Data Protection Terms of the Lidl App

 

Thank you for using the Lidl App application (hereinafter: the app) and for your interest in the data protection terms. We want you to feel safe and secure when using our app and consider the implementation of data protection as a customer-centred quality feature.

 

The following data protection terms provide you with information about the type and extent of personal data processing by Lidl Cyprus (for the purpose of this data protection notice referred to as "Lidl", "we" or "us"). Personal data is information that is or can be attributed directly or indirectly to you. The legal basis for data protection is, in particular, the General Data Protection Regulation (GDPR).

 

Overview of content

 

1. Summary

 

2. Downloading our app from the App Store

 

3. Using our app

 

4. Accessing the functions and sensors of your mobile terminal device

 

5. Usage analysis and advertising

 

6. Re-targeting/ interest-based online advertising

 

7. Recipients outside the EU

 

8. Rights of data subjects

 

9. Contact person

 

10. Name and contact details of the controller and contact details of the business data protection officer

 

1. Summary

 

Data processing by Lidl Cyprus when using our app can be divided essentially into three categories:

When downloading our app the necessary information is transmitted to the respective App Store.
Our app needs to have access to various functions and sensors of your mobile terminal device so that you can use different features, such as finding Lidl stores in your area.
When using our app various information is exchanged between your mobile terminal device and our server. Such information concerns personal data. Information collected in this way is used inter alia

to facilitate your purchases at Lidl stores;
to improve our app, and
to display advertisements on your mobile terminal device's browser through so-called push notifications.

2. Downloading our app from the App Store

Each App Store provider (Apple App Store or Google Play) automatically processes the following data when you download our app:

the App Store username;
the e-mail address entered in the App Store;
your App Store account number;
the loading time;
payment information, and
the individual device ID number.

We do not have any influence on this data collection and are not responsible for it. More information about the data processing in question can be found in the respective App Store manager's data protection terms:

Google Play Store: https://policies.google.com/privacy?hl=el&gl=el
Apple App Store: https://www.apple.com/legal/privacy/en-ww/

 

3. Using our app

 

Data protection objectives/legal bases:

When using our app, the following are automatically forwarded to the servers without our own action:

the mobile terminal device from which you used our app;
the IP address of your mobile terminal device;
login date and time;
client request;
the http response code;
the volume of data transmitted, and
the version of the app you are using.

These are temporarily stored in a log for the following purposes:

protecting our systems;
error analysis;
abuse or fraud prevention.

The legal basis of the IP address processing is Article 6(1)(f) of the GDPR. Our legitimate interest derives from the above-mentioned purposes of data processing.

Storage duration/criteria for setting the storage duration:

The data is stored for a period of fourteen days and then deleted automatically.

 

4. Accessing the functions and sensors of your mobile terminal device

 

Data protection objectives/legal bases:

Locations

If you have given your consent to the use of so-called "geolocation" when using our app or the settings of your mobile terminal device through the "allow access" box, we will use this feature so we can provide you with personalised services related to your current location. We process your location as part of the "find a store" feature via GPS and network so we can show you the store that is closest to you.

Photos/media/data on your mobile terminal device/USB storage contents (read, modify, delete)

When you create a shopping list through our app, it is stored directly on your mobile terminal device or on a connected storage medium, regardless of where your app is installed and the available storage space.

Wireless network connection information

Our app uses your mobile terminal device's wireless network to establish a connection to the Internet.

Other features or sensors on the device

By accessing the other features and sensors of your mobile terminal device, our app can in particular retrieve data from the internet and process error messages. In addition, the app can run on startup and the device's idle state can be deactivated. Once you have given the required consent, the app can send you push notifications to update you on current offers and promotions.

The legal basis for processing your locations is your consent under Article 6(1)(a) of the GDPR.

Storage duration/criteria for setting the storage duration:

Your location information is deleted after closing our app.

