Last revised: October 2024

Version: 2.0


Lidl Plus Data Protection Notice


Contents

1. Overview 2

2. Contact details of the controller and the data protection officer 2

3. Processing purposes, legal bases and recipients 2

3.1 Registration for Lidl Plus and account management 2

3.2 Store visits 4

3.3 Determining your product interests and personalised advertising approach 4

3.4 Optimisation advertising measures, the store network and store design 5

3.5 Google reCaptcha 6

3.6 Competitions 6

3.7 Reservation of products 6

3.8 Partner offers 7

3.9 Lidl Pay 7

4. To which other recipients do we pass on your personal data? 8

4.1 Overview 8

4.2 Transfer within the Lidl Group 8

4.3 Transfers to recipients in third countries 9

5. How long do we store your personal data? 9

6. What rights do you have with regard to the processing of your data? 10


1. Overview

Lidl Plus is a loyalty programme (the "Service" or "Lidl Plus") that offers you deals and discounts tailored to your interests from the companies of the Lidl Group and selected partners.


You can use Lidl Plus by registering for selected online services of the Lidl Group ("Online Services", e.g. online stores, click and collect service, apps). Please note that some functionalities are only available via the Lidl app. For example, you must identify yourself with the Lidl app at the checkout so that your purchases in Lidl stores are assigned to your Lidl Plus profile.


2. Contact details of the controller and the data protection officer

Unless otherwise stated below, Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm ("Lidl Stiftung", "we", "us") is responsible for the processing of your data in the context of Lidl Plus.


Lidl Stiftung's data protection officer can be contacted at the above postal address or at data.controller@lidl.ie .


3. Processing purposes, legal bases and recipients


3.1 Registration for Lidl Plus and account management


Purposes of data processing/legal basis


Once you have registered, you can use Lidl Plus in all connected Online Services with the same user name and password and access your customer master data, shopping history and Lidl Plus functions in your Lidl Plus account.


The following data is processed when registering for Lidl Plus:

 First name,

 Date of birth,

 Email address,

 Mobile phone number,

 Password,

 Title (optional),

 Gender (optional),

We need your date of birth, as participation in Lidl Plus requires a minimum age of 18 years (see Section 2 of the Conditions of Participation) and for certain products (e.g. alcoholic beverages) age limits under youth protection laws must be taken into account.


You can also choose to enter your address and surname in your Lidl Plus account. However, providing this data is mandatory for specific functions.


If you have registered for Lidl Plus in the Lidl app, we will also process data on your preferred store. In addition to the above-mentioned data, we receive information from the Online Service you use – if available – about the payment methods stored there and your purchase and order history. You can access this data in your Lidl Plus account. You can find out which Online Services transfer your payment history to your Lidl Plus account in the Online Services' data protection notice.


If you have registered with our Family Club (where applicable), the information on benefits granted will also be saved and displayed in your Lidl Plus account.


We process the data collected during registration for the following specific purposes:

 Communicating with you,

 Verifying your identity as the account holder (e.g. when resetting the password),

 Uniquely assigning your purchase and usage behaviour to your customer profile.

We also use your email address to send you a notification when your account is accessed via a new device.


The following data is processed to secure the registration/login procedure:

 Email address or mobile phone number,

 IP address,

 Mouse movements,

 Length of time spent on the registration page,

 Online identifiers such as device ID,

 Browser details (browser name and version),

 Name and version of the operating system of the device on which the browser is installed,

 Network-based location of your device when you log in,

 Date and time of the registration/login attempt,

 Information on whether registration/login attempts were successful.

If you wish to use our Lidl Pay payment service (see Section 3.12 below), "two-factor authentication" will be integrated into the login process with your consent. When you register for your Lidl Plus account, a verification code will be sent to the mobile phone number or email address you registered with. This ensures that only you have access to your account, even if your password is known to third parties. Two-factor authentication can be deactivated at any time via our customer service department. In this case, you will no longer be able to use Lidl Pay.


The legal basis for the above-mentioned data processing is Article 6(1)(b) and (f) GDPR, i.e. we process your data in order to provide you with our Services in accordance with the contract. Our legitimate interest is based on the purposes of data processing described above.


Recipients/categories of recipients


If you log in to Online Services as a Lidl Plus user, we pass on to the respective operator of the Online Service the data required to provide the Service you have requested. These data vary depending on the offer and can include:

 Verified login data (e.g. email address, password, mobile phone number),

 Master data (e.g. name, address, date of birth),

 Stored payment methods,

 Information stored in the "About me" section,

 Information about your participation in the Family Club.

