1. Contact details of the controller and the data protection officer

Unless otherwise stated in the following clauses, Lidl Cyprus, 2 Pigasou Str., Aradippou, CY-7100 Larnaca, Cyprus ("Lidl Cyprus") and Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm ("Lidl Stiftung", and together with Lidl Cyprus "we", "us") are joint controllers of the processing of your data on the website https://www.lidl.com.cy/c/en-CY/ and in the Lidl app ("Services").

The data protection officers of Lidl Cyprus and Lidl Stiftung can be contacted at the above postal addresses or at dataprotection@lidl.com.cy.

2. Involvement of third parties as data processors

Unless otherwise stated, the recipients or categories of recipients named below act as data processors. They are carefully selected and contractually bound in accordance with Article 28 GDPR. This means that they may only process personal data on the basis of our instructions and not for purposes other than those stated.

3. Transfers to recipients in third countries

Under certain circumstances, it may be necessary for us to transfer your personal data to recipients in a third country or several third countries outside the European Union (EU)/the European Economic Area (EEA).

The EU Commission has certified some third countries as having a level of data protection comparable to the GDPR by means of an adequacy decision. You can find an overview of third countries with an adequacy decision here. For service providers based in the USA, this only applies if they are certified in accordance with the EU-US Data Privacy Framework.

If there is no adequacy decision, we secure the transfer by other measures. These can be, for example, binding company regulations, standard contractual clauses of the European Commission, certificates or recognised codes of conduct.

Unless otherwise stated below, the transfer to a third country takes place either on the basis of an adequacy decision or one of the measures listed above. If you have any questions, please contact our data protection officer.

4. Accessing our Services

Purposes of data processing/legal basis

When you access our Services automatically and without your intervention, your browser sends the

 IP address of the end device used,

 Date and time of access,

 Name and URL of the retrieved file,

 Website/application from which access is made (referrer URL),

 Browser and, if applicable, operating system of your end device,

 Name of your access provider

to our server and temporarily stores them in a log file for the following purposes:

 To ensure a smooth connection set-up,

 To ensure convenient/appropriate use of our website/application,

 To evaluate system security and stability.

If you agree to geolocalisation on your end device, we process your real-time location data when you use certain functions of our Services (e.g. displaying the location of the nearest Lidl store in the store finder).

The legal basis for data processing is Article 6(1)(1)(f) GDPR. Our legitimate interest lies in the correct presentation of our Services, the protection of our systems and the prevention of unauthorised access to our website. If the presentation serves to prepare a contract, the legal basis for data processing is Article 6(1)(b) GDPR.

Storage period/criteria for determining the storage period

The log files are stored for a period of seven days and then automatically deleted.

5. Contact form, email contact, telephone calls, social media and customer surveys

Purposes of data processing/legal basis

Personal data that you provide to us when filling out contact forms, by telephone, by email or via social media will only be used for the purpose of processing your enquiry.

If you take part in one of our customer surveys, you do so voluntarily. In these anonymous surveys, no information is stored that allows conclusions to be drawn about the participants. Only the date and time of your participation will be saved. You can specify your details using free-text fields or by creating screenshots. You can also voluntarily agree to be invited to participate in user studies on a regular basis. These are conducted by telephone interviews, written surveys or tests on the user-friendliness of our applications. For this purpose, we store your first name, surname and email address. Any additional personal information you provide in surveys or user studies will be considered to have been provided voluntarily and will be stored in accordance with the GDPR. When using free-text fields and screenshots, please refrain from submitting personal data about yourself or another individual.

The legal basis for data processing is Article 6(1)(f) or Article 6(1)(b) GDPR. Our and your concurrent (legitimate) interest in this data processing arises from the aim of answering your enquiries, solving any problems you may have and thus maintaining and increasing your satisfaction as a customer or user of our website. If you give your consent as part of a customer survey or user study, Article 6(1)(a) GDPR is the legal basis for data processing based on consent. You can withdraw this consent at any time with effect for the future. Further details on this are set out in the data protection notices of the customer surveys and user studies. The legal basis for the processing of data protection requests is Article 6(1)(c) GDPR, as this is necessary to comply with legal obligations.