 

5. Usage analysis and advertising

 

Purposes of data processing/legal bases:

In order to improve the features of our app as well as our services and the marketing of them, we create pseudonymised user profiles to determine usage behaviour, provided that you gave your consent. The legal basis for this is your given consent. We use the following services for usage analysis and advertising:

 

Google Analytics

 

Subject to your consent, this app uses Google Analytics, a service of Google LLC (“Google”), to analyse usage behaviour. Google processes the following information:

·       the mobile device on which you start our app

·       browser type and version

·       operating system used

·       IP address

·       time of the server request.

The information is used to

·       evaluate the use of our app

·       compile reports about app activities

·       provide additional services associated with the use of the app and the internet for the purposes of market research and the design of these websites in accordance with requirements.

The IP addresses are anonymised so that no association is possible (“IP masking”). You can withdraw your consent to the use of Google Analytics in the “Legal Notice/Tracking” menu item of this app at any time with effect for the future.

 

adjust

 

Subject to your consent, our app also uses the adjust analysis service, a product of adjust GmbH. When you install our app, adjust stores installation and event data (e.g. usage of the app). This allows us to understand how you interact with our app. It also allows us to analyse and improve our mobile advertising campaigns. For this analysis, adjust uses

·       the IDFA (Identifier for Advertising on iOS devices) or the Android Advertising ID

·       the IP/MAC address

·       the HTTP header

·       a fingerprint of your device (additionally: time of access, country, language, local settings, operating system and version as well as the app version)

·       user device and web activity information,

·       app and event token

Adjust transfers this data to our service providers Google LLC (“Google”) and Facebook, Inc (“Facebook”). If Google and Facebook can use this information to identify you, they will provide information to adjust about the advertising campaign that led you to the app store and the way you acted there (especially whether you completed or cancelled the download or  along with similar information). adjust uses this information to create anonymous statistics so that we can track the success of individual advertising campaigns.

You can reset or disable the IDFA and the Android Advertising ID at any time on your device.

If you no longer wish to be tracked by adjust, you can withdraw your consent at any time in the “Legal Notice/Tracking” menu of this app with effect for the future.

Push notification via Accengage

If you have enabled the relevant feature in our app or on your mobile device, we will send you push notifications (messages on your mobile device that are displayed on the lock screen, the home screen and when other apps are running without opening our app). A click/tap on the push message will open our app, if it is not yet open, and display the message in the app. Showing push notifications is based on our legitimate interest in carrying out direct advertising. We use the Accengage tool from Accengage SAS to create and show these push notifications. This tool creates – subject to your given consent – pseudonymised usage profiles based on the following data and assigns them to unique identification numbers:

·       Apple IDFA (Identifier for Advertisers; identification number on the iOS operating system for advertising purposes),

·       Google GAID (Google Advertising ID; identification number on the Android operating system for advertising purposes),

·       Push notification token

·       Mobile session ID

·       Usage behaviour within the app (which areas of the app you visit and which links you use there).

This information is analysed by Accengage using an algorithm to provide targeted product recommendations as push notifications. Under no circumstances will this data be used to personally identify you. By default, no user profiles are created with your personal data.

You can reset or disable the IDFA and the Android Advertising ID at any time on your device.

Should you no longer wish to receive push notifications from us, you can stop receiving our push notifications by disabling them

·       completely in the system settings for push notifications on your mobile device, or

·       in the “Push notifications” menu item in our Android app.

If you do not want Accengage to create profiles of push notifications, you can withdraw your consent at any time in the “Legal Notice/Tracking” menu item of this app with effect for the future.

Recipients/categories of recipients:

The information generated by Google Analytics about your usage is usually transferred to a server of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 in the USA and stored there. Under no circumstances will your IP address be aggregated with other data from Google. The information generated by adjust about your usage is transferred to and stored on the servers of adjust GmbH, Saarbrücker Str. 38a, 10405 Berlin. The information generated by Accengage about your usage is transferred to and stored on the servers of Accengage SAS, 31 Rue du 4 Septembre F-75002 Paris, France. This information may also be transferred to third parties if required by law or if third parties process this data on behalf of us in accordance with our instructions.

Storage period/criteria for determining the storage period:

After the anonymisation of your personal data, it is no longer possible to identify you personally. The statistically processed data will be deleted in Google Analytics, adjust and Accengage after 26 months. There will no longer be any personal reference in reports created on the basis of Google Analytics, adjust or Accengage.

 

6. Re-targeting/ interest-based online advertising

 

Purposes of data processing/legal bases:

Subject to your consent, we use re-targeting technologies from a variety of providers. This enables us to make our online services more interesting for you.

Our app processes the following advertising IDs:

·       Apple IDFA (Identifier for Advertisers; identification number on the iOS operating system for advertising purposes), and

·       Google GAID (Google Advertising ID; identification number on the Android operating system for advertising purposes).

For “re-targeting”, information about your internet usage (e.g. articles viewed) is collected for marketing purposes, stored with reference to the advertising ID and analysed using an algorithm. Subsequently, targeted product recommendations can be shown as personalised advertising banners for our products on our partners’ websites and mobile apps.

Under no circumstances can this data be used to personally identify the user of our mobile app. No personal data is processed and no usage profiles are aggregated with personal data.

This data processing is carried out on the basis of your given consent. With the targeting measures we use, we want to make sure that you only receive advertising focused on your interests.

Please also note that some third-party mobile applications use a technical feature called “webview” that allows developers to display web applications or web pages directly in their application – without leaving the app and opening a browser. A webview can be independent to both your browser and app settings. We therefore recommend that you also disable re-targeting services in this specific setting if you do not want to receive re-targeting ads.

Storage period/criteria for determining the storage period:

The information processed for re-targeting purposes is automatically deleted or anonymised after 13 months.

 

7. Recipients outside the EU

 

Except for the processing by Google Analytics, described in item 5, we do not transfer your data to recipients located outside the European Union or the European Economic Area. The above data processing involves data transfer to Google Inc.'s servers in the USA. By decision of 12.7.2016, the European Commission ruled, regarding the USA, that there is a reasonable level of data protection based on the EU-US Privacy Shield rules (so-called "adequacy decision" in accordance with Article 45 of the GDPR). Our service provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, which is certified in accordance with the EU-US Privacy Shield.

 

8. Rights of data subjects

 

8.1 Overview

 

In addition to the right to withdraw the consent you have given us, you also have the following rights, provided the legal requirements are met:

Right to access your stored personal data pursuant to Article 15 of the GDPR;
Right to rectify erroneous or inaccurate data in accordance with Article 16 of the GDPR;
Right to erase your personal data stored in accordance with Article 17 of the GDPR;
Right to restrict processing of your data in accordance with Article 18 of the GDPR;
Right to data portability in accordance with Article 20 of the GDPR;
Right to object in accordance with Article 21 of the GDPR.

 

8.2 Right of access in accordance with Article 15 of the GDPR

 

You have the right to be informed free of charge, at your request, in accordance with Article 15(1) of the GDPR, of the personal data we have stored for you. The information shall in particular concern:

the purposes of the processing of personal data;
the categories of personal data we process;
the recipients or categories of recipients to whom your personal data have been or will be disclosed;
the period for which your personal data will be stored or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the existence of the right to lodge a complaint with a supervisory authority;
any available information about their origin when personal data are not collected by the data subject;
the existence of an automated decision-making process including profiling provided for in Article 22(1) and (4) of the GDPR and, at least in these cases, significant information on the rationale followed and the significance and foreseeable consequences of the processing in question for the data subject.

Where personal data is transmitted to a third country or an international organisation, the data subject shall have the right to be informed, in accordance with Article 46 of the GDPR, of the existence of appropriate safeguards on such transfer.