We also pass on your customer master data to those companies in the Lidl Group that you contact in the context of customer service enquiries.



3.2 Store visits

Purposes of data processing/legal basis


If you use Lidl Plus, you can either identify yourself at the self-checkout or at the till when you visit a store. In this case, we collect the following data:

 The store you have visited,

 The products you have purchased or returned by type, quantity and price,

 The coupons and vouchers you have redeemed,

 The purchase receipt amount,

 The time of the payment transaction and which means of payment you used.

When making purchases in Lidl stores, you can collect digital points (where applicable) and exchange them for reward coupons in Lidl Plus. The points collected are assigned to your customer number for the reward exchange. Product returns are also taken into account when calculating the number of points.


The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.


In order to prevent economic damage to Lidl Group companies, we analyse your purchasing behaviour for fraud prevention purposes. In particular, we analyse whether and how often items are returned. The legal basis for this is Article 6(1)(f) GDPR. Our legitimate interest is based on the purposes of processing described above.


In the event of product recalls, we will check whether you have purchased the affected product so that we can inform you of the recall. This processing is carried out to protect your health (Article 6(1)(d) GDPR) and because we have a legitimate interest in informing you of any product recalls (Article 6(1)(f) GDPR).


3.3 Determining your product interests and personalised advertising approach

Purposes of data processing/legal basis


In Lidl Plus, we determine which products, promotions and services could potentially be of interest and relevance to you. This is done in particular on the basis of the following data:

 Store purchases (e.g. products purchased or returned by type, quantity and price),

 Demographic information (e.g. age, gender, place of residence),

 Data stored in the Lidl Plus account,

 Information about life circumstances and interests, which are stored in the "About me" section,

 Activated and/or redeemed coupons,

 Participation in competitions and promotions,

 Use of our partner offers described in Section 3.9 (e.g. time, quantity, location),

 Use of functions in Lidl Plus,

 Use of our Lidl Pay payment service.

In addition, the following information from Online Services is processed to determine your interests:

 Usage data of the Lidl app, e.g.

o Visited app sections,

o Viewed articles,

o Version of the operating system,

o Device labelling,

o System language and selected country,

o Lidl app version used,

 Tracking data, e.g.

o advertising identifiers (iOS IDFA, Android advertising ID or Huawei ID, email address, address, mobile phone number),

o IP/MAC address,

o HTTP header,

o Fingerprint of your end device,

o Information about the use of apps and websites (links clicked on, areas visited, duration and frequency of use, number of clicks and scrolls),

o App and event tokens,

 Information from the Online Service of the Lidl Group companies, e.g.

o products purchased/reserved in Online Services by type, quantity and price,

o Receipt amount and time of payment,

o Payment method used,

o Selected delivery method,

o Participation in surveys and competitions,

o Products stored in the shopping basket,

o Frequency of purchase transactions,

o Web tracking data of the Online Services,

 Your usage behaviour in relation to marketing communication of Online Services, e.g.

o time at which the newsletter was opened,

o clicked links or areas,

o duration and frequency of use.

We use mathematical-statistical methods to determine your interests. For this purpose, your personal data is also compared with the data of other customers. Based on this comparison, we can work out which products and campaigns are relevant for customers with similar interests.


We use this information to provide you and other customers of the Online Services with personalised advertising tailored to your interests and to offer you the best possible individual offers and discounts. Where possible, you will also receive personalised information about products, promotions, competitions, new services, customer surveys and the latest streaming, store, online shop, flower, photo and travel offers. We also use these findings to optimise the Lidl Plus programme.


The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.


Recipients/categories of recipients


In addition, we may transfer the data described in this paragraph to other companies in the Lidl Group or other third parties if there is a legal basis for this (in particular your consent to the use of tracking technologies in our Online Services).


3.4 Advertising optimisation measures, the store network and store design

Purposes of data processing/legal basis


If you provide us with your address as part of the registration process or at a later date in your Lidl Plus account, we will use it to optimise our advertising (e.g. leaflet distribution, poster advertising) and to optimise the store network.


This data is processed on the basis of our legitimate interest in optimising sales channels (Article 6(1)(f) GDPR).


