Last revised: October 2024

Version: 2.0

Lidl Plus Data Protection Notice

1. Overview

Lidl Plus is a loyalty programme (the "Service" or "Lidl Plus") that offers you deals and discounts tailored to your interests from the companies of the Lidl Group and selected partners.

You can use Lidl Plus by registering for selected online services of the Lidl Group ("Online Services", e.g. online stores, click and collect service, apps). Please note that some functionalities are only available via the Lidl app. For example, you must identify yourself with the Lidl app at the checkout so that your purchases in Lidl stores are assigned to your Lidl Plus profile.

2. Contact details of the controller and the data protection officer

Unless otherwise stated below, Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm ("Lidl Stiftung", "we", "us") is responsible for the processing of your data in the context of Lidl Plus.

Lidl Stiftung's data protection officer can be contacted at the above postal address or at dataprotec-tion@lidlplus.com.cy.

3. Processing purposes, legal bases and recipients

3.1 Registration for Lidl Plus and account management

Purposes of data processing/legal basis

Once you have registered, you can use Lidl Plus in all connected Online Services with the same user name and password and access your customer master data, shopping history and Lidl Plus functions in your Lidl Plus account.

The following data is processed when registering for Lidl Plus:

 First name,

 Date of birth,

 Email address,

 Mobile phone number,

 Password,

 Title (optional),

 Gender (optional),

We need your date of birth, as participation in Lidl Plus requires a minimum age of 18 years (see Section 2 of the Conditions of Participation) and for certain products (e.g. alcoholic beverages) age limits under youth protection laws must be taken into account.

You can also choose to enter your address and surname in your Lidl Plus account. However, provid-ing this data is mandatory for specific functions.

If you have registered for Lidl Plus in the Lidl app, we will also process data on your preferred store. In addition to the above-mentioned data, we receive information from the Online Service you use – if available – about the payment methods stored there and your purchase and order history. You can access this data in your Lidl Plus account. You can find out which Online Services transfer your payment history to your Lidl Plus account in the Online Services' data protection notice.

We process the data collected during registration for the following specific purposes:

 Communicating with you,

 Verifying your identity as the account holder (e.g. when resetting the password),

 Uniquely assigning your purchase and usage behaviour to your customer profile.

We also use your email address to send you a notification when your account is accessed via a new device.

The following data is processed to secure the registration/login procedure:

 Email address or mobile phone number,

 IP address,

 Mouse movements,

 Length of time spent on the registration page,

 Online identifiers such as device ID,

 Browser details (browser name and version),

 Name and version of the operating system of the device on which the browser is installed,

 Network-based location of your device when you log in,

 Date and time of the registration/login attempt,

 Information on whether registration/login attempts were successful.

The legal basis for the above-mentioned data processing is Article 6(1)(b) and (f) GDPR, i.e. we pro-cess your data in order to provide you with our Services in accordance with the contract. Our legiti-mate interest is based on the purposes of data processing described above.

Recipients/categories of recipients

If you log in to Online Services as a Lidl Plus user, we pass on to the respective operator of the Online Service the data required to provide the Service you have requested. These data vary de-pending on the offer and can include:

 Verified login data (e.g. email address, password, mobile phone number),

 Master data (e.g. name, address, date of birth),

 Stored payment methods,

 Information stored in the "About me" section,

We also pass on your customer master data to those companies in the Lidl Group that you contact in the context of customer service enquiries.

3.2 Store visits

Purposes of data processing/legal basis

If you use Lidl Plus, you can either identify yourself at the till when you visit a store. In this case, we collect the following data:

 The store you have visited,

 The products you have purchased or returned by type, quantity and price,

 The coupons and vouchers you have redeemed,

 The purchase receipt amount,

 The time of the payment transaction and which means of payment you used.

The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.

In order to prevent economic damage to Lidl Group companies, we analyse your purchasing behav-iour for fraud prevention purposes. In particular, we analyse whether and how often items are returned. The legal basis for this is Article 6(1)(f) GDPR. Our legitimate interest is based on the pur-poses of processing described above.

In the event of product recalls, we will check whether you have purchased the affected product so that we can inform you of the recall. This processing is carried out to protect your health (Article 6(1)(d) GDPR) and because we have a legitimate interest in informing you of any product recalls (Article 6(1)(f) GDPR).

3.3 Determining your product interests and personalised advertising approach

Purposes of data processing/legal basis

In Lidl Plus, we determine which products, promotions and services could potentially be of interest and relevance to you. This is done in particular on the basis of the following data:

 Store purchases (e.g. products purchased or returned by type, quantity and price),

 Demographic information (e.g. age, gender, place of residence),

 Data stored in the Lidl Plus account,

 Information about life circumstances and interests, which are stored in the "About me" sec-tion,

 Activated and/or redeemed coupons,

 Participation in competitions and promotions,

 Product reservations,

 Use of our partner offers described in Section 3.9 (e.g. time, quantity, location),

 Use of the Digital Services described in Section 3.13 (e.g. information about your access au-thorisation to Services of our partners, length of use of the Services, termination date of the free month, activation and use of the discount collector for Digital Services),

 Use of functions in Lidl Plus,

In addition, the following information from Online Services is processed to determine your inter-ests:

 Usage data of the Lidl app, e.g.

o Visited app sections,

o Viewed articles,

o Version of the operating system,

o Device labelling,

o System language and selected country,

o Lidl app version used,

 Tracking data, e.g.

o advertising identifiers (iOS IDFA, Android advertising ID or Huawei ID, email address, address, mobile phone number),

o IP/MAC address,

o HTTP header,

o Fingerprint of your end device,

o Information about the use of apps and websites (links clicked on, areas visited, du-ration and frequency of use, number of clicks and scrolls),

o App and event tokens,

 Information from the Online Service of the Lidl Group companies, e.g.

o products purchased/reserved in Online Services by type, quantity and price,

o Receipt amount and time of payment,

o Payment method used,

o Participation in surveys and competitions,

o Frequency of purchase transactions,

o Web tracking data of the Online Services,

 Your usage behaviour in relation to marketing communication of Online Services, e.g.

o time at which the newsletter was opened,

o clicked links or areas,

o duration and frequency of use.

We use mathematical-statistical methods to determine your interests. For this purpose, your per-sonal data is also compared with the data of other customers. Based on this comparison, we can work out which products and campaigns are relevant for customers with similar interests.

We use this information to provide you and other customers of the Online Services with personal-ised advertising tailored to your interests and to offer you the best possible individual offers and discounts. Where possible, you will also receive personalised information about products, promo-tions, competitions, new services, customer surveys and the latest streaming, store and flower offers. We also use these findings to optimise the Lidl Plus programme.

The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.

Recipients/categories of recipients

In addition, we may transfer the data described in this paragraph to other companies in the Lidl Group or other third parties if there is a legal basis for this (in particular your consent to the use of tracking technologies in our Online Services).

3.4 Advertising optimisation measures, the store network and store design

Purposes of data processing/legal basis

If you provide us with your address as part of the registration process or at a later date in your Lidl Plus account, we will use it to optimise our advertising (e.g. leaflet distribution, poster advertising) and to optimise the store network.

This data is processed on the basis of our legitimate interest in optimising sales channels (Article 6(1)(f) GDPR).

3.5 Google reCaptcha

Purposes of data processing/legal basis

To protect our registration/login process from attacks or misuse by automated programmes (known as bots), we use Google reCaptcha. Bots are used, for example, to obtain customer ac-count passwords or to restrict the functionality of the website through mass data transfers.

Google reCaptcha determines whether the interaction with the website is by a human user or a bot. For this purpose, usage behaviour (time spent on the page or mouse movements made) is analysed and the IP address is read by Google and checked to see whether it could have been as-signed to a bot in the past. If the IP address has already been assigned to a bot, Google transmits this information to us. We then store these IP addresses for defence against future attacks. This analysis starts automatically as soon as you open the registration page.

The legal basis for this data processing is Article 6(1)(1)(f) GDPR. Our legitimate interest is based on the purposes of processing mentioned above.

Recipients/categories of recipients

When using Google reCaptcha, the above-mentioned data is also processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA to provide the Service. We have no influence over the processing and use of data by Google. Further information on data processing by Google can be found here: https://policies.google.com/privacy?hl=en.

3.6 Competitions

Purposes of data processing/legal basis

As a Lidl Plus user, you can take part in various competitions. Unless otherwise specified in the re-spective competition, your data will be used in the context of your participation in the competition in order to run the competition (e.g. determining the winner, notifying the winner, sending the prize) and for the purposes described under Section 3.3 to determine your interests as described in Section 3.3.

The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.

Recipients/categories of recipients

Apart from the above-mentioned determination of your interests and the personalised advertising approach, your data will only be passed on to companies of the Lidl Group or third parties if this is necessary to run the competition (e.g. to send the prize via a logistics company).

3.7 Reservation of products

Purposes of data processing/legal basis

If you reserve products via Lidl Plus and purchase them in-store at a later date, we process this in-formation so that you can

 purchase these later in a Lidl store,

 view a history of reservations,

 view special offers tailored to your preferences and interests as well as participate in pro-motions.

The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.

Recipients/categories of recipients

We will send a list of the reserved products and your order number to the relevant Lidl Group com-pany. The Lidl company uses this data under its own responsibility for the subsequent processing of the purchase contract.

3.8 Partner offers

Purposes of data processing/legal basis

Lidl Plus gives you the opportunity to take advantage of discounted offers from selected partners. Some of these offers require you to identify yourself as a Lidl Plus customer with your digital cus-tomer card. In this case, the partner informs us about your use of the special offer including the associated information (e.g. time, quantity, location).

If special offers are made within Lidl Plus for contracting services from our partners, we will receive your contact details (e.g. email address and mobile phone number) from them so that we can cor-rectly assign the special offer to your account.

We use the information on the use of the partner offers to determine your interests as described above and to display personalised advertising.

The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.

Recipients/categories of recipients

If you make use of partner offers via Lidl Plus, we only send the partner the information that you are a Lidl Plus user so that the partner can assign the corresponding offer to you.

4. To which other recipients do we pass on your personal data?

4.1 Overview

Your personal data will only be passed on without your prior consent in the cases mentioned in Sections 3.1 - 3.13 if this is permitted by law. This is the case, for example, if:

 we have a legitimate interest in sharing your personal data for administrative purposes within the Lidl Group and your rights and interests in protecting your personal data within the meaning of Article 6(1)(f) GDPR do not outweigh this interest

or

 we use third parties as data processors who we have carefully selected and that are con-tractually obliged to process your personal data exclusively in accordance with our instruc-tions.

4.2 Transfer within the Lidl Group

The data provided during registration will be passed on within the Lidl Group for internal adminis-trative purposes, including joint customer support.

Any disclosure of personal data is justified by the fact that we have a legitimate interest in disclos-ing the data for administrative purposes within our Group (Article 6(1)(f) GDPR).

4.3 Transfers to recipients in third countries

Under specific circumstances, it may be necessary for us to transfer your personal data to recipients in a third country or several third countries outside the European Union (EU)/the European Eco-nomic Area (EEA).

The EU Commission has certified some third countries as having a level of data protection compara-ble to the GDPR by means of an adequacy decision. You can find an overview of third countries with an adequacy decision here. For service providers based in the USA, this only applies if they are certified in accordance with the EU-US Data Privacy Framework.

If there is no adequacy decision, we secure the transfer by other measures. These can be, for ex-ample, binding company regulations, standard contractual clauses of the European Commission, certificates or recognised codes of conduct.

Unless otherwise stated, the transfer to a third country takes place either on the basis of an ade-quacy decision or one of the measures listed above. If you have any questions, please contact our data protection officer (Section 2).

5. How long do we store your personal data?

We delete or anonymise your personal data as soon as it is no longer required for the purposes stated. As a rule, we store your personal data for the duration of your participation in Lidl Plus. If you are inactive for 24 months or actively delete your Lidl Plus account, we will notify you of the pending cancellation. Within 72 hours, you have the option of reversing the cancellation by logging in again. If your data must be stored for a longer period of time due to statutory retention periods or to secure, assert or enforce legal claims, we will store your data beyond the cancellation of the account. The data will only be stored for as long as is legally permissible.

All personal data that you send us in the context of customer service enquiries will be deleted or anonymised by us no later than 90 days after the final response. Experience has shown that there are usually no more queries after 90 days. If data subjects assert their rights, personal data will be stored for three years after the final response to prove that we have provided comprehensive in-formation and complied with the legal requirements.

We store the log files in which we record your interactions with Lidl Plus (your registration, pass-word reset, etc.) for a period of up to 90 days.

6. What rights do you have with regard to the processing of your data?

You have the right to request information about the personal data stored about you free of charge in accordance with Article 15(1) GDPR.

If the legal requirements are met, you also have the right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR). If you have provided us with the processed data, you have a right to data portability in accordance with Article 20 GDPR.

If data processing is carried out on the basis of Article 6(1)(1)(e) or (f) GDPR, you have the right to object in accordance with Article 21 GDPR. If you object to data processing, this will only be contin-ued if we can demonstrate compelling legitimate grounds for further processing that outweigh your interest in objecting. You can send your objection to dataprotection@lidlplus.com.cy at any time.

If the data processing is based on consent in accordance with Article 6(1)(1)(a) or Article 9(2)(a) GDPR, you can withdraw your consent at any time with future effects without affecting the lawful-ness of the previous processing.

You also have the right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority of the country in which you live or in which the controller has its registered office is responsible.

Data protection notice on downloads

You can download the Lidl Plus data protection information as a PDF version below.