Upon entering the website of Lidl Cyprus, various items of data are exchanged between your terminal and our server. In this event, personal data may also be processed. Data collected in this manner will also be used to improve our website or for advertisement on your terminal’s web browser. 

Purpose of data processing / Legal basis:

Upon entering our website your terminal’s web browser will automatically send, with no action on your part,

• the IP address of the device with internet access from which the request was submitted,
• the date and time of access,
• the name and the URL of the file requested,
• the website/ application from which the access was carried out (referrer-URL),
• the browser used and the operating system of the computer you are using with Internet access, as well as the access provider

to our website’s server; this information will temporarily be stored on a log file for the following reasons:

• to guarantee a correct connection,
• to guarantee comfortable use of our website/ application, 
• to evaluate the security and stability of our system. 

If you have consented to geolocation on your browser or your operating system or in other settings on your terminal, we will use this function to be able to provide you with tailored services regarding your current position (e.g. the location of our nearest store). We will process your location data that was received in this way exclusively for this function.
The legal basis for processing your IP address is Article 6(1)(f) of the General Data Protection Regulation (hereinafter: GDPR). Our legitimate interest arises from the data processing aims mentioned above.

Recipients/ Categories of recipients:

As a rule, we do not transfer this data to third parties.

Duration of storage/ criteria for determining the duration of storage:

The data are temporarily stored during the session and then automatically deleted. As soon as you stop using our website your geolocation data are deleted.

Purpose of data processing / legal basis:

The personal data you provide while filling out a contact form, by telephone or e-mail, will automatically be treated confidentially by us. We will use your data exclusively for the specific purpose of processing your request. The legal basis for data processing is Article 6(1)(f) of the GDPR. Both our and your concurrent (legitimate) interest in the processing in question derives from the goal of offering you an answer and, possibly, resolving any problems you may be facing, and in this way maintaining and providing further satisfaction to you as a customer or a user of our website.

If you participate in our customer surveys, this is purely on a voluntary basis. During such anonymous surveys, data that will allow conclusions to be drawn regarding the survey participant are not stored. Only the date and time of your participation is stored. All personal data provided in your responses to our survey will be considered to have been provided voluntarily and will be stored in accordance with the GDPR. Please do not mention your name or other similar information which will allow for conclusions to be drawn regarding yourself or other persons in the free text fields. If you provide your consent in the framework of a customer survey, the legal basis for data processing based on consent is Article 6(1)(a) of the  GDPR. If you have provided your consent in the framework of a customer survey, the consent in question can be withdrawn at any moment henceforth. More detailed provisions regarding these cases can be found in the special data protection principles of each customer survey.

Recipients/ Categories of recipients:

As a rule, we do not transfer data to third parties. Exceptionally, the data may be processed by third parties at our request.  Those parties are selected carefully each time, checked by us, and are contractually bound in accordance with Article 28 of the GDPR.

Furthermore, we may be required to transfer excerpts of your request to parties contracted with us (e.g. suppliers, with respect to requests regarding products), in order to process your request.  If transmission of your personal data is required in isolated cases we will contact you in order to obtain your consent.

As a rule, the results of our customer surveys are only used for internal evaluations. As a rule, we do not transfer data to third parties. We do not transfer your personal data to third parties, unless we receive your explicit consent.

Duration of storage/ criteria for determining the duration of storage:

All personal data you provide us with in the framework of requests (proposals, praise, or criticism) through this website or via e-mail, will be deleted by us or will become anonymous 90 days after the final reply provided. Our experience has shown that, as a rule, no further clarifications regarding your answers are requested after 90 days.

Purpose of data processing / Legal basis:

You can participate in competitions through our website, our newsletter or the Lidl application. If there is no other provision in the special data protection principles of each competition, or if you have not additionally provided us with your explicit consent, the personal data that you transfer to us in the context of your participation in the competition will be used exclusively in order to carry out the competition (e.g. announce the winners, inform the winners, send the prize). The legal basis for data processing is primarily Article 6(1)(b) of the GDPR. If you provide your consent in the context of a competition, Article 6(1)(a) of the GDPR is the legal basis for data processing based on consent. If you provided your consent in the context of a competition, you may withdraw your consent at any time, with effect for the future. More detailed provisions regarding these cases can be found in the special data protection principles of each customer competition.

Recipients/ Categories of recipients:

Transfer to third parties is only carried out if it is necessary for the implementation of the competition (e.g. despatching the prize via a cooperating company). As a rule, we do not transfer data to further third parties.

Duration of storage/ Criteria for determining the duration of storage:

After the end of the competition and the announcement of the winners, the personal data of the participants are deleted. If the prize is a material item, winner data are saved for as long as there are legitimate guarantee claims, so that it is possible to repair or exchange the item in case of a defect at a later date.

Purpose of data processing / Legal basis:

With your consent we analyse user behaviour in the framework of our online presence, as well as in the newsletters we send you. User behaviour evaluation, more specifically, includes the sections of the website that you visit and which links you use there.  With this information we create tailored usage profiles that are categorised by person and/or e-mail address, in order for the advertisement offers of Lidl Cyprus in the form of newsletters, advertisement messages on our website and our printed advertisements to be better adapted to your personal interests and to improve our online offers.

The legal basis for the aforementioned processing is Article 6(1)(f) of the GDPR, or, in the case of consent provided in the same context, Article 6(1)(a) of the GDPR. Processing the data of existing customers for advertisement reasons or advertisement reasons of third parties, must be perceived as being of legitimate interest.

Right to object

You can object to the processing of your data for the aforementioned reasons at any time and at no cost, separately for each channel of communication, with effect for the future. All you have to do is send an e-mail message or a letter addressed to the contact information found in section 14.

Recipients/ Categories of recipients:

As a rule, we do not transfer these data to third parties.

Duration of storage/ criteria for determining the duration of storage:

If you withdraw your consent to individual advertisement media or if you object to certain advertisement media, your data will be deleted from the corresponding e-mail delivery systems.

If you object, the contact address in question will be blocked from future advertisement data processing. We would like to point out that in exceptional cases we may temporarily continue to send advertisement material even after receiving the opt-out request.  This is technically dependent on the required delivery time of advertisement messages and it does not mean that we are not complying with your request to object. Thank you for your understanding.

Purpose of data processing / Legal basis:

On our website we provide you with the opportunity to subscribe to our newsletter. If you consent to receiving our newsletter we will use your e-mail address and, possibly, your name in order to send (if it is possible, personalised) information regarding products, promotional actions, competitions and news regarding offers of live streaming, stores, as well as regarding customer satisfaction surveys. We will save and process these data in order to send newsletters.

By agreeing to receive the newsletter, you declare that you are at least 16 years old. Subject to the provisions of Article 8 (1) of the GDPR (Conditions applicable to child's consent in relation to information society services).

The contents of the newsletter include promotional actions (offers, discounts, competitions, etc.), as well as products and services of Lidl Cyprus stores as well as information about the products and services of the (partner) companies affiliated with www.lidl.com.cy. These are currently in particular:

Lidl Stiftung & Co KG (https://www.lidl.com.cy/en)

With your consent, we analyse your user behaviour on websites linked to www.lidl.com.cy, mobile applications, and newsletters. Assessment of user behaviour includes, in particular, the parts of the respective website, mobile application or newsletter of ours and our partner Lidl Stiftung & Co KG (https://www.lidl.com.cy/en) that you visited, and the links you activated. With this information we create usage profiles which are categorised by person and/or e-mail address, in order for the advertisement offers of Lidl Cyprus in the form of newsletters, advertisement messages on our website and our printed advertisements to be better adapted to your personal interests and to improve our online offers.

The legal framework for the processing of data in the framework of newsletter dispatches is consent in accordance with Article 6(1)(a) of the GDPR.

In order to ensure that you have not made an error while entering your e-mail address, we have put into place a double-opt-in process: After entering your e-mail address in the specified field, we send you a confirmation link. Only if you select the confirmation link in question will your e-mail address be sent to our delivery systems.

You may withdraw your consent for receiving our newsletter, for participating in customer satisfaction questionnaires, and in the creation of personalised usage profiles at any time henceforth, e.g. if you unsubscribe from our newsletter through our website. The link to the page where you can unsubscribe can be found here or at the end of every newsletter. By unsubscribing from our newsletter you are revoking your consent for the creation of a personalised usage profile and receiving the tailored newsletter. In this event, your data are deleted by us.

7.1 Cookies – General information

On our websites we use cookies, based on Article 6(1)(f) of the GDPR. Our interest in optimising our website must be considered legitimate, in the sense of the aforementioned provision. Cookies are small files which are stored on your terminal (laptop, tablet, smart phone, etc.) when you visit our website. Cookies do not harm your device, they do not contain viruses, trojans, or other harmful programmes. Cookies collect data which are produced separately in relation to the specific device used. This does not mean that we have direct knowledge of your identity through them. The use of cookies aims, on the one hand, at offering you a more comfortable use. For that reason we use the so-called session cookies to recognise that you have already visited separate pages on our website. They are automatically deleted when you leave our website. Apart from that, we use temporary cookies in order to facilitate use, which are stored for a determined period of time on your device. If you visit our website again in order to use our services, we automatically recognise that you have already visited us in the past, what entries you made / settings you changed, so that you don’t have to execute the same actions again.  

On the other hand, we use cookies to statistically analyse the use of our website, aiming at optimising our offers, as well as promoting information that is tailored to you. The cookies in question allow us to automatically recognise that you have visited us before upon your next visit to our website. The cookies in question are automatically deleted after a predetermined period of time. Most browsers automatically accept cookies. However, you can adjust the settings on your browser in such a way that they do not save cookies on your computer or that a notification appears before every new cookie is saved. However, full deactivation of cookies may result in the inability to use certain functions of our website. 

You will find a summary of the cookies used with additional information (e.g. how long they will be saved for) and the possibility to object to the Cookie Terms.

7.2 Google Analytics 

Purpose of data processing / Legal bases:

In order to constantly optimise and adjust our websites in accordance with your needs, we use Google Analytics, an online analysis service of Google Inc. (‘Google') based on Article 6, paragraph 1, item f) of the GDPR. Our legitimate interest originates from the aforementioned aims. In this context, 'pseudonymised' usage profiles are created and cookies are used. Cookies record the following data regarding the use of this website:

• type/ edition of browser
• operating system used
• Referrer-URL (the previous website you visited),
• Host name of access computer (IP address), 
• time of server request.

The information is used to evaluate the use of our websites, to compile reports regarding website activity, and to provide additional services connected to website and internet use for purposes of market research and to adjust the websites in question depending on the needs. IP addresses are made anonymous, so that it is impossible to match them (so-called IP masking). 

You can obstruct cookie installation through the corresponding setting on your browser programme. However, we should point out that in such a case you may not be able to use all the functions of that website. You can also obstruct data analysis created by cookies concerning the use of this website (including the IP address) as well as the processing of the data in question by Google, if you load and install this browser extension. Instead of this browser extension you can also stop analysis by Google Analytics, especially on mobile device browsers, if you click on this link. An opt-out cookie is created which blocks future analysis of your data during your visit to this website. The opt-out cookie is only in effect in this browser and only for our website and is only stored on your device. If you delete the cookies from this browser you must save the opt-out cookie again. More information regarding data protection in relation to Google Analytics can be found at the Google Analytics website. 

This website uses the "Google Signals" function to expand statistical reports created with Google Analytics to include a cross-device evaluation of visitor flows. Google signals only applies to users who are logged into the sessions with a Google account and have activated the "Personalized advertising" function in the Google account. Google signals do not give us any more in-depth information about specific individuals or ways to uniquely identify you or the device you are using. Google only provides us with general demographic information (gender, age group), possible interests and, if applicable, information on whether stationary Lidl branches have been visited. If you wish to deactivate this function for yourself, you can set this in your Google account. You can find more information about the customization options for Google advertising settings at https://support.google.com/ads/answer/2662856. You can find more information about Google signals here.

Recipients/ Categories of recipients:

Data created by cookies are transmitted to a Google server in the USA and are stored there. In no case is your IP address merged with other Google data. Also, the data in question may be transferred to third parties if it is foreseen by law or if the third parties have been authorised to process these data. 

Duration of storage/ Criteria for determining the duration of storage:

After the masking of the IP address it is no longer possible for it to be connected to your person. The data created for statistical reasons are deleted by Google Analytics after 50 months. The reports compiled based on Google Analytics no longer refer to individuals.

7.3 Targeting on the website and website optimisation

Purpose of data processing / legal bases:

Data may be analysed and evaluated on our website with the use of cookies, in order to optimise our websites and the advertisements shown on them. In this way we ensure that only an advertisement that is tailored to your real or speculated interests will be displayed on your terminal, based on your use up to that point. The information processed to this end will include, for example, data regarding the products you have shown an interest in. The legal basis for processing the data in question is Article 6, paragraph1, item f) of the GDPR. Therefore, the optimisation of our websites in order to improve your shopping experience and avoid displaying advertisements that are of no interest to you, is both in our interest and yours. Analysis and evaluation is carried out exclusively using a nickname and does not allow us to identify you. Specifically, the data is not merged with your personal data.

Recipients/ categories of recipients:

Data recipients are the aforementioned service providers who process your data on a contractual basis, only for a specific destination and in accordance with our guidelines.

Duration of storage/ criteria for determining the duration of storage:

The Cookies used here and the data contained in them are stored in accordance with the Cookie Terms and are deleted immediately if you object.

7.4 Re-targeting

Purpose of data processing / Legal Basis:

We also use re-targeting technology from various providers. This allows us to shape our online offer in a way that is interesting to you. To that end a cookie is created which collects data that are of interest with the use of a nickname. Specifically, data are anonymously collected regarding web browsing for commercial promotion aims and are stored in cookie data files on your computer and analysed via an algorithm. Then targeted product recommendations and tailored banners with products of ours that may be of interest to you can be displayed on the websites of our partners. In no case can these data be used to identify visitors to the website. No processing of direct personal data is carried out and usage profiles are not merged with personal data. The processing in question is carried out based on Article 6(1)(f) of the GDPR. With the use of targeting measures we aim to ensure that only advertisements that are tailored to your real or speculated interests will be displayed on your terminals. It is both in our interest and yours not to encumber you with advertisements of no interest to you.

If, however, you do not wish to see Lidl’s e-shop tailored banners displayed, you can object to the collection and storage of data in question in the future by carrying out the following action:

• By clicking on the symbol that appears on each advertisement banner (e.g.  “i”) you can jump to the website of each individual provider. The systematics of re-targeting technology is clarified anew there and the possibility to opt out is made available. If you unsubscribe from a provider, the so-called opt-out cookie is saved on your computer, which blocks the display of each provider’s advertisement banner in the future.  Please take into account that opting out can only be carried out from your computer and that the opt-out cookies may not be deleted from your computer.
• Alternatively, you can use the opt out options presented in section 7.5 of the data protection terms.

Recipients/ Categories of recipients:

We use re-targeting technologies on our websites from various providers who process the aforementioned data in the framework of re-targeting. You can find further information regarding the cookies used by the providers in question in the Cookie Terms.

Duration of storage/ criteria for determining the duration of storage:

The cookies used for re-targeting and the data contained in them are stored for the amount of time mentioned in the Cookie Terms and are then deleted automatically.

7.5 Opting-out

You can block the targeting technologies analysed in sections 7.3 and 7.4 by adjusting the cookie settings on your browser (see also section 7.1). At the same time you have the opportunity to block interest based tailored advertisements  with the help of a so-called Preference manager or the activation of opt-out cookies submitted in accordance with section 7.4.

Responsible entities for and purposes of data processing / legal bases:

We, the Lidl Cyprus, Pigasou Street 2, CY-7100, Industrial Area of Aradippou, Larnaca are the controller for data processing activities in the context of the use of cookies and other similar techniques to process usage data on all (sub-) domains under www.lidl.com.cy.

Cookies are small text files that are placed on your device (laptop, tablet, smartphone or similar) when you visit our websites. Cookies do not cause any damage to your device, do not contain viruses, trojans or other types of malware. In the cookie, information is stored which is related to the specific device you use. This does not mean though, that we are directly informed about your identity. The other similar technologies for processing usage data are in particular the pixel tracker, the local storage, the session storage and the cache storage.

As part of the use of the so-called Facebook pixel, cookies are used on our website with your consent (see cookies with provider or name "Facebook" in our Cookie Policy). For the processing of data related to the Facebook pixel, Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook), is also jointly with us a data controller in accordance with Article 26 GDPR. You can access the contract governing the cooperation with Facebook here. The Facebook pixel collects data about your use of our website and compares it with data from Facebook in order to show you ads from us that are tailored to you on Facebook websites. Facebook also uses the data for its own online purposes and for third-party advertising purposes, in accordance with Facebook's Data Policy. It also contains further information on how you can exercise your rights as a data subject, as described below, directly against Facebook in relation to your data processed by Facebook.

