpose of data processing and legal basis:

If, as a party or data subject of one of our communication contributions, you have signed a contract or provided your consent to the disclosure of your personal data to external media (e.g. journalists), the data processing takes place on the basis of the signed contract (article 6, paragraph 1, letter b) GDPR) or on the basis of your express consent (article 6, paragraph 1, letter a) GDPR). The data is only transmitted to the external media specified in the contract or in the declaration of consent, which may proceed with the publication of the contributions as independent Data Controllers.

If the legal basis is your consent, you can decide, at any time and with effect for the future, to withdraw the consent provided by means of a specific communication which must be sent to the e-mail address press@lidl.com.mt, without affecting the lawfulness of the processing based on the consent before its withdrawal. The withdrawal of consent determines the cancellation of your personal data on our part. In this respect, we have no influence on the processing or the cancellation of your personal data by external media.

Recipients / Categories of recipients:

For the aforementioned purposes, your personal data may be transferred to the following categories of recipients: (i) external media (e.g. journalists, editors of newspapers). It should be noted that the external media will act as independent Data Controllers for all subsequent processing activities carried out by them. Furthermore, in the event of publication by the external media, your data may also be viewed by subjects based outside the EU or the EEA (for details, please read the specific privacy policy); (ii) third-party suppliers of assistance and advice for Lidl with reference (e.g.) to the following sectors: technological, accounting, administrative, legal, insurance, IT; (iii) companies of the group to which Lidl belongs; (iv) subjects and authorities which right of access to personal data is recognized by law, regulations or provisions issued by the competent authorities. Depending on the specific case, these recipients will process such personal data as data controllers or processors.

Storage period / Criteria to determine the storage period:

The data are processed for the sole purpose of transmitting them to external media. However, for reasons related to internal documentation, your data are kept for a period of 07 (seven) days, except in the case in which conservation for a further period is required for any disputes, requests from the competent authorities or pursuant to applicable legislation.

In this respect, we have no possibility to influence the retention of data by external media. Further information on the data processing by the external media that may have received the data from us are provided in their own privacy policy.

7. Transfers of personal data to third countries

The recipients / categories of recipients, including those located in a third country, outside the European Union (EU) or the European Economic Area (EEA), are indicated in correspondence with each type of processing activity described in this privacy policy. Some third countries are certified by the European Commission through the so-called adequacy decisions, when they guarantee a level of protection of personal data comparable to that within the EU and the EEA. The list of these third countries is available at the following link https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. If a comparable level of protection is not guaranteed in a third country, it will be our concern to verify that the level of protection of personal data is adequately guaranteed through other measures. These are for example binding corporate rules, standard data protection clauses adopted by the Commission, certificates or codes of conduct. For more information, please contact our Data Protection Officer.

8. Your rights as data subject

8.1 Overview
In addition to the right to revoke the consent you may have granted us, you also have the following rights provided the respective statutory requirements are met:

The right of access to information about your personal data in accordance with article 15 GDPR.
The right to rectification of inaccurate data or to have incomplete data completed in accordance with article 16 GDPR.
The right to erasure of your data stored with us in accordance with article17 GDPR.
The right to restriction of processing of your data in accordance with article 18 GDPR.
The right to data portability in accordance with article 20 GDPR.
The right to object in accordance with article 21 GDPR.

8.2 The right of access to information in accordance with article 15 GDPR

You have the right, pursuant to article 15, paragraph 1 GDPR, upon request us to confirm whether or not we are processing personal data that concerns you and, if we are, to receive information free of charge on the personal data about you that have been stored with us. This includes in particular:

the purposes for which the personal data are processed;
the categories of personal data which are processed;
the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
the planned duration of the storage of your personal data or, if specific details are not possible, the criteria used to determine the period;
the right to rectification or erasure of your personal data, to restrict the processing by us (the controller) or to object to such processing;
the right to lodge a complaint with a supervisory authority;
any available information about the source of the data, if the personal data are not collected from you (the data subject);
the existence of automated decision-making, including profiling, in accordance with article 22, paragraph 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to article 46 GDPR relating to the transfer.

8.3 The right to rectification in accordance with article 16 GDPR

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of a supplementary statement.

8.4 The right to erasure in accordance with article 17 GDPR

You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they was collected or otherwise processed;
you withdraw the consent on which the processing was based in accordance with article 6 paragraph 1, letter a) or article 9 paragraph 2, letter a) GDPR, and there is no other legal ground for the processing;
you object to the processing pursuant to article 21, paragraph 1 or 2 GDPR, and there are no overriding legitimate reasons for processing;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation;
the personal data has been collected in relation to the offer of information society services to children as referred to in article 8, paragraph 1 GDPR.

In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary:

for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
for the establishment, exercise or defence of legal claims.

There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.

Where we have made the personal data public and are obliged to erase it, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform third parties which are processing your personal data that you have requested the erasure by such third parties of any links to, or copy or replication of, that personal data.

8.5 The right to restriction of processing in accordance with article 18 GDPR

You have the right to ask us to restrict (that is, store but not further process) your personal data but only where:

The accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
The processing is unlawful and you oppose the erasure of your personal data; or
We no longer need the personal data for the purposes for which they were collected but you need the personal data for the establishment, exercise or defence of legal claims; or
You exercised Your right to object and verification of our legitimate grounds to override your objection is pending.

Following your request for restriction, except for storing your personal data, we may only process your personal data:

Where we have your consent; or
For the establishment, exercise or defence of legal claims; or
For the protection of the rights of another natural or legal person; or
For reasons of important public interest.

8.6 The right to data portability in accordance with Article 20 GDPR

You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:

The processing is based on your consent or on the performance of a contract with you; and
The processing is carried out by automated means.

8.7 Right to object in accordance with article 21 GDPR

Under the conditions set out in article 21, paragraph 1 GDPR, you have the right to object to data processing on grounds relating to your particular situation.

In those cases where we only process your personal data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, you shall have the right to object to processing of your personal data by us. Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.

When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.

For the avoidance of all doubt, when we process your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which we are subject or when processing is necessary to protect your vital interests or those of another natural person, this general right to object shall not subsist.

In any case you also have the right to lodge complaints at any time with the competent data protection supervisory authority (see below).

8.8 What we may require from you

As one of the security measures we implement, before being in the position to help you exercise your rights as described above, we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.

8.9 Time limit for a response

We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if you send us multiple requests), it may take us longer than a month. In such cases, we will notify you accordingly and keep you updated.

9. Contact

9.1 Contacts for questions or to exercise your data protection rights

If you have any questions about our website or the Lidl shop(s) or would like to exercise your rights with regard to the processing of your data (data protection rights), you can contact our Customer Services:

https://www.lidl.com.mt/en/Contact-Form.htm

9.2 Contacts for questions on data protection

If you have any further questions concerning the processing of your data, you can contact our data protection officer at the following email address privacymt@lidl.com.mt. Please do not use this e-mail address for issues that do not present privacy-relevant profiles (e.g. applications and customer service contact requests).

9.3 Right to lodge a complaint with the data protection supervisory authority

You also have the right, at any time, to lodge a complaint with the competent data protection supervisory authority. You can contact the Office of the Information and Data Protection Commissioner, the data protection supervisory authority of Malta by email on: idpc.info@idpc.org.mt or by telephone on (+356) 2328 7100.

We kindly ask that you please attempt to resolve any issues you may have with us first (even though, as stated above, you have a right to contact the competent authority at any time).

10. Name and contact details of the controller responsible for the processing and contact details of the company's Data Protection Officer

This privacy policy applies to the data processing carried out on the website www.corporate.lidl.com.mt by Lidl Malta Limited, the Administration Office, Triq Il-Karmnu, Luqa, LQA1311 (“Data Controller”). The data protection officer for Lidl Malta Limited can be contacted using the above address.