Thank you for using the Lidl App application (hereinafter: the app) and for your interest in the data protection terms. We want you to feel safe and secure when using our app and consider the implementation of data protection as a customer-centred quality feature.

The following data protection terms provide you with information about the type and extent of personal data processing by Lidl Cyprus (for the purpose of this data protection notice referred to as "Lidl", "we" or "us"). Personal data is information that is or can be attributed directly or indirectly to you. The legal basis for data protection is, in particular, the General Data Protection Regulation (GDPR).

Linking with Lidl Plus

In order to identify you as a Lidl Plus App user, we will forward your advertising identifiers: (i) IDFA (Identifier for Advertising = advertising identification for iOS devices) or (ii) the Android advertising ID or (iii) Huawei ID, if you have consented to our tracking technologies, to Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74167 Neckarsulm (“Lidl Stiftung”). The legal basis for this processing is Article 6 (1) (f) GDPR. The legitimate interest is to identify overlaps in the use of the Lidl Plus App and the Lidl Shopping App. This comparison is not personal.

Overview of content

1. Summary

2. Downloading our app from the App Store

3. Using our app

4. Accessing the functions and sensors of your mobile terminal device

5. Usage analysis and personalized advertising

6. Recipients outside the EU

7. Rights of data subjects

8. Contact person

9. Name and contact details of the controller and contact details of the business data protection officer

1. Summary

Data processing by Lidl Cyprus when using our app can be divided essentially into three categories:

When downloading our app the necessary information is transmitted to the respective App Store.

Our app needs to have access to various functions and sensors of your mobile terminal device so that you can use different features, such as finding Lidl stores in your area.

When using our app various information is exchanged between your mobile terminal device and our server. Such information concerns personal data. Information collected in this way is used inter alia

to facilitate your purchases at Lidl stores;

to improve our app, and

to display advertisements on your mobile terminal device's browser through so-called push notifications.

2. Downloading our app from the App Store

Each App Store provider (Apple App Store or Google Play) automatically processes the following data when you download our app:

the App Store username;

the e-mail address entered in the App Store;

your App Store account number;

the loading time;

payment information, and

the individual device ID number.

We do not have any influence on this data collection and are not responsible for it. More information about the data processing in question can be found in the respective App Store manager's data protection terms:

Google Play Store: https://policies.google.com/privacy?hl=el&gl=el

Apple App Store: https://www.apple.com/legal/privacy/en-ww/

3. Using our app

Data protection objectives/legal bases:

When using our app, the following are automatically forwarded to the servers without our own action:

the mobile terminal device from which you used our app;

the IP address of your mobile terminal device;

login date and time;

client request;

the http response code;

the volume of data transmitted, and

the version of the app you are using.

These are temporarily stored in a log for the following purposes:

protecting our systems;

error analysis;

abuse or fraud prevention.

The legal basis of the IP address processing is Article 6(1)(f) of the GDPR. Our legitimate interest derives from the above-mentioned purposes of data processing.

Storage duration/criteria for setting the storage duration:

The data is stored for a period of fourteen days and then deleted automatically.

4. Accessing the functions and sensors of your mobile terminal device

Data protection objectives/legal bases:

Locations

If you have given your consent to the use of so-called "geolocation" when using our app or the settings of your mobile terminal device through the "allow access" box, we will use this feature so we can provide you with personalised services related to your current location. We process your location as part of the "find a store" feature via GPS and network so we can show you the store that is closer to you.

Photos/media/data on your mobile terminal device/USB storage contents (read, modify, delete)

When you create a shopping list through our app, it is stored directly on your mobile terminal device or on a connected storage medium, regardless of where your app is installed and the available storage space.

Wireless network connection information

Our app uses your mobile terminal device's wireless network to establish a connection to the Internet

Other features or sensors on the device

By accessing the other features and sensors of your mobile terminal device, our app can in particular retrieve data from the internet and process error messages. In addition, the app can run on startup and the device's idle state can be deactivated. Once you have given the required consent, the app can send you push notifications to update you on current offers and promotions.

The legal basis for processing your locations is your consent under Article 6(1)(a) of the GDPR.

Storage duration/criteria for setting the storage duration:

Your location information is deleted after closing our app.

5. Usage analysis and personalized advertising

Purposes of data processing / legal bases

With your consent we create and process pseudonymized user profiles for the following purposes:

• Optimization of our services and your functions,
• Improving our offers and promoting our products through advertising campaigns,
• Display ads according to your interests (e.g. through notifications and banner ads on third party services).

At the same time, the following types of personal data are processed:

• Name of the mobile device from which you start our application,
• Fingerprint of your terminal device for identification, consisting of

- Time of access,

- Country and language,

- Local settings,

- Operating system and its version as well as the version of the application,

• Browser type / version,
• Transfer Protocol Code (HTTP-Header)
• IP address or MAC in anonymized form,
• Mobile session IDs,
• Apple Device IDs (Apple IDFA) or Google (Google GAID) (iOS or Android OS Identification Number for Advertising Purposes. Can be removed or disabled at any time via the operating system),
• Request time on the server,
• Installation and event data related to our services, in particular:

- Which parts of the application / website you visited and

- What actions you took there.

• Application and event token
• Token of notifications

With your consent we create these pseudonymized user profiles with your personal data from the Lidl client account and we evaluate your behavior as a user on the websites linked to the page www.lidl.com.cy, mobile applications as well as Newsletters from us and our partner companies (Lidl Dienstleistung GmbH & Co. KG, Lidl Digital International GmbH & Co. KG) for advertising purposes.

The legal basis for the above processing is your consent in accordance with article 6 par. 1 point a) of the GDPR.

You can revoke your consent at any time for all of the above or for individual purposes from the "Legal Notices / Tracking" menu of this application with future validity.

This application additionally uses the "Google Signals" feature to extend the evaluation of the traffic flows from the devices with the statistical reports of Google products. The Google Signals feature only applies to users who during sessions are signed in with a Google Account and have enabled "personalized advertising" on their Google Account. With Google Signals, we do not receive in-depth information about specific individuals or have the ability to clearly identify you or your terminal device. If you want to disable this feature, you can set up your Google Account accordingly. Additional information on how to customize Google Ads settings can be found at https://support.google.com/ads/answer/2662856?hl=en Additional information on Google Signals can be found here

https://support.google.com/analytics/answer/7532985?hl=en#zippy=%2Cin-this-article

Recipients / categories of recipients:

In the context of the processing of usage data we use the services of special providers, especially from the field of Online-Marketing. They process your data on our behalf as processors, are carefully selected each time and are contractually bound in accordance with Article 28. Your data may be passed on to further third parties, to the extent that there is a corresponding legal provision.

As part of our collaboration with Facebook, aggregate events are transferred to Facebook through our applications. Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (Facebook) is jointly responsible with us for the processing related to this process in accordance with Article 26 GDPR. You can see here the agreement based on this partnership with Facebook. The link collects data on your use of our application and compares it with Facebook data, so that the appropriate ads on the websites and applications of Facebook and partner companies are displayed to you. Facebook also uses the data for its own advertising purposes as well as for third party advertising purposes in accordance with Facebook's data policy. In it you can find additional information on how you can assert as a data subject your rights listed below, directly against Facebook in relation to the processing of your data by Facebook.

As part of our partnership with Google LLC, the above data is also being processed on a Server in the USA.

Storage time / criteria for determining the storage time:

Your personal data is processed in an anonymized form, up to the point where it is feasible and meaningful according to the purpose of the processing. After anonymization, it is no longer possible to draw conclusions about you. Besides that, the above data will not be kept for more than 26 months, in particular if you revoke your consent.

6. Recipients outside the EU

Except for the processing by Google Analytics, described in item 5, we do not transfer your data to recipients located outside the European Union or the European Economic Area. The above data processing involves data transfer to Google Inc.'s servers in the USA. By decision of 12.7.2016, the European Commission ruled, regarding the USA, that there is a reasonable level of data protection based on the EU-US Privacy Shield rules (so-called "adequacy decision" in accordance with Article 45 of the GDPR). Our service provider is Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, which is certified in accordance with the EU-US Privacy Shield.

7. Rights of data subjects

7.1 Overview

In addition to the right to withdraw the consent you have given us, you also have the following rights, provided the legal requirements are met:

Right to access your stored personal data pursuant to Article 15 of the GDPR;

Right to rectify erroneous or inaccurate data in accordance with Article 16 of the GDPR;

Right to erase your personal data stored in accordance with Article 17 of the GDPR;

Right to restrict processing of your data in accordance with Article 18 of the GDPR;

Right to data portability in accordance with Article 20 of the GDPR;

Right to object in accordance with Article 21 of the GDPR.

7.2 Right of access in accordance with Article 15 of the GDPR

You have the right to be informed free of charge, at your request, in accordance with Article 15(1) of the GDPR, of ​​the personal data we have stored for you. The information shall in particular concern:

the purposes of the processing of personal data;

the categories of personal data we process;

the recipients or categories of recipients to whom your personal data have been or will be disclosed;

the period for which your personal data will be stored or, if not possible, the criteria used to determine that period;

the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

the existence of the right to lodge a complaint with a supervisory authority;

any available information about their origin when personal data are not collected by the data subject;

the existence of an automated decision-making process including profiling provided for in Article 22(1) and (4) of the GDPR and, at least in these cases, significant information on the rationale followed and the significance and foreseeable consequences of the processing in question for the data subject.

Where personal data is transmitted to a third country or an international organisation, the data subject shall have the right to be informed, in accordance with Article 46 of the GDPR of ​​the existence of appropriate safeguards on such transfer.

7.3 Right to rectification in accordance with Article 16 of the GDPR

You have the right to ask us to immediately rectify any inaccuracy in your personal data. Taking into account the purposes of the processing, you have the right to ask for any incomplete personal data to be filled in, including by means of a supplementary declaration.

7.4 Right to erasure in accordance with Article 17 of the GDPR

You have the right to ask us to immediately erase the personal data concerned if one of the following reasons is true:

your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;

you withdraw your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal ground for processing;

you object to processing under Article 21(1) or (2) of the GDPR and there are no compelling legitimate grounds for the processing in accordance with Article 21(1) of the GDPR;

the personal data were illegally processed;

the personal data must be erased in order to comply with a legal obligation;

the personal data have been collected in connection with the provision of information society services in accordance with Article 8(1) of the GDPR.

When we have published your personal data and are obliged to erase it, taking into account available technology and application costs, we will take reasonable steps to inform third parties processing your personal data that you require and ask them to erase any links with such data or copies or reproductions of such personal data.

7.5 Right to restrict processing in accordance with Article 18 of the GDPR

You have the right to ask us to restrict processing when one of the following conditions is true:

you question the accuracy of personal data;

processing is illegal and, instead of erasure, you are requesting restriction of use of personal data;

the data controller no longer requires personal data for the purpose of processing, but such data is required by the data subject to establish, exercise or support legal claims, or

you have objections to processing pursuant to Article 21(1) of the GDPR, pending verification that the legitimate grounds of the controller override the data subject's grounds.

7.6 Right to data portability in accordance with Article 20 of the GDPR

You have the right to receive the personal data provided to us in a structured, commonly used and machine readable format, as well as the right to transfer such data to another controller without objection by us when:

processing is based on consent in accordance with Article 6(1)(a) or Article 9(2)(a) or a contract in accordance with Article 6(1)(b) of the GDPR, and

processing is carried out by automated means.

When exercising the right to data portability, you have the right to request that personal data be transmitted directly from us to another controller, if this is technically feasible.

7.7 Right to object in accordance with Article 21 of the GDPR

You may object to data processing for other reasons resulting from the specificity of the situation, under the conditions of Article 21(1) of the GDPR

The above general right to object applies to all data processing purposes described in these data protection terms, regarding data which is processed pursuant to Article 6(1)(f) of the GDPR. Unlike the special right to object to data processing for advertising purposes (see above, in particular points 9 and 7.6), we have an obligation to apply the general right to object under the GDPR only if you state to us grounds of overriding importance, e.g. a potential risk to life or health. In addition, you can contact the supervisory authority responsible for Lidl Cyprus or the data protection officer of Lidl Cyprus.

8. Contact person

8.1 Contact person for enquiries or for exercising your rights in relation to data protection

For enquiries regarding the webpage or the Lidl app or for exercising your rights when processing your data (data protection rights), you can contact customer service:

Customer Service

8.2 Contact person for enquiries regarding data protection

If you have any other enquiries about processing your data, you can contact your business data protection officer of Lidl Cyprus (see Point 10).

8.3 Right to lodge a complaint with the supervisory data protection authorities

In addition, you have the right to lodge a complaint at any time with the competent data protection supervisory authority. You can contact the data protection supervisory authority, in particular in the Member State where you have your habitual residence or place of work or the place where the suspected infringement has been committed or the authority of the State where the controller is located.

9. Name and contact details of the controller and contact details of the business data protection officer

These data protection terms apply to data processing via LIDL Cyprus, Industrial Area, Emporiou Street 19, CY- 7100, Aradippou - Larnaca ("Controller") including the lidl app. You can contact the business data protection officer of Lidl Cyprus at the above address, attention Data Protection Officer or at dataprotection@lidl.com.cy.