If you identify yourself as a Lidl Plus customer, the responsible Lidl company will receive your contact details, which are required for the customer service department to process an enquiry or for a product-specific enquiry with suppliers. The legal basis for this is Article 6(1)(b) GDPR.

Recipients/categories of recipients

When answering your enquiries and analysing customer surveys, your data will also be processed on our behalf by data processors from the customer service department and customer survey department.

If necessary to process your complaint, the data you provide may be passed on to companies within the Lidl Group. If your customer service enquiry leads to a further request, we will use your previously collected data for this request so that you do not have to enter your data again.

In order to process your complaint, it may also be necessary to pass on your contact details to our service partners, who will contact you regarding the next steps (e.g. arranging a collection or repair appointment). We will inform you of the name of the specific service partner as part of our communication. The transfer of data is necessary to fulfil warranty claims and thus to perform the contractual relationship with you in accordance with Article 6(1)(b) GDPR.

Storage period/criteria for determining the storage period

We will delete or anonymise all personal data that you provide to us in response to enquiries (suggestions, praise or criticism) no later than 95 days after the final response. Experience has shown that there are usually no more queries after 95 days. If you assert your rights as a data subject under data protection law, your personal data will be processed for the following purposes for three years after the final response to prove that we have complied with legal requirements. The storage period for personal data collected as part of customer surveys is communicated in advance as part of the specific customer survey.

6. Competitions

Controller

The controller for data processing in connection with the organisation of competitions is Lidl Cyprus, 2 Pigasou Str., Aradippou, CY-7100 Larnaca, Cyprus.

Purposes of data processing/legal basis

You have the opportunity to take part in various competitions on our website, from our newsletter or via the Lidl app. Unless otherwise specified in the respective competition, the personal data you provide to us when participating in the competition will be used exclusively for the purposes of organising the competition (e.g. determining the winner, notifying the winner, sending the prize).

The legal basis for data processing in the context of competitions is Article 6(1)(b) GDPR.

Storage period/criteria for determining the storage period

After the competition ends and the winners are announced, the participants’ personal data will be deleted. In the case of non-cash prizes, the winners’ data will be retained for the duration of the statutory warranty claims in order to arrange for rectification or replacement in the event of a defect.

7. Sending of advertising

Purposes of data processing/legal basis

You can sign up for our marketing communications on our website, in our mobile applications, the websites or mobile applications of partner companies and via embedded content on our social media presences. If you have expressly consented to receiving our Lidl marketing communications (email, SMS, WhatsApp, push notifications), we will use your email address or mobile phone number and, if applicable, your name to send you information (see Section "Advertising content"), taking into account your user profile (see Section "Personalised user profile").

In order to ensure that no errors have been made when entering the email address, we use the double opt-in procedure. After you have entered your email address in the registration field, we will send you a confirmation link. Only when you click on this confirmation link will your email address be added to our mailing list. We will do the same with your mobile phone number if you have provided it to us as part of the Lidl Plus registration process.

You can withdraw your consent to receiving marketing communications, including the creation of personalised user profiles, at any time with effect for the future, e.g. at the end of each newsletter, in your Lidl Plus account or via our customer service department at info@lidl.com.cy. When you unsubscribe, we consider your consent to the creation of this personalised user profile and the receipt of newsletters based on it to be withdrawn.

The legal basis for the aforementioned processing is Article 6(1)(f) GDPR or, if consent has been given, Article 6(1)(a) GDPR. The processing of existing customer data for our own advertising purposes or for the advertising purposes of third parties is a legitimate interest within the meaning of the first-mentioned provision.

Recipients/categories of recipients

The recipients include the operators of social networks, advertising partners and specialised service providers who process personal data on our behalf in accordance with our instructions.

If external data processors are used to carry out marketing communications, they are contractually obliged in accordance with Article 28 GDPR.

Storage period/criteria for determining the storage period

If you withdraw your consent to individual advertising measures or object to certain advertising measures, your data will be deleted from the corresponding (email) distribution lists within 48 hours for technical reasons.

If you file an objection, your contact address will be blocked for further advertising data processing. We would like to point out that in exceptional cases, advertising material may still be sent or advertising campaigns displayed temporarily even after we have received your objection. This is technically due to the necessary lead time for adverts and does not mean that we will not implement your objection.

Your registration data will then be stored for ten years as proof that we have complied with legal requirements. When registering for the newsletter on a social media site, the data protection information of the respective operator of the social media site also applies.

Further data processing for advertising purposes

Furthermore, we process data concerning you for advertising purposes using cookies and similar technologies as described in Section 9 in more detail.

7.1 Personalised user profile Section title

With your consent, we and the following operators of Lidl websites and Lidl apps, as well as the senders of Lidl newsletters, record your user behaviour:

 Lidl Cyprus

 Lidl Stiftung & Co. KG.

The evaluation of user behaviour includes the following information in particular:

 Used areas of the respective website, the mobile apps or the newsletter,

 Activated links,

 Time of opening,

 Time, duration and frequency of use,

 Participation in surveys,

 Redeemed vouchers,

 Purchase data,

 Frequency and timeliness/timing? of your store purchases when using Lidl Plus.

We use this data to create personalised user profiles by assigning your person and/or email address or mobile phone number in order to be able to better tailor advertising to your personal interests by means of newsletters, SMS, WhatsApp/push notifications, on-site advertising and print advertising, and to improve our offers and digital presence.

We can also enrich this user profile with information about your age and gender if you have given us your consent to do so.

If you have filled in the "About me" section in Lidl Plus, this data will also be used to customise our Services to your interests. The legal basis for this is Article 6(1)(b) GDPR (contract between Lidl Stiftung and you).

7.2 Advertising content

The content of our marketing communications includes information about promotions, products and services (e.g. offers, discount promotions, competitions, Lidl Plus programme benefits, streaming offers, services, surveys, product reviews) from our website, the Lidl app, store operations and from the operators of the Lidl websites and Lidl apps. These are currently in particular:

 Lidl Cyprus ( www.lidl.com.cy),

 Lidl Stiftung & Co. KG ( www.lidlplus.de).

7.3 Push notifications

Purposes of data processing/legal basis

To receive regular information on news, offers, promotions and reminders, you can register to receive push notifications.

To do this, you must confirm the request from end device to receive push notifications. The login time and a push token or your device ID are then saved. This data is used to send push notifications and as proof of registration.

The Lidl app only uses push notifications if you activate push notifications when installing the app or at a later time in the settings of your device. You can deactivate the receipt of push notifications at any time in the Lidl app.

We analyse push messages statistically in order to determine whether and when push messages were displayed and clicked on. This enables us to determine the presumed interests of the recipients and thus optimise the push messages.

The legal basis for processing your data to send push notifications is your consent in accordance with Article 6(1)(a) GDPR.

Recipients/categories of recipients

If external data processors are used to send push notifications, they are contractually obliged to do so in accordance with Article 28 GDPR.

Storage period/criteria for determining the storage period

Your data will be stored as long as you have activated push notifications.

8. Use of cookies and similar technologies to process usage data

The use of cookies and similar technologies for processing usage data (in particular local storage) means that when you visit our website ( https://www.lidl.com.cy/) and some of the web pages embedded there (in particular account.lidl.com) and the Lidl app, files are stored locally on your end device (laptop, tablet, smartphone or similar). Sometimes a so-called tag is used to display personalized advertising, which is integrated into these services (hereinafter referred to as “similar technologies for processing usage data”). This is a code that collects usage data.

8.1 Responsibility

Lidl Cyprus and Lidl Stiftung are joint controllers for most data processing in connection with the use of cookies and other similar technologies (uniformly referred to as "cookies") to process usage data on these Services.

Beyond this, the responsibility relationships are as follows:

8.2 Responsibility for cookies for self-promotion purposes

For some of the data processing associated with the marketing cookies for self-promotion (see cookies under the category "Self-promotion" in our cookie notices), in addition to us, the following are also involved: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook). They are joint controllers pursuant to Article 26 GDPR.

We use cookies and carry out associated data processing for the purposes of self-promotion. We can combine these with your age, your gender and your usage behaviour on the website or in the Lidl app to create a profile.

In addition, in this context, data in the Lidl app about you is also partially processed by the advertising partner The UK Trade Desk Ltd., c / o The Trade Desk, Inc., 42 N. Chestnut Street, Ventura, CA 93001, USA (“TTD”) as a separately responsible person for displaying personalized advertising and for measuring success. In order to be able to link your usage behavior with you, the identifiers (MAID, hashed e-mail address and / or hashed telephone number) are forwarded to TTD on the basis of your consent. You will find further information on data processing as well as how you can assert your rights as a data subject in TTD's data protection information.

We also use the Microsoft Advertising and Microsoft Clarity Services of the provider Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (Microsoft) and the Google Advertising Service of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google) for self-promotion in our Services. Microsoft and Google also process your data as part of the Microsoft and Google Advertising Services under their own responsibility.

We use the "Facebook Custom Audience" Service of Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta", "Facebook") in the Lidl app. In this respect, we are joint controllers with Meta pursuant to Article 26 GDPR.

8.3 Purposes/data processing

8.3.1 General presentation

We place cookies on your end device, by means of which the data specified below is collected and then processed for the purposes stated below.

 Technically necessary: These are cookies and similar technologies without which you cannot use our Services (for example, to display our Services correctly, including font and colour, to provide the functions you have requested and to take your settings into account, to save your registration in the login area, etc.).

 Convenience: These technologies allow us to take into account your preferences to offer you the best user experience on our website and the Lidl app. For example, we can use your settings to display our Services in a language that suits you. In this way, we also avoid showing you products that may not be available in your region.

 Statistics: These technologies enable us to compile pseudonymised/anonymised? statistics on the use of our Services. This allows us to determine, for example, how we can customise our website or the Lidl app even better to users’ habits. We use your IP address as well as online identifiers, log files and your location (based on network) to prevent misuse and to prevent and identify any security breaches and other prohibited or illegal activities. For example, if you log in from a new/unknown device, we can inform you of such a login attempt.

 Marketing - Self-promotion: This enables us and other data controllers (see above) to display suitable advertising content based on the analysis of user behaviour and information from your customer account (age, gender, store purchase data from the Lidl Plus Service, if applicable). Your usage behaviour can also be tracked via various websites, apps, browsers and end devices using a user ID (unique identifier).

Further details on the processing purposes can be found in the preferences manager.

8.3.2 Selected Services

Google Ads Customer Match:

We use the "Google Ads Customer Match" Service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Lists of user data are sent to Google servers with the help of the tracking technologies we use. Google then compares whether the transmitted user data matches data from Google customers and then creates target groups that can be used to target adverts. The adverts can be displayed within the Google network (YouTube, Gmail or within the search engine) as well as across devices (known as remarketing or retargeting).

We have concluded an order processing contract with Google for the use of Google Ads Customer Matching in accordance with Article 28(3) GDPR. Through this contract, Google guarantees that it will process the personal data in accordance with the/our instructions and guarantee the protection of data subject rights.

Information on how Google uses personal data transmitted to Google by integrating Services and on your setting options for personalised advertising and data collection can be found at here and here. General information on data processing by Google can be found in the Google Privacy Policy.

Meta/Facebook:

Facebook Custom Audience enables us to create target groups and to design and display personalised advertisements on Facebook in line with requirements.

This involves uploading lists of user data to Facebook. Facebook then compares whether the transmitted user data matches data from Facebook users and then creates target groups that can be used to target adverts on Facebook. With Custom Audience, we ensure that only people who have previously visited our app or are interested in our products are shown adverts on Facebook. Facebook also uses the data for its own advertising purposes and for the advertising purposes of third parties.

Further selected data processing in connection with self-promotion:

With your consent, we use special technologies from partners so that we can record your surfing/browsing behaviour and display advertising tailored to you on our website, the Lidl app or our partners' platform (Facebook, TDD). Our partners can also compare the data collected on these Services with their own databases.

Microsoft Advertising and Google Advertising can be used to display targeted advertisements via the Microsoft and Google networks (e.g. in search engines and email programs), optimise them and track the activities of users on our website if they have reached our website via advertisements. Microsoft Clarity can be used to track and visualise user interactions with our services.

We also use Microsoft and Google Advertising Services to collect information that allows us to track target groups using remarketing lists. Microsoft Advertising and Google Advertising can recognise that these Services have been visited and an advertisement can be displayed when Microsoft or Google networks are subsequently used. The information is also used to create conversion statistics, i.e. to record how many users have accessed these Services after clicking on an advert. This tells us the total number of users who clicked on our advert and were redirected to these Services. However, we do not receive any information with which users can be personally identified.

8.4 Data categories

When cookies and similar technologies are used to process usage data, the following types of personal data in particular are processed, depending on the purpose:

Technically necessary:

 User input to retain input across multiple subpages (e.g. selecting your preferred store in the Lidl store finder);

 Authentication data to identify a user after login in order to gain access to authorised content on subsequent visits (e.g. access to the Lidl Plus customer account);

 Security-related events (e.g. detection of frequently failed login attempts);

 Data required to playback multimedia content (e.g. playback of (product) videos selected by the user);

 Information to display our website correctly, including font and colour, to provide the functions you have requested and to take your settings into account, such as the choices you have made regarding cookies and similar technologies, to save your registration in the login area, etc.

Convenience:

 User interface customisation settings that are not linked to a permanent identifier (e.g. language selection or the specific display of search queries or maps in the store finder).

Statistics:

 Browser type/version,

 Operating system used,

 Previously visited page (referrer URL),

 Host name of the accessing computer (IP address; this is regularly anonymised so that it cannot be traced back to you),

 Time of the server request,

 Individual user ID and events triggered on the website (surfing/browsing behaviour). We only merge the user ID with other data from you (e.g. name, email address, etc.) with your express consent (see e.g. Section 8 of this Data Protection Notice). The user ID itself does not allow us to draw any conclusions about your person.

Marketing - Self-promotion:

 Information about the use of our website, in particular:

o IP address (this is regularly anonymised so that it cannot be used to identify you personally),

o Individual user ID (including cookie identifier) or other identifiers (email address, telephone number, address); we only merge the user ID with other data from you (e.g. name, email address, age, gender, etc.) with your express consent. The user ID alone does not allow us to draw any conclusions about your person. We may share the user ID and the associated user profiles with third parties via the providers of advertising networks.

o Potential product interests,

o Access information,

o Device identifiers,

o Information about device and browser settings,

o Mouse/scroll movements,

o Triggered events on the website (surfing behaviour).

 We use the following advertising identifiers for in-app analysis and the display of personalised advertising: (i) the IDFA (Identifier for Advertising) for iOS devices or (ii) the Android advertising ID or (iii) the Huawei ID, the IP/MAC address, the HTTP header as well as the email address, telephone number, address and a fingerprint of your end device (additionally: time of access, country, language, local settings, operating system and version as well as the app version). We also include user device and web activity information as well as app and event tokens in this analysis. This data is processed exclusively on a pseudonymised/anonymised basis. You can reset or deactivate the IDFA or Google GAID, the Android advertising ID and the Huawei ID at any time via your operating system. In the event that the IDFA is not available, we use the SkAdNetwork (Apple’s attribution API) to assign the installations of our app to an advertising campaign.

