Data Protection Terms of the Lidl App

Thank you for using the Lidl App application (hereinafter: the app) and for your interest in the data protection terms. We want you to feel safe and secure when using our app and consider the implementation of data protection as a customer-centred quality feature.

The following data protection terms provide you with information about the type and extent of personal data processing by Lidl Cyprus (for the purpose of this data protection notice referred to as "Lidl", "we" or "us"). Personal data is information that is or can be attributed directly or indirectly to you. The legal basis for data protection is, in particular, the General Data Protection Regulation (GDPR).

Overview of content

1. Summary

2. Downloading our app from the App Store

3. Using our app

4. Accessing the functions and sensors of your mobile terminal device

5. Analysis of use and advertising

6. Other features

7. Recipients outside the EU

8. Rights of data subjects

9. Contact person

10. Name and contact details of the controller and contact details of the business data protection officer

 

1. Summary

Data processing by Lidl Cyprus when using our app can be divided essentially into three categories:

When downloading our app the necessary information is transmitted to the respective App Store.
Our app needs to have access to various functions and sensors of your mobile terminal device so that you can use different features, such as finding Lidl stores in your area.
When using our app various information is exchanged between your mobile terminal device and our server. Such information concerns personal data. Information collected in this way is used inter alia

to facilitate your purchases at Lidl stores;
to improve our app, and
to display advertisements on your mobile terminal device's browser through so-called push notifications.

2. Downloading our app from the App Store

Each App Store provider (Apple App Store or Google Play) automatically processes the following data when you download our app:

the App Store username;
the e-mail address entered in the App Store;
your App Store account number;
the loading time;
payment information, and
the individual device ID number.

We do not have any influence on this data collection and are not responsible for it. More information about the data processing in question can be found in the respective App Store manager's data protection terms:

Google Play Store: https://policies.google.com/privacy?hl=el&gl=el
Apple App Store: https://www.apple.com/legal/privacy/en-ww/

3. Using our app

Data protection objectives/legal bases:

When using our app, the following are automatically forwarded to the servers without our own action:

the mobile terminal device from which you used our app;
the IP address of your mobile terminal device;
login date and time;
client request;
the http response code;
the volume of data transmitted, and
the version of the app you are using.

These are temporarily stored in a log for the following purposes:

protecting our systems;
error analysis;
abuse or fraud prevention.

The legal basis of the IP address processing is Article 6(1)(f) of the GDPR. Our legitimate interest derives from the above-mentioned purposes of data processing.

Storage duration/criteria for setting the storage duration:

The data is stored for a period of fourteen days and then deleted automatically.

4. Accessing the functions and sensors of your mobile terminal device

Data protection objectives/legal bases:

Locations

If you have given your consent to the use of so-called "geolocation" when using our app or the settings of your mobile terminal device through the "allow access" box, we will use this feature so we can provide you with personalised services related to your current location. We process your location as part of the "find a store" feature via GPS and network so we can show you the store that is closer to you.

Photos/media/data on your mobile terminal device/USB storage contents (read, modify, delete)

When you create a shopping list through our app, it is stored directly on your mobile terminal device or on a connected storage medium, regardless of where your app is installed and the available storage space.

Wireless network connection information

Our app uses your mobile terminal device's wireless network to establish a connection to the Internet

Other features or sensors on the device

By accessing the other features and sensors of your mobile terminal device, our app can in particular retrieve data from the internet and process error messages. In addition, the app can run on startup and the device's idle state can be deactivated. Once you have given the required consent, the app can send you push notifications to update you on current offers and promotions.

The legal basis for processing your locations is your consent under Article 6(1)(a) of the GDPR.

Storage duration/criteria for setting the storage duration:

Your location information is deleted after closing our app.

5. Analysis of use and advertising

Data protection objectives/legal bases:

We create "pseudonymised" profiles for the purpose of improving the functions of our app and our offer, as well as for their marketing. The legal basis is Article 6(1)(f) of the GDPR. Appropriate configuration and continuous optimisation of our app is in our own and in your own interest as it aims to improve the purchase experience and to avoid the display of irrelevant advertisements and is therefore justified within the meaning of the aforementioned provisions. We use the following services for use analysis and advertising purposes:

Google Analytics

Our application uses Google Analytics, a Google LLC ("Google") service for analysing user behaviour. Google processes the following information:

the mobile terminal device from which you used our app;
the type and version of your browser;
the operating system you are using;
the IP address;
the time of submitting the request to the server.