The use of cookies and other technologies serves the following purposes, depending on the category of the cookie or other technology:

• Technically necessary: These are cookies and similar methods, without which you cannot use our services (e.g. to display our website/functions you have requested correctly, to remember your registration in the login area etc.).
• Convenience: These technologies allow us to take into account your actual or assumed preferences for the convenient use of our websites. For example, your preferences allow us to display our web pages in a language that is appropriate for you. It also helps us to avoid showing you offers that may not be available in your area.
• Statistics: These technologies enable us to compile anonymous statistics on the use of our services in order to tailor them to your needs. This enables us to determine, for instance, how we can adapt our websites even better to the habits of the users.
• Marketing: This enables us to display advertising content that is suitable for you, based on the analysis of your pattern of use. In this context, your pattern of use can also be tracked via different websites, browsers or terminal devices using a User ID (unique identifier).

You can find an overview of the cookies and other similar technologies used, including the respective processing purpose, the storage period and any third-party provider involved, here.

Within the scope of the use of cookies and similar techniques to process usage data, depending on the purpose, in particular the following categories of personal data are processed:

Technically necessary:

• User entries to remember the input over several sub-pages (e.g. to select your preferred store in the Lidl Store Finder);
• Data to play multimedia content (e.g. playback of (product) videos selected by the user).
• Saves the user consent status for the use of cookies in the current domain.

Convenience:

• User interface customization settings that are not linked to a permanent identifier (e.g. the active language selection or the specific display of search queries or maps in the section “Store finder”)

Statistics:

• Pseudonymized User profiles with information about the use of our websites. These include in particular:
  • browser-typ/ -version,
  • the operating system used,
  • referrer URL (the previously visited website),
  • host name of the accessing computer (IP address),
  • time of the server request,
  • individual user ID and
  • triggered events on the website (browsing patterns).
• The IP address is anonymized on a regular basis, so that it generally cannot be traced back to your person.

• We only combine the user ID with other data from you (e.g. name, email address, etc.) with your express consent (see e.g. section 12 of this privacy policy). Based solely on the user ID itself, we cannot draw any conclusions about your person.

Marketing:

• Pseudonymized user profiles with information about the use of our website. These include in particular:
  • IP address,
  • individual user ID,
  • potential product interest,
  • triggered events on the website (browsing patterns). 
• The IP addresses are anonymized on a regular basis, so that it generally cannot be traced back to your person.
•  

The legal basis for the use of convenience, statistical and marketing cookies and of similar technologies is your consent in accordance with article 6, paragraph 1, letter a) GDPR. The legal basis for the use of technically necessary cookies and similar technologies is article 6, paragraph 1, letter b) GDPR, i.e. we process your data to provide our services in the course of initiation or performance of the contract.

You can revoke / adjust your consent vis-à-vis all controllers (i.e. next to us Lidl Stiftung & Co. KG) at any time with effect for the future, without affecting the legitimacy of the processing based on the consent until the moment of revocation. Simply click here and make your selection. By removing the corresponding check marks, you can easily revoke your consent for the respective processing purposes.

For advertising purposes, we cooperate with partner companies, which within the scope of the integrated contents, may use their own cookies on their own responsibility and, where necessary, obtain consent. Notwithstanding the fact that these cookies are also included in the above-mentioned outline of information for technical reasons, we have no access to these cookies and are not (jointly) responsible for the data processing activities. You can find further information on this in the privacy policy of these partners.

Recipients/ Categories of recipients:

Within the scope of data processing by means of cookies and similar techniques to process usage data, we use specialised service providers, especially from the sector of online marketing. These service providers process your data on our behalf as processors, are in each case carefully selected and contractually obliged in accordance with Article 28 GDPR. All the companies listed as providers in our cookie regulations are acting for us as processors, unless they are named as (joint) controller at the beginning of this paragraph.

To the extent covered by your respective consent, your data will also be collected as described above by Lidl Stiftung & Co. KG as separately or joint controller. If you have consented to processing for marketing purposes, we may share your user ID and the associated user profiles with third parties via providers of advertising networks.

In the context of our cooperation with Google LLC and Facebook Ireland Limited, the processing of the above-mentioned data for statistical and commercial purposes is usually also carried out on servers in the USA.

Storage period/ Criteria to determine the storage period:

You can find the storage period for cookies and other similar technologies in our Cookie policy. If "persistent" is stated in the "expiration" column, the cookie or other similar technology is stored permanently until the corresponding consent is revoked.

Purpose of Data Processing / Legal Basis

Apart from the information you share with us directly via social networks, we also use Social Listening tools in order to get a better picture of our products and services, and to identify any areas for improvement. We therefore use online platforms (Facebook, Instagram, etc.), as well as search requests (e.g. for a new range of products). Only your public posts, which are accessible to the broad public, can be shown here.