 Store purchasing data from the Lidl Plus loyalty programme

Specific to the Lidl app:

In order to display interest-based information to you, we must be able to assign the above-mentioned information to you as a person. For this purpose, we establish a connection to your customer number from the time you complete your Lidl Plus registration. Your consent to the provision of personalised information also covers this processing step.

8.5 Legal basis/Recipient/Storage period

Legal bases:

The legal basis for the use of convenience, statistics and marketing cookies is your consent in accordance with Article 6(1)(a) GDPR. The legal basis for the use of technically necessary cookies is Article 6(1)(b) GDPR, i.e. we process your data to provide our Services in the course of contract initiation or contract processing.

Facebook bases the processing of data for Facebook Custom Audience on the consent of Facebook users in accordance with Article 6(1)(a) GDPR and the legitimate interests of Facebook in accordance with Article 6(1)(f) GDPR in order to ensure accurate and reliable reports and accurate performance statistics for Facebook advertisers. You can find more information on this in Facebook's Privacy Policy or here. You can contact Facebook’s data protection officer here.

Recipients/categories of recipients:

As part of data processing using cookies and similar technologies for processing usage data, we may use specialist service providers, in particular from the online marketing sector. They process your data on our behalf as data processors, are carefully selected and contractually bound in accordance with Article 28 GDPR. All companies listed as providers in our cookie notice are, unless they have been named as (joint) controllers in this data protection notice, acting as data processors for us.

As part of our cooperation with Google Ireland Limited, Meta Platforms Ireland Limited, Microsoft Ireland Operations Limited, the above-mentioned data is generally also processed on servers in the USA and the UK for statistical and marketing purposes (see the separate explanations on third country transfers under Section 3).

Storage period/criteria for determining the storage period:

The storage period for cookies can be found in our cookie notices. If "persistent" is specified in the "Expiry" column, the cookie is stored permanently until the corresponding consent is withdrawn.

Your data can remain in a Facebook Custom Audience for a maximum of 180 days. After 180 days, your data belonging to the website’s custom audience will be removed if you do not visit the website again.

8.6 Cancellation/opt-out option/Further information

You can withdraw your consent at any time, for example via the preferences manager. You can report your withdrawal either to us or to those jointly responsible with us.

Website:

You can also block the technologies explained here by rejecting certain or all cookies in the cookie setting in your browser. We would like to point out that you may then not be able to use all the functions of these Services.

Lidl app:

If you wish to withdraw your consent to tracking in the Lidl app, you can do so at any time with effect for the future by doing so after completing registration via the opt-out in the app under "More" -> "Legal information" -> "Tracking".

You can object to the use of the Custom Audiences Service globally on the Facebook website. After logging in to your Facebook account, you will be taken to the settings for Facebook adverts.

You can deactivate personalised advertising with Microsoft and Google or set it individually. Details can be found on the respective support pages:

 Microsoft: https://about.ads.microsoft.com/de-de/ressourcen/richtlinien/personalisierte-anzeigen

and https://account.microsoft.com/privacy/ad-settings/signedout?lang=en-GB.

 Google: https://support.google.com/My-Ad-Center-Help/answer/12155451.

You can also find setting options for personalised advertising at https://youradchoices.com/ and here.

Further information on data processing by the companies listed below and on exercising your rights as a data subject can also be found in the following data protection policies:

 Meta (Facebook): https://de-de.facebook.com/policy.php

 Microsoft: https://www.microsoft.com/en-us/privacy/privacystatement

 Google: Privacy Policy – Privacy & Terms – Google

 The UK Trade Desk: https://www.thetradedesk.com/de/privacy

An information overview of the individual cookies and similar technologies used, together with the respective processing purposes, the respective storage period and any third-party providers involved can be found here. Further details on processing can also be found in the preferences manager.

9. Map services

9.1 Bing Maps

Purposes of data processing/legal basis

On this website we use map material from Bing Maps, a Service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA. This allows us to display interactive maps directly on the website and enables you to conveniently use the map function, e.g. to find Lidl stores in your local area.