The information is used for

the evaluation of use of our application;
compiling reports on actions running through the application, and
the provision of other services when using the application or the Internet related to the purposes of market research and the appropriate configuration of those webpages.

IP addresses are "anonymised" so that they cannot be correlated (so-called IP-Masking). You can object to the use of Google Analytics at any time by choosing the "Legal Advice/Tracking" menu with effect for the future.

adjust

Our application also uses the adjust analysis service, a product of the adjust GmbH company. When you use our app, adjust stores the installation and event data (e.g., application use). In this way, we can understand how you interact with our app. In addition, we can analyse and improve our advertising campaigns through mobile phones. Adjust uses

the IDFA (ad ID No = ad ID No on iOS devices), or the Android ad ID for the analysis in question;
the IP-/MAC address;
the HTTP header, and
the fingerprint of your mobile terminal device (including: time of entry, country, language, local settings, operating system and its version, as well as the app version).

This data is anonymised prior to processing for the above-mentioned purposes, i.e. to make it impossible for us or adjust to identify you through such data.

You can always reset or deactivate the IDFA and Android ad ID on your operating system at any time.

If you do not wish to be tracked by adjust, you can object to it in the "Legal advice/Tracking" menu of this application with effect for the future.

Recipients/categories of recipients:

The user information generated by Google Analytics is usually transmitted and stored to a server of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043 in the USA. In no case will your IP address be maintained with other Google data. Usage information created by adjust is transmitted and stored to the server of adjust GmbH, Saarbrücker Str. 38a, 10405 Berlin. This information may be transmitted to third parties on a case-by-case basis, if this is legally permissible or if third parties process such data on request and in accordance with the instructions given.

Storage duration/criteria for setting the storage duration:

After your personal data is anonymised it is impossible to draw conclusions about you. Data recorded for statistical purposes is deleted by Google Analytics and by adjust programs after 26 months. Reports created by Google Analytics or adjust no longer contain any personal reference.

Right to object/opt out

If you do not wish to be tracked, you can always object at any time to all of the above or some of the tracking actions for future detection as follows:

For Google Analytics and adjust: by disabling the corresponding option in the app's "Legal Tips / Tracking" menu.

6. Other features

Webpages you can view through the embedded application browser

When you run another feature through our app or choose special offers, you will be directed through the embedded app browser (iOS: Safari/ Android: Chrome) to the corresponding sub pages of the www.lidl.com.cy webpage or to affiliate webpages to which you will be transferred. The app service and the web content which you can download to the embedded app browser may contain links to other webpages.

When you visit webpages through the embedded app browser (for example, via hyperlinks), your personal data is processed by those webpages in a different way from the one provided for in these data protection terms. These data protection terms apply only to this app. Please review the data protection terms of the linked webpages. We are not responsible for any third party content which has been made available to you through the links and has distinct markings, nor do we consider this content as ours. The provider of the webpage to which you have been transferred shall be solely responsible for illegal, inaccurate or incomplete content as well as losses caused by the use or non-use of the information.

7. Recipients outside the EU

Except for the processing by Google Analytics, described in item 5, we do not transfer your data to recipients located outside the European Union or the European Economic Area. The above data processing involves data transfer to Google Inc.'s servers in the USA. By decision of 12.7.2016, the European Commission ruled, regarding the USA, that there is a reasonable level of data protection based on the EU-US Privacy Shield rules (so-called "adequacy decision" in accordance with Article 45 of the GDPR). Our service provider is Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, which is certified in accordance with the EU-US Privacy Shield.

8. Rights of data subjects

8.1 Overview

In addition to the right to withdraw the consent you have given us, you also have the following rights, provided the legal requirements are met:

Right to access your stored personal data pursuant to Article 15 of the GDPR;
Right to rectify erroneous or inaccurate data in accordance with Article 16 of the GDPR;
Right to erase your personal data stored in accordance with Article 17 of the GDPR;
Right to restrict processing of your data in accordance with Article 18 of the GDPR;
Right to data portability in accordance with Article 20 of the GDPR;
Right to object in accordance with Article 21 of the GDPR.