The extent of the data collected depends mainly on the nature and content of the corresponding post, which can, for example, be in the form of a text or image posted by you. In certain isolated cases, the corresponding user ID may be relevant if Lidl wishes to offer a solution to a potential problem. We also receive information from the platform operators regarding the impact of each of our posts.

The legal basis for the processing of personal data as part of Social Listening is Article 6(1)(f) GDPR, since we have a legitimate interest in identifying any shortcomings in our products and services in openly accessible statements so that we may respond accordingly.

Recipients / Categories of Recipients:

Personal data processed as part of Social Listening are not disclosed to external third parties.

Storage period / Criteria determining the storage period:

The relevant data are not permanently stored by Lidl, but are only analysed in a targeted manner in relation to any required countermeasures.

If we transfer data to recipients in a third country (registered office outside the European Economic Area), you can refer to the information on the recipients/categories of recipients in the description of the respective data processing. For some third countries, the European Commission certifies by means of so-called adequacy decisions a data protection standard that is comparable to the level in the European economic area. A list of these countries can be found at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html  If there is no comparable data protection standard in a country, we ensure that data protection is adequately guaranteed by other measures. This is possible, for example, via binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates, or recognized codes of conduct. Please contact our data protection officer (Section 14) if you need more information.

Contractual relationships with business partners

The following data protection notice apply to you if you are a business partner of Lidl or its legal representative, employee, shareholder (where applicable) of the business partner or financial beneficiary. The business partners are legal or natural persons who are in negotiations with Lidl for the establishment of a business relationship or who are already parties in a corresponding business relationship with Lidl. Employment or training contracts are expressly excluded.

Purposes of data processing/ legal basis

To fulfill our contractual obligations (Art. 6 par. 1 b) GDPR)

If you, as a natural person, are a business partner of Lidl, the purposes of the data processing result from the implementation of pre-contractual measures, which precede a contractually regulated business relationship and in the fulfilment of the obligations under contract.

To comply with our legal obligation (Art. 6 par. 1 c) GDPR)

In addition, the processing of personal data in the business partner context may be necessary in individual cases to meet legal requirements. The specific purposes of data processing then result from the relevant legal requirements. These legal obligations include the fulfillment of storage and identification obligations, for example within the framework of anti-money laundering prescriptions, tax control and reporting obligations as well as data processing in the context of requests from relevant authorities or compliance checks in conjunction with the relevant mandatory laws.

To fulfill our legitimate interests (Art. 6 par. 1 f) GDPR)

If you are an employee, legal representative (e.g. managing director or authorized signatory), shareholder or beneficial owner of one of our business partners, we collect and process your above data in the context of the business partner relationship to fulfill our legitimate interests.

The legitimate interests here are in particular the selection of suitable business partners, the implementation of social audits to check compliance with social standards, the implementation of surveys on evaluations of company, the processing of contact details for contact persons, the assignment of work results to individual business partners, the booking of business transactions, negotiating with contact persons who are not or will not be direct business partners as well as processing as part of the digitization process. Other legitimate interests are the invitation to events, exercise of legal claims and avoidance of legal disadvantages (e.g. in the case of bankruptcies), legitimation checks, defense against dangers and liability claims and avoidance of legal risks and economic disadvantages, detection and processing of potentially harmful e-mails, physical and logistical access controls, clarification of possible compliance violations through internal compliance investigations (e.g. documentation of behavior contrary to antitrust law), prevention of criminal acts, regulation of damage resulting from the business relationship, efficient and fast digital processing of contract signing, the corresponding logging of the signature process for verification purposes as well as the validity check of the qualified electronic signature and other internal administrative purposes (e.g. user and contract management, project control and approval calculation, process and workflow optimization, processing in ticket systems and IT portals).

Based on consent (Art. 6 par. 1 a) GDPR)

In addition, the processing of your personal data can be based on your voluntary consent within the meaning of Art. 6 Para. 1 a) GDPR.

Categories of data

The particular personal data that are processed in each single case depends on the service contact; therefore not all parts of this specific privacy policy might be relevant to you.

We usually collect your data from you. However, it could also be necessary to process personal data about you which we obtain from other companies or tax offices due to legal regulations or legitimate interests (e.g. in the context of business partner compliance checks), Authorities, credit agencies, insolvency registers, publicly available sources (internet research) or other third parties. This also includes reports on possible compliance breach through our channels.

Relevant personal data may be:

Personal details (e.g. name, surname, address and other contact details, date and place of birth as well as nationality), legitimacy and authentication data (e.g. commercial register extracts, identification data, specimen signature), company as well as position and work department in the company, chief, data in the context of our business relationship (e.g. payment data, order data), company structure and propriety relationship, photo and video recording (e.g. for the delivery of the goods) username and user ID, compliance data (e.g. referral information, bankruptcy information, negative reports, criminal investigation information on the subject of the service) as well as other data comparable to the mentioned categories. 

When concluding a contract, we might use the data of credit agencies to verify creditworthiness. The credit agencies store data that you receive, for example, from banks or companies. This data includes: surname, first name, date of birth, address and information on payment behaviour. You can obtain information about the data that credit agencies have available about you directly from the respective credit agencies.

If you conclude a contract with us using a digital signature, we process your data in relation to this context (in particular email address, IP address, times at which you processed the respective contract document). There is also the option of signing certain contracts with a so-called qualified electronic signature. In this case, we process your signature in addition to the data mentioned. This data is accessible to everyone involved in the approval and signing of the contract.

Recipients/ categories of recipients: 

Within our company, access to your personal data is given only to those departments which need them to perform contractual or legal obligations or to fulfill legitimate interests or have been approved by you in the separate declaration of consent.

As part of the contractual relationships, to fulfill legal obligations and to safeguard legitimate interests, data processors, authorities or service providers also have access to your personal data. In this case, compliance with data protection regulations is contractually ensured. The data may also be transmitted to companies within the Schwarz Group for the performance of contractual obligations.

If you have a framework agreement with the entire Lidl or Schwarz Group as an authorized recipient of the services, the respective procurement or purchasing divisions of Lidl or Schwarz Group (Schwarz Beschendung GmbH) have access to the relevant business partner data for communication and each of Schwarz's national compliance departments has access to the data from the business partner compliance check. The basis for this is in this case Article 26 of the GDPR in the context of joint responsibility. The data will be transmitted outside our group of companies, only if we are legally obliged to do so (eg authority inquiries).

Storage duration/ Criteria for determining storage duration

The personal data will be kept for as long as necessary to fulfill the purposes mentioned above. The legal conservation obligations arising from the relevant national legislation in force are also important at this point. In individual cases, the data can also be stored (eg in the case of construction documents). 

Obligation to provide data

As part of our business relationship with our Partners (who you are in some way associated with) you must, in some cases, provide the personal data necessary for us to establish, execute and/or terminate a business relationship and to perform all necessary obligations, which we are required to do by law or authorized to do due to in terms of our legitimate interests. Without this data we will normally be unable to enter into and/or manage a business relationship with you and/or the entity you represent.

Data transfer to third countries

Should we transfer personal data to recipients outside the European Union (EU) or European Economic Area (EEA), this shall occur exclusively if the EU Commission has identified an appropriate level of data protection in the third country, an appropriate data protection level has been agreed with the recipient (for example through EU standard contractual clauses) or if you have given us your consent.

12.1 Overview

Apart from the right to withdraw the consent you provided to us, you also have the following rights, as long as the legal requirements are in place in each case: 

• the right to access regarding your own personal data that we store in accordance with Article 15 of the GDPR,
• the right to correct incorrect or supplement incorrect data in accordance with Article 16 of the GDPR,
• the right to delete your data which we have stored in accordance with Article 17 of the GDPR,
• the right to limit the processing of your data in accordance with Article 18 of the GDPR,
• the right to data portability in accordance with Article 20 of the GDPR,
• the right to object in accordance with Article 21 of the GDPR.

12.2 The right to access in accordance with Article 15 of the GDPR

You have the right to be informed following a request and at no cost, in accordance with Article 15, paragraph 1 of the GDPR, regarding the personal data we have stored regarding your person. Specifically, this includes:

• the aims of the personal data processing,
• the relevant categories of personal data that we process,
• the recipients or the categories of recipients with whom your personal data are being shared or will be shared,
• if possible, the time period for which your personal data will be stored or, if this is not possible, the criteria that determine the period in question,
• the existence of the right to request from the party responsible for the processing to correct or delete personal data or limit the processing of personal data that concern the data subject or the right to object to the specific processing,
• the right to file a complaint with a regulating authority,
• all available information regarding the origin of personal data, when they are not collected from the data subject,
• the existence of automated decision making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and, at least in these cases, significant information regarding the reasoning followed, as well as the importance and the envisaged consequences of the specific processing for the data subject.

When personal data are transferred to a third country or an international organisation, the data subject has the right to be informed regarding the appropriate guarantees, in accordance with Article 46 of the GDPR regarding transfers.

12.3 The right to rectification under Article 16 of the GDPR

You have the right to demand from us without unjustifiable delay to rectify inaccurate personal data concerning you. Keeping in mind the aims of the processing, you have the right to demand that incomplete personal data will be completed, including by means of providing a supplementary statement.

12.4 The right to erasure ('right to be forgotten') under Article 17 of the GDPR

You have the right to ask us to delete personal data without undue delay, if one of the following reasons is in effect:

• the personal data are no longer necessary in relation to the aims for which they were  collected or submitted in a different way for processing,
• you withdraw your consent on which processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing,
• you object to the processing in accordance with Article 21(1) or (2) of the GDPR and there are no urgent and legal reasons for the processing in accordance with Article 21(2) of the GDPR,
• the personal data have been submitted for processing illegally,
• the personal data must be deleted in order to meet a legal obligation
• the personal data have been collected in relation to the contribution of the services of the information society mentioned in Article 8(1) of the GDPR.

When we have published personal data and we are obligated to delete them, taking into account the technology available and the application cost, we will take reasonable measures to inform the third parties that are processing your personal data that you have demanded and requested from them the deletion of any links with that data or copies or reproductions of said personal data.

12.5 The right to restriction of processing in accordance with Article 18 of the GDPR

You have the right to request from us the restriction of processing when one of the following requirements is met:

• you question the accuracy of the personal data,
• the processing is unlawful and you are asking for a restriction of the use of the personal data rather than their deletion,
• the party in charge of processing no longer requires the personal data for processing reasons, but the data are required by the data subject for the foundation, application and support of legal claims,
• or if you have objections to the processing in accordance with Article 21(1) of the GDPR, pending verification of the degree to which the lawful reasons of the party in charge of processing overrule the reasons of the data subject.

12.6 The right to data portability in accordance with Article 20 of the GDPR

You have the right to receive personal data pertaining to you and which you have provided to us in a structured, commonly used and machine-readable format, as well as the right to transfer the data in question to another party responsible for processing without dispute on our part, when:

• the processing is based on consent in accordance with Article 6(1)(a) or Article 9(2)(a) or in a contract in accordance with Article 6(1)(b) of the GDPR and
• the processing is carried out by automated means.

In exercising your right to data portability you have the right to ask that your personal data be transferred directly by us to another party responsible for processing, if that is technically possible.

12.7 The right to object in accordance with Article 21 of the GDPR

Under the conditions of Article 21(1) of the GDPR you can object to the data processing for other reasons that arise from the particularity of the situation. 

The aforementioned general right to object is valid for all the aims of data processing described in the data protection terms herein, which are being processed by virtue of Article 6(1)(f) of the GDPR. In contrast to the special right to object that concerns data processing for advertisement reasons (see above, especially sections 9 and 7.5), we are obliged, in accordance with the GDPR, to apply the general right to object only if you mention the reasons of higher importance, e.g. a potential danger to life or health. Apart from that, there is the possibility to contact the relevant regulatory authority regarding Lidl Cyprus or the head of data protection of Lidl Cyprus.

13.1 The parties responsible for communication regarding questions or exercising your rights concerning data protection

For questions regarding the website or exercising your rights during the processing of your data (data protection rights) you can contact our customer service department:

https://www.lidl.com.cy/en/contact.htm

13.2 Party responsible for communication regarding data protection questions

If you have other questions regarding the processing of your data, you can address the party responsible for data protection via the party responsible for data processing.

13.3 Right to file a complaint with the regulatory authority for data protection

Furthermore, you have the right to file a complaint with the regulatory authority for data protection at any time. You can contact the regulatory authority for data protection, especially in the member-state in which you reside or at your place of work or in the place where the supposed violation has taken place or the authority of the state in which the party responsible for processing is based.

These data protection terms are in effect for data processed via LIDL Cyprus, Industrial Area, 2 Pigasou Street , CY- 7100, Aradippou - Larnaca (‘Party responsible for processing’) and for the website www.lidl.com.cy. You can contact the party responsible for data protection for Lidl Cyprus at the above address, attention of  the party responsible for data protection, or at dataprotection@lidl.com.cy.