Contractual relationships with business partners
The following data protection notice apply to you if you are a business partner of Lidl or its legal representative, employee, shareholder (where applicable) of the business partner or financial beneficiary. The business partners are legal or natural persons who are in negotiations with Lidl for the establishment of a business relationship or who are already parties in a corresponding business relationship with Lidl. Employment or training contracts are expressly excluded.
Purposes of data processing/ legal basis
To fulfill our contractual obligations (Art. 6 par. 1 b) GDPR)
If you, as a natural person, are a business partner of Lidl, the purposes of the data processing result from the implementation of pre-contractual measures, which precede a contractually regulated business relationship and in the fulfilment of the obligations under contract.
To comply with our legal obligation (Art. 6 par. 1 c) GDPR)
In addition, the processing of personal data in the business partner context may be necessary in individual cases to meet legal requirements. The specific purposes of data processing then result from the relevant legal requirements. These legal obligations include the fulfillment of storage and identification obligations, for example within the framework of anti-money laundering prescriptions, tax control and reporting obligations as well as data processing in the context of requests from relevant authorities or compliance checks in conjunction with the relevant mandatory laws.
To fulfill our legitimate interests (Art. 6 par. 1 f) GDPR)
If you are an employee, legal representative (e.g. managing director or authorized signatory), shareholder or beneficial owner of one of our business partners, we collect and process your above data in the context of the business partner relationship to fulfill our legitimate interests.
The legitimate interests here are in particular the selection of suitable business partners, the implementation of social audits to check compliance with social standards, the implementation of surveys on evaluations of company, the processing of contact details for contact persons, the assignment of work results to individual business partners, the booking of business transactions, negotiating with contact persons who are not or will not be direct business partners as well as processing as part of the digitization process. Other legitimate interests are the invitation to events, exercise of legal claims and avoidance of legal disadvantages (e.g. in the case of bankruptcies), legitimation checks, defense against dangers and liability claims and avoidance of legal risks and economic disadvantages, detection and processing of potentially harmful e-mails, physical and logistical access controls, clarification of possible compliance violations through internal compliance investigations (e.g. documentation of behavior contrary to antitrust law), prevention of criminal acts, regulation of damage resulting from the business relationship, efficient and fast digital processing of contract signing, the corresponding logging of the signature process for verification purposes as well as the validity check of the qualified electronic signature and other internal administrative purposes (e.g. user and contract management, project control and approval calculation, process and workflow optimization, processing in ticket systems and IT portals).
Based on consent (Art. 6 par. 1 a) GDPR)
In addition, the processing of your personal data can be based on your voluntary consent within the meaning of Art. 6 Para. 1 a) GDPR.
Categories of data
We usually collect your data from you. However, it could also be necessary to process personal data about you which we obtain from other companies or tax offices due to legal regulations or legitimate interests (e.g. in the context of business partner compliance checks), Authorities, credit agencies, insolvency registers, publicly available sources (internet research) or other third parties. This also includes reports on possible compliance breach through our channels.
Relevant personal data may be:
Personal details (e.g. name, surname, address and other contact details, date and place of birth as well as nationality), legitimacy and authentication data (e.g. commercial register extracts, identification data, specimen signature), company as well as position and work department in the company, chief, data in the context of our business relationship (e.g. payment data, order data), company structure and propriety relationship, photo and video recording (e.g. for the delivery of the goods) username and user ID, compliance data (e.g. referral information, bankruptcy information, negative reports, criminal investigation information on the subject of the service) as well as other data comparable to the mentioned categories.
When concluding a contract, we might use the data of credit agencies to verify creditworthiness. The credit agencies store data that you receive, for example, from banks or companies. This data includes: surname, first name, date of birth, address and information on payment behaviour. You can obtain information about the data that credit agencies have available about you directly from the respective credit agencies.
If you conclude a contract with us using a digital signature, we process your data in relation to this context (in particular email address, IP address, times at which you processed the respective contract document). There is also the option of signing certain contracts with a so-called qualified electronic signature. In this case, we process your signature in addition to the data mentioned. This data is accessible to everyone involved in the approval and signing of the contract.
Recipients/ categories of recipients:
Within our company, access to your personal data is given only to those departments which need them to perform contractual or legal obligations or to fulfill legitimate interests or have been approved by you in the separate declaration of consent.
As part of the contractual relationships, to fulfill legal obligations and to safeguard legitimate interests, data processors, authorities or service providers also have access to your personal data. In this case, compliance with data protection regulations is contractually ensured. The data may also be transmitted to companies within the Schwarz Group for the performance of contractual obligations.
If you have a framework agreement with the entire Lidl or Schwarz Group as an authorized recipient of the services, the respective procurement or purchasing divisions of Lidl or Schwarz Group (Schwarz Beschendung GmbH) have access to the relevant business partner data for communication and each of Schwarz's national compliance departments has access to the data from the business partner compliance check. The basis for this is in this case Article 26 of the GDPR in the context of joint responsibility. The data will be transmitted outside our group of companies, only if we are legally obliged to do so (eg authority inquiries).
Storage duration/ Criteria for determining storage duration
The personal data will be kept for as long as necessary to fulfill the purposes mentioned above. The legal conservation obligations arising from the relevant national legislation in force are also important at this point. In individual cases, the data can also be stored (eg in the case of construction documents).
Obligation to provide data
As part of our business relationship with our Partners (who you are in some way associated with) you must, in some cases, provide the personal data necessary for us to establish, execute and/or terminate a business relationship and to perform all necessary obligations, which we are required to do by law or authorized to do due to in terms of our legitimate interests. Without this data we will normally be unable to enter into and/or manage a business relationship with you and/or the entity you represent.
Data transfer to third countries
Should we transfer personal data to recipients outside the European Union (EU) or European Economic Area (EEA), this shall occur exclusively if the EU Commission has identified an appropriate level of data protection in the third country, an appropriate data protection level has been agreed with the recipient (for example through EU standard contractual clauses) or if you have given us your consent.