8.2 Right of access in accordance with Article 15 of the GDPR

You have the right to be informed free of charge, at your request, in accordance with Article 15(1) of the GDPR, of ​​the personal data we have stored for you. The information shall in particular concern:

the purposes of the processing of personal data;
the categories of personal data we process;
the recipients or categories of recipients to whom your personal data have been or will be disclosed;
the period for which your personal data will be stored or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the existence of the right to lodge a complaint with a supervisory authority;
any available information about their origin when personal data are not collected by the data subject;
the existence of an automated decision-making process including profiling provided for in Article 22(1) and (4) of the GDPR and, at least in these cases, significant information on the rationale followed and the significance and foreseeable consequences of the processing in question for the data subject.

Where personal data is transmitted to a third country or an international organisation, the data subject shall have the right to be informed, in accordance with Article 46 of the GDPR of ​​the existence of appropriate safeguards on such transfer.

8.3 Right to rectification in accordance with Article 16 of the GDPR

You have the right to ask us to immediately rectify any inaccuracy in your personal data. Taking into account the purposes of the processing, you have the right to ask for any incomplete personal data to be filled in, including by means of a supplementary declaration.

8.4 Right to erasure in accordance with Article 17 of the GDPR

You have the right to ask us to immediately erase the personal data concerned if one of the following reasons is true:

your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you withdraw your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal ground for processing;
you object to processing under Article 21(1) or (2) of the GDPR and there are no compelling legitimate grounds for the processing in accordance with Article 21(1) of the GDPR;
the personal data were illegally processed;
the personal data must be erased in order to comply with a legal obligation;
the personal data have been collected in connection with the provision of information society services in accordance with Article 8(1) of the GDPR.

When we have published your personal data and are obliged to erase it, taking into account available technology and application costs, we will take reasonable steps to inform third parties processing your personal data that you require and ask them to erase any links with such data or copies or reproductions of such personal data.

8.5 Right to restrict processing in accordance with Article 18 of the GDPR

You have the right to ask us to restrict processing when one of the following conditions is true:

you question the accuracy of personal data;
processing is illegal and, instead of erasure, you are requesting restriction of use of personal data;
the data controller no longer requires personal data for the purpose of processing, but such data is required by the data subject to establish, exercise or support legal claims, or
you have objections to processing pursuant to Article 21(1) of the GDPR, pending verification that the legitimate grounds of the controller override the data subject's grounds.

8.6 Right to data portability in accordance with Article 20 of the GDPR

You have the right to receive the personal data provided to us in a structured, commonly used and machine readable format, as well as the right to transfer such data to another controller without objection by us when:

processing is based on consent in accordance with Article 6(1)(a) or Article 9(2)(a) or a contract in accordance with Article 6(1)(b) of the GDPR, and
processing is carried out by automated means.

When exercising the right to data portability, you have the right to request that personal data be transmitted directly from us to another controller, if this is technically feasible.

8.7 Right to object in accordance with Article 21 of the GDPR

You may object to data processing for other reasons resulting from the specificity of the situation, under the conditions of Article 21(1) of the GDPR

The above general right to object applies to all data processing purposes described in these data protection terms, regarding data which is processed pursuant to Article 6(1)(f) of the GDPR. Unlike the special right to object to data processing for advertising purposes (see above, in particular points 9 and 7.6), we have an obligation to apply the general right to object under the GDPR only if you state to us grounds of overriding importance, e.g. a potential risk to life or health. In addition, you can contact the supervisory authority responsible for Lidl Cyprus or the data protection officer of Lidl Cyprus.

9. Contact person

9.1 Contact person for enquiries or for exercising your rights in relation to data protection

For enquiries regarding the webpage or the Lidl app or for exercising your rights when processing your data (data protection rights), you can contact customer service:

https://www.lidl.com.cy/en/contact.htm

9.2 Contact person for enquiries regarding data protection

If you have any other enquiries about processing your data, you can contact your business data protection officer of Lidl Cyprus (see Point 10).

9.3 Right to lodge a complaint with the supervisory data protection authorities

In addition, you have the right to lodge a complaint at any time with the competent data protection supervisory authority. You can contact the data protection supervisory authority, in particular in the Member State where you have your habitual residence or place of work or the place where the suspected infringement has been committed or the authority of the State where the controller is located.
 
10. Name and contact details of the controller and contact details of the business data protection officer

These data protection terms apply to data processing via LIDL Cyprus, Industrial Area, Emporiou Street 19, CY- 7100, Aradippou - Larnaca ("Controller") including the lidl app. You can contact the business data protection officer of Lidl Cyprus at the above address, attention Data Protection Officer or at dataprotection@lidl.com.cy.