 

8.3 Right to rectification in accordance with Article 16 of the GDPR

 

You have the right to ask us to immediately rectify any inaccuracy in your personal data. Taking into account the purposes of the processing, you have the right to ask for any incomplete personal data to be filled in, including by means of a supplementary declaration.

 

8.4 Right to erasure in accordance with Article 17 of the GDPR

 

You have the right to ask us to immediately erase the personal data concerned if one of the following reasons is true:

your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you withdraw your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal ground for processing;
you object to processing under Article 21(1) or (2) of the GDPR and there are no compelling legitimate grounds for the processing in accordance with Article 21(1) of the GDPR;
the personal data were illegally processed;
the personal data must be erased in order to comply with a legal obligation;
the personal data have been collected in connection with the provision of information society services in accordance with Article 8(1) of the GDPR.

When we have published your personal data and are obliged to erase it, taking into account available technology and application costs, we will take reasonable steps to inform third parties processing your personal data that you require them to erase any links with such data or copies or reproductions of such personal data.

 

8.5 Right to restrict processing in accordance with Article 18 of the GDPR

 

You have the right to ask us to restrict processing when one of the following conditions is true:

you question the accuracy of personal data;
processing is illegal and, instead of erasure, you are requesting restriction of use of personal data;
the data controller no longer requires personal data for the purpose of processing, but such data is required by the data subject to establish, exercise or support legal claims, or
you have objections to processing pursuant to Article 21(1) of the GDPR, pending verification that the legitimate grounds of the controller override the data subject's grounds.

 

8.6 Right to data portability in accordance with Article 20 of the GDPR

 

You have the right to receive the personal data provided to us in a structured, commonly used and machine readable format, as well as the right to transfer such data to another controller without objection by us when:

processing is based on consent in accordance with Article 6(1)(a) or Article 9(2)(a) or a contract in accordance with Article 6(1)(b) of the GDPR, and
processing is carried out by automated means.

When exercising the right to data portability, you have the right to request that personal data be transmitted directly from us to another controller, if this is technically feasible.

 

8.7 Right to object in accordance with Article 21 of the GDPR

 

You may object to data processing for other reasons resulting from the specificity of the situation, under the conditions of Article 21(1) of the GDPR.

The above general right to object applies to all data processing purposes described in these data protection terms, regarding data which is processed pursuant to Article 6(1)(f) of the GDPR. Unlike the special right to object to data processing for advertising purposes (see above, in particular points 9 and 7.6), we have an obligation to apply the general right to object under the GDPR only if you state to us grounds of overriding importance, e.g. a potential risk to life or health. In addition, you can contact the supervisory authority responsible for Lidl Cyprus or the data protection officer of Lidl Cyprus.

 

9. Contact person

 

9.1 Contact person for enquiries or for exercising your rights in relation to data protection

 

For enquiries regarding the webpage or the Lidl app or for exercising your rights when processing your data (data protection rights), you can contact customer service:

Customer Service

 

9.2 Contact person for enquiries regarding data protection

 

If you have any other enquiries about processing your data, you can contact your business data protection officer of Lidl Cyprus (see Point 10).

 

9.3 Right to lodge a complaint with the supervisory data protection authorities

 

In addition, you have the right to lodge a complaint at any time with the competent data protection supervisory authority. You can contact the data protection supervisory authority, in particular in the Member State where you have your habitual residence or place of work or the place where the suspected infringement has been committed or the authority of the State where the controller is located.
 
10. Name and contact details of the controller and contact details of the business data protection officer

 

These data protection terms apply to data processing via LIDL Cyprus, Industrial Area, Emporiou Street 19, CY- 7100, Aradippou - Larnaca ("Controller") including the Lidl app. You can contact the business data protection officer of Lidl Cyprus at the above address, attention Data Protection Officer or at dataprotection@lidl.com.cy.