The use of Bing Maps serves to provide an attractive presentation of our offers and an easy method of finding the places indicated by us on the website. This constitutes a legitimate interest within the meaning of Article 6(1)(f) GDPR.

When you visit our website, the provider of Bing Maps, Microsoft Corporation, receives the information that you have accessed the corresponding page of our website. To use the functions of Bing Maps, your IP address is processed as part of the Internet communication. This is usually processed on a Microsoft server in the USA.

We have no influence over the specific data processed by Bing Maps. Further information on the purpose and scope of data processing by Bing Maps can be found in the Microsoft Privacy Policy. There you will also receive further information about your rights and the setting options to protect your privacy.

9.2 Google Maps, Apple Maps, Huawei Map kit

Purposes of data processing/legal basis

In our app, you have the option of using the map service of your mobile device’s operating system to find Lidl stores in your local area, for example. This allows interactive maps to be displayed directly in the app.

In order to be able to use map services, it is necessary to process your IP address as part of the Internet communication. This is usually processed on a server of the respective operating system provider. We have no influence over the specific data processing. Further information on the purpose and scope of data processing can be found in the data protection notice of the respective provider. There you will also find further information about your rights and settings to protect your privacy.

Providers’ addresses and data protection notices:

 Google Maps

o Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland,

o Privacy Policy: https://policies.google.com/privacy?hl=en,

o Terms of Service: https://www.google.com/help/terms_maps/

 Apple Maps

o Apple Inc, One Apple Park Way, Cupertino, California, USA.

o Privacy Policy: https://www.apple.com/legal/privacy/en-ww/

o Terms of Use: https://www.apple.com/legal/internet-services/maps/terms-en.html,

 Huawei Map kit

o Huawei Aspiegel SE, 1F, Simmonscourt House, Ballsbridge, Dublin D04 W9H6, Ireland. Huawei

o Privacy Policy: https://www.huawei.com/en/privacy-policy

o Terms of use: https://developer.huawei.com/consumer/en/hms/huawei-MapKit/.

The use of map services is based on our contractual relationship with you, Article 6(1)(b) GDPR, as well as on our legitimate interest in presenting our offers in an attractive manner and making it easy to find the locations specified by us in the app. This constitutes a legitimate interest within the meaning of Article 6. If you use the map services in the Lidl app or have agreed to geolocalisation in the settings of your mobile device via the "Give permissions" dialogue, we use this function to be able to offer you individual services based on your current location. In particular, we process your GPS and network-based location for the "store search", "e-charging station search" and "partner benefits search" functions in order to show you the stores closest to you. We do not store geolocalisation data permanently.

The legal basis for the data processing described above is Article 6(1)(b) and (f) GDPR. The legitimate interest lies in presenting our offers in an attractive manner and making it easy to find the locations specified by us in the app.

10. Google reCAPTCHA

Controller

Lidl Cyprus is responsible for the data processing for Google reCAPTCHA.

Purposes of data processing/legal basis

We use Google reCAPTCHA to protect your data and the transmission of forms, in particular in the context of participating in competitions and registering for newsletters on the website, from attacks or misuse by automated programmes (known as bots). Bots are used, for example, to obtain passwords for customer accounts or to restrict the functionality of the website through mass data transfers.

Google reCAPTCHA determines whether the interaction with the website is by a human user or a bot. For this purpose, usage behaviour (time spent on the page or mouse movements made) is analysed and the IP address is read by Google and checked to see whether it could be assigned to a bot in the past. If the IP address has already been assigned to a bot, Google transmits this information to us. We then store these IP addresses for defence against future attacks. This analysis starts automatically as soon as you open the registration page.

The legal basis for this data processing is Article 6(1)(1)(f) GDPR. Our legitimate interest follows from the above-mentioned purposes of processing.

Recipients/categories of recipients

When using Google reCAPTCHA, the above-mentioned data is also processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA to provide the Service. We have no influence over the processing and use of data by Google. Further information on data processing by Google can be found here: https://policies.google.com/privacy.

11. Links to other websites and applications

Our website and the Lidl app contain links to other websites and apps operated by other Lidl companies, selected partners or other third parties. If you click on one of these links, for example in the Lidl app via an in-app banner, you will be redirected to the website/app or to your respective app store. The links may also contain special tracking techniques that enable the operators of the websites/applications mentioned to understand and measure where the user has learnt about them. We have no influence over data processing by these websites/apps. We recommend that you check the relevant privacy policy of each website/app you are redirected to in order to understand what information about you is processed by the operator.

If we redirect you to one of these websites/apps, we process your personal data in order to fulfil your (technical) request to visit the respective application or website (Article 6(1)(b) GDPR) and on the basis of the operator’s legitimate interest in carrying out advertising (Article 6(1)(f) GDPR).

12. Access to functions and sensors on your mobile device

Purposes of data processing/legal basis

Location data

If you have agreed to geolocalisation via the "Give permissions" dialogue when using the Lidl app or in the settings of your mobile device, we use this function to be able to offer you individual services based on your current location. In particular, we process your GPS and network-based location as part of the "store search" function in order to show you the stores closest to you.

Photos/media/files on your mobile device/USB memory contents (read, change, delete)

If you create a shopping list via the Lidl app, these will be saved directly in the memory of your mobile device or on a connected storage medium, depending on the installation location of the app and the available storage space.

Camera (taking pictures and videos)

The camera on your mobile device is used to scan QR codes.

WLAN connection information

The Lidl app uses your mobile device’s WLAN connection to establish a connection to the Internet.

Other device functions or device sensors

By accessing the other device functions and device sensors of your mobile device, the Lidl app is able to retrieve data from the Internet and process error messages. It also allows the Lidl app to be executed at start-up and the device’s sleep mode to be deactivated. Finally, if you have given your consent, the Lidl app can send you push notifications to inform you about current offers and promotions.

The legal basis for the processing of your location data is your consent in accordance with Article 6(1)(a) GDPR.

13. Embedded third-party content

We have integrated YouTube videos into our website, which are available at https://www.youtube.com and can be played directly from these Services. These are all integrated in "extended data protection mode", i.e. no data about you as a user is transferred to YouTube if you do not play the videos. The data is only transferred when you play the videos. We have no influence over the data processing by the operator of YouTube.

Further information on the purpose and scope of data collection and its processing by YouTube can be found in the provider’s privacy policy. There you will also find further information on your rights in this regard and setting options to protect your privacy. Address and privacy policy of YouTube: Google LLC, 1600 Amphitheatre Parkway. Mountain View, CA 94043, USA; Privacy Policy – Privacy & Terms – Google.

14. What rights do you have with regard to the processing of your data?

You have the right to request information about the personal data stored about you, free of charge in accordance with Article 15(1) GDPR.

If the legal requirements are met, you also have the right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR). If you have provided us with the processed data, you have a right to data portability in accordance with Article 20 GDPR.

If data processing is carried out on the basis of Article 6(1)(1)(e) or (f) GDPR, you have the right to object in accordance with Article 21 GDPR. If you object to data processing, this will only be continued if we can demonstrate compelling legitimate grounds for further processing that outweigh your interest in objecting. You can send your objection at any time to dataprotection@lidl.com.cy.

If the data processing is based on consent in accordance with Article 6(1)(1)(a) or Article 9(2)(a) GDPR, you can withdraw your consent at any time with effect for the future without affecting the lawfulness of the previous processing.

You also have the right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority of the state in which you live or in which the controller has its registered office is responsible.

We have presented numerous relationships of joint responsibility in accordance with Article 26 GDPR in this data protection notice. Upon your request (e.g. via the contact options specified in Section 1), we will be happy to provide you with the essentials of the respective agreement on joint responsibility. To exercise your rights as a data subject, you are welcome to contact us or – for the data processing in question – those jointly responsible with us.

Data protection notice on downloads

You can download a PDF version of the data protection notice below.