3.5 Google reCaptcha

Purposes of data processing/legal basis


To protect our registration/login process from attacks or misuse by automated programmes (known as bots), we use Google reCaptcha. Bots are used, for example, to obtain customer account passwords or to restrict the functionality of the website through mass data transfers.


Google reCaptcha determines whether the interaction with the website is by a human user or a bot. For this purpose, usage behaviour (time spent on the page or mouse movements made) is analysed and the IP address is read by Google and checked to see whether it could have been assigned to a bot in the past. If the IP address has already been assigned to a bot, Google transmits this information to us. We then store these IP addresses for defence against future attacks. This analysis starts automatically as soon as you open the registration page.


The legal basis for this data processing is Article 6(1)(1)(f) GDPR. Our legitimate interest is based on the purposes of processing mentioned above.


Recipients/categories of recipients


When using Google reCaptcha, the above-mentioned data is also processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA to provide the Service. We have no influence over the processing and use of data by Google. Further information on data processing by Google can be found here: https://policies.google.com/privacy.


3.6 Competitions

Purposes of data processing/legal basis


As a Lidl Plus user, you can take part in various competitions. Unless otherwise specified in the respective competition, your data will be used in the context of your participation in the competition in order to run the competition (e.g. determining the winner, notifying the winner, sending the prize) and for the purposes described under Section 3.3 to determine your interests as described in Section 3.3.


The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.


Recipients/categories of recipients


Apart from the above-mentioned determination of your interests and the personalised advertising approach, your data will only be passed on to companies of the Lidl Group or third parties if this is necessary to run the competition (e.g. to send the prize via a logistics company).


3.7 Reservation of products

Purposes of data processing/legal basis


If you reserve products (where applicable) via Lidl Plus and purchase them in-store at a later date, we process this information so that you can

 purchase these later in a Lidl store,

 view a history of reservations,

 view special offers tailored to your preferences and interests as well as participate in promotions.

The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.


Recipients/categories of recipients


We will send a list of the reserved products (where appliable) and your order number to the relevant Lidl Group company. The Lidl company uses this data under its own responsibility for the subsequent processing of the purchase contract.


3.8 Partner offers

Purposes of data processing/legal basis


Lidl Plus gives you the opportunity to take advantage of discounted offers from selected partners. Some of these offers require you to identify yourself as a Lidl Plus customer with your digital customer card. In this case, the partner informs us about your use of the special offer including the associated information (e.g. time, quantity, location).


If special offers are made within Lidl Plus for contracting services from our partners, we will receive your contact details (e.g. email address and mobile phone number) from them so that we can correctly assign the special offer to your account.


We use the information on the use of the partner offers to determine your interests as described above and to display personalised advertising.


The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.


Recipients/categories of recipients


If you make use of partner offers via Lidl Plus, we only send the partner the information that you are a Lidl Plus user so that the partner can assign the corresponding offer to you.


3.9 Lidl Pay

Purposes of data processing/legal basis


As a Lidl Plus user, you can choose to register your credit or debit card with our mobile payment Service "Lidl Pay" and make payments (e.g. in Lidl stores) conveniently using your mobile device. To register and use Lidl Pay, it is necessary to enter the credit or debit card number, the CVV/CSV code and the expiry date of the card. This data is entered and stored in encrypted form directly in the PCI-DSS & PCI 3DS-certified systems of our payment platform. To ensure that you are actually the holder of the credit/debit card, your data is compared with the data of the card-issuing company.


If the registration for Lidl Pay is successful, the payment platform sends us a token as confirmation. We then link this token to your customer account.


The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.


Recipients/categories of recipients


As soon as you use Lidl Pay in a Lidl store, your credit or debit card data will be forwarded to the respective Lidl Group company for payment processing, which will process the data for its own purposes (e.g. for tax verification obligations).


In order to carry out the payment process in accordance with the statutory provisions of Directive (EU) 2015/2366 ("PSD 2"), the applicable national implementing legislation and Delegated Regulation (EU) 2018/389, we also exchange specific information (e.g. data about you, the transaction and your payment behaviour) with your credit institution or the issuer of your means of payment (e.g. your debit or credit card) with the help of our service providers.


These processing operations are carried out on the basis of Article 6(1)(b) GDPR (execution of payment) and Article 6(1)(c) GDPR (fulfilment of the above-mentioned legal obligations).


To prevent fraud, we process your mobile phone number in the registration, pre-authentication and payment process and transmit it to the payment service provider. The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest lies in the prevention of fraud.




4. To which other recipients do we pass on your personal data?


4.1 Overview

Your personal data will only be passed on without your prior consent in the cases mentioned in Sections 3.1 - 3.13 if this is permitted by law. This is the case, for example, if:

 we have a legitimate interest in sharing your personal data for administrative purposes within the Lidl Group and your rights and interests in protecting your personal data within the meaning of Article 6(1)(f) GDPR do not outweigh this interest

or

 we use third parties as data processors who we have carefully selected and that are contractually obliged to process your personal data exclusively in accordance with our instructions.

4.2 Transfer within the Lidl Group

The data provided during registration will be passed on within the Lidl Group for internal administrative purposes, including joint customer support.


Any disclosure of personal data is justified by the fact that we have a legitimate interest in disclosing the data for administrative purposes within our Group (Article 6(1)(f) GDPR).



4.3 Transfers to recipients in third countries

Under specific circumstances, it may be necessary for us to transfer your personal data to recipients in a third country or several third countries outside the European Union (EU)/the European Economic Area (EEA).


The EU Commission has certified some third countries as having a level of data protection comparable to the GDPR by means of an adequacy decision. You can find an overview of third countries with an adequacy decision here. For service providers based in the USA, this only applies if they are certified in accordance with the EU-US Data Privacy Framework.


If there is no adequacy decision, we secure the transfer by other measures. These can be, for example, binding company regulations, standard contractual clauses of the European Commission, certificates or recognised codes of conduct.


Unless otherwise stated, the transfer to a third country takes place either on the basis of an adequacy decision or one of the measures listed above. If you have any questions, please contact our data protection officer (Section 2).

5. How long do we store your personal data?

We delete or anonymise your personal data as soon as it is no longer required for the purposes stated. As a rule, we store your personal data for the duration of your participation in Lidl Plus. If you are inactive for 24 months or actively delete your Lidl Plus account, we will notify you of the pending cancellation. Within 72 hours, you have the option of reversing the cancellation by logging in again. If your data must be stored for a longer period of time due to statutory retention periods or to secure, assert or enforce legal claims, we will store your data beyond the cancellation of the account. The data will only be stored for as long as is legally permissible.


If you do not use Lidl Pay for 24 months, the data collected within this function and the function itself will be deleted. You can then re-register for Lidl Pay at any time.


If you log out of Lidl Pay or wish to have your Lidl Plus account deleted completely, we will delete your payment data when using Lidl Pay as standard and subject to legal disputes or additional statutory retention obligations at the latest after 10 weeks starting with the date of the last transaction in order to be able to assign any refunds. Transaction data processed as part of reporting is anonymised after 12 years.


If you enter your Lidl Pay Passcode incorrectly five times in a row, your Lidl Pay account will be automatically deleted for security reasons.


Data for the credit check within the scope of Lidl Pay is stored for a maximum of 180 days. Data for fraud prevention in the context of Lidl Pay through the device recognition procedure (see above) will be deleted with your cancellation, but at the latest after six months.


All personal data that you send us in the context of customer service enquiries will be deleted or anonymised by us no later than 90 days after the final response. Experience has shown that there are usually no more queries after 90 days. If data subjects assert their rights, personal data will be stored for three years after the final response to prove that we have provided comprehensive information and complied with the legal requirements.


We store the log files in which we record your interactions with Lidl Plus (your registration, password reset, etc.) for a period of up to 90 days.


6. What rights do you have with regard to the processing of your data?

You have the right to request information about the personal data stored about you free of charge in accordance with Article 15(1) GDPR.


If the legal requirements are met, you also have the right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR). If you have provided us with the processed data, you have a right to data portability in accordance with Article 20 GDPR.


If data processing is carried out on the basis of Article 6(1)(1)(e) or (f) GDPR, you have the right to object in accordance with Article 21 GDPR. If you object to data processing, this will only be continued if we can demonstrate compelling legitimate grounds for further processing that outweigh your interest in objecting. You can send your objection to customer.services@lidl-ni.co.uk or Data.controller@lidl.ie at any time.


If the data processing is based on consent in accordance with Article 6(1)(1)(a) or Article 9(2)(a) GDPR, you can withdraw your consent at any time with future effects without affecting the lawfulness of the previous processing.


You also have the right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority of the country in which you live or in which the controller has its registered office is responsible.


Data protection notice on downloads

You can download the Lidl Plus data protection information as a PDF version here.