Privacy policy
Data protection
(Version 13.12; as of December 1, 2025)
Privacy policy for the Lidl online shop and the Lidl app
1. Contact details of the controller and contact details of the company data protection officer
Unless otherwise stated below, Lidl Digital Deutschland GmbH & Co. KG, Bonfelder Straße 2, 74206 Bad Wimpfen (“Lidl Digital”) and Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm (“Lidl Stiftung”, together with Lidl Digital “we”, “us”) are joint controllers for the processing of your data on the website. www.lidl.deand in the Lidl app (“Services”).
The data protection officer of the Lidl Foundation can be contacted at the above postal address or at datenschutz@lidl-shop.deThe data protection officer of Lidl Digital can be reached at the above postal address or at datenschutz@lidl.dereachable.
2. Involvement of third parties as data processors
Unless otherwise stated, the recipients or categories of recipients named below act as data processors. They are carefully selected and contractually bound in accordance with Article 28 of the GDPR. This means that they may only process personal data on the basis of our instructions and not for any purposes other than those stated.
3. Transfer to recipients in third countries
In certain circumstances, it may be necessary for us to transfer your personal data to recipients in one or more third countries outside the European Union (EU)/European Economic Area (EEA).
The EU Commission has certified that some third countries have a level of data protection comparable to the GDPR through an adequacy decision. You can find an overview of the third countries with an adequacy decision here.hereFor service providers headquartered in the USA, this only applies if they are certified under the EU-US Data Privacy Framework.
If no adequacy decision exists, we secure the transfer through other measures. These can include, for example, binding company regulations, standard contractual clauses of the European Commission, certificates, or recognized codes of conduct.
Unless otherwise stated below, data transfers to third countries are based either on an adequacy decision or one of the measures listed above. Please contact our data protection officers if you have any questions.
4. Accessing our services
Purposes of data processing/legal bases
When you access our services, your browser automatically processes data without your intervention.
IP address of the device used,
Date and time of access,
Name and URL of the retrieved file,
Website/application from which access is made (referrer URL),
browser and, if applicable, operating system of your device,
Name of your access provider
sent to our server and temporarily stored in a log file for the following purposes:
Ensuring a smooth connection setup,
Ensuring a comfortable user experience on our website/application,
Evaluation of system security and stability.
If you consent to geolocation on your device, we will process your real-time location data when using certain functions of our services (e.g., displaying the location of the nearest Lidl store in the store finder).
In order to display product videos on our website,
IP address of the device used,
Video ID (internal name of the video),
browser and, if applicable, operating system of your device,
as well as the user-agent string (interface between user and website),
processed and transmitted to the service provider mentioned below in order to display the respective product video to you in a compatible format.
The legal basis for the data processing described is Article 6(1)(f) GDPR. Our legitimate interest lies in the correct presentation of our services, the protection of our systems, and the prevention of misuse of our website. If the presentation serves the purpose of preparing a contract, the legal basis for the data processing is Article 6(1)(b) GDPR.
Recipients/Categories of Recipients
For the display of product videos, the necessary data will be transmitted to DemoUp GmbH, Cuvrystraße 1, 10997 Berlin.
Storage duration / Criteria for determining the storage duration
The log files are stored on our servers for a period of seven days and then automatically deleted.
5. Handling of purchase contracts including warranty claims
Responsible
Lidl Digital is responsible for data processing in connection with the execution of purchase contracts.
Purposes of data processing/ Legal basis
Lidl Digital's business activity is the distance selling of goods and services. In this context, Lidl Digital processes the data necessary for the conclusion, execution, and termination of contracts. This includes, in particular:
First/Last Name,
Billing/delivery address,
E-mail address,
Billing/payment details,
Birth date,
Phone number (optional).
Orders can be placed as a guest or via your Lidl Plus account. If you place orders as a registered Lidl Plus customer, reserve products in Lidl Plus, pay with Lidl Pay, or use the e-mobility service, Lidl Digital receives the data required for processing the respective contract from the Lidl Foundation (e.g., your customer master data such as name, address, telephone number, and email address).
The legal basis for the aforementioned data processing is Article 6(1)(b) GDPR, i.e., Lidl Digital and the Lidl Foundation process your data to fulfill our contractual obligations.
Recipients/Categories of Recipients
Within the scope of the aforementioned data processing activities, your data will be processed on behalf of data processors - particularly from the logistics sector.
We share your delivery address with service providers we have contracted (e.g., logistics companies, repair services, or the manufacturer) for the purpose of processing your purchase and handling warranty claims. Only in cases involving bulky goods, perishable items, or warranty claims will we transmit your email address and, if applicable, your telephone number to the service provider we have contracted to ensure that the delivery, return, repair, or collection can proceed as planned. The service provider will contact you prior to delivery, return, repair, or collection to coordinate the details of the process. The data is transmitted to the service provider solely for this purpose and is processed by them exclusively for this specific purpose.
If you pay by credit card, an online payment method (e.g., Google/Apple Pay, PayPal), or financing through Consors Finanz BNP Paribas SA, you will be redirected to the website of the respective payment/financing service provider after completing your order. The necessary data (e.g., the specific payment amount) will be transmitted to the service provider. Further information on payment processing and contact details can be found in the service providers' information texts. For credit card and Google/Apple Pay payments, you can find further information on data processing by Adyen NV, Simon Carmiggeltstraat 5-60, 1011 DJ, Amsterdam, Netherlands, and their contact details. here.
For the payment method PayPal, you can find further information on data processing by PayPal (Europe) S.à rl et Cie, SCA and their contact information. hereor directly in your PayPal account.
In the case of financing, Consors Finanz BNP Paribas SA will independently conduct a credit check based on mathematical-statistical methods. Further details regarding this and data processing in general within the context of financing will be provided upon request. here.
Storage duration / Criteria for determining the storage duration
The data collected for contract processing will be stored until the expiry of the statutory/contractual warranty and guarantee rights. After this period, we retain the information required under commercial and tax law for the legally prescribed period. During this period (generally twelve years from the conclusion of the contract), the data will only be processed again in the event of an audit by the tax authorities or in response to customer inquiries.
6. Securing the order process and selecting payment methods
Responsible
Lidl Digital is responsible for data processing to secure the order process and the selection of payment methods. Schwarz Digits Payment GmbH is responsible for conducting efficiency tests of credit reference agencies.
Purposes of data processing/legal bases
To secure and optimize the ordering process and to offer you various payment methods, the information already available during the ordering process (e.g., product group, order quantity, or delivery address) is checked for risks or anomalies. Furthermore, in the case of abandoned orders, the data collected up to the point of cancellation is stored for the (technical) optimization of the ordering process, for the detection of fraud patterns, and to answer customer inquiries regarding the orders. The legal basis for this is Article 6(1)(f) GDPR. Our legitimate interest arises from the described purpose of the processing.
Service providers are used for address verification, identity and credit checks (for payment methods such as direct debit, purchase on account, and installment payment). These providers receive only the data necessary for identification (first and last name, address, and, if applicable, date of birth), which they process solely for this purpose.
When selecting direct debit or installment payment as payment methods, your bank details (IBAN and BIC) will be checked against pools of so-called non-consumer account checks. For this purpose, your data will be transmitted to the credit agencies listed below and checked to see if it is a publicly disclosed bank account (e.g., from companies or banks).
These checks will under no circumstances prevent you from being offered a payment method. For further information on the procedures used, and in particular the calculation of the score values within the framework of the so-called scoring (a mathematical-statistical method for predicting risk probabilities), please contact the relevant service provider.
When selecting installment payment, an individual installment plan, the debit dates and the IBAN for direct debit collection are also processed for the purpose of fulfilling the contract.
The legal basis for the data processing described in this section is Article 6(1)(b) and (f) of the GDPR. The legitimate interest arises from the protection of your identity, the minimization of payment default risks, and the prevention of fraudulent activity.
To prevent fraud, when selecting direct debit or installment payment as your payment method, our service provider Tink AB may verify the bank account you have provided. During account verification, you will be asked to log in to your online banking account. Once the verification is complete, Lidl Digital will receive your name, IBAN, bank account currency, and confirmation of whether you were able to log in successfully.
To prevent fraud and limit the risk of payment defaults, certain personal data and, where applicable, information on the processing of past electronic payments will be forwarded to your bank or the issuing authority of your payment card, or to a credit reference agency such as infoscore Consumer Data GmbH, SCHUFA Holding AG, or CRIF GmbH. The legal basis for this is Article 6(1)(f) GDPR. The legitimate interest arises from the processing purposes described above.
Prior to collaborating with such credit reference agencies, Schwarz Digits Payment, as the data controller, may conduct tests on the efficiency of these agencies' methods and forward certain customer data (e.g., first and last name, contact details such as address, email address, or telephone number, date of birth, information on preferred payment methods or past orders and any dunning procedures). In this case, the credit reference agencies act strictly on instructions as data processors and must delete the transmitted data immediately after the respective test is completed. This data processing is carried out on the basis of Article 6(1)(f) GDPR. The legitimate interest of Schwarz Digits Payment and Lidl Digital lies in preventing payment defaults.
In the event of a payment delay, the necessary data will be transmitted to a company commissioned with the collection of the debt, provided the legal requirements are met. The legal basis for this is Article 6(1)(b) and (f) of the GDPR. The collection of a contractual claim is considered a legitimate interest. Information about the payment delay or any potential default will also be transmitted to credit agencies cooperating with us, provided the legal requirements are met. The legal basis for this is Article 6(1)(f) of the GDPR. The legitimate interest arises from the interest in reducing contractual risks for future contracts.
The results of the data processing described in this section are also used by Lidl companies and partner companies for the purposes described above, in accordance with their privacy policies. Conversely, the results of data processing carried out by these companies and partners for the same purposes are also used for the data processing described in this section. Currently, this data exchange takes place with the Lidl Foundation and, in the context of installment payments, with Schwarz Digits Payment GmbH as the lender, both located at Stiftsbergstraße 1, 74172 Neckarsulm, Germany.
The legal basis for the data exchange is Article 6(1)(f) GDPR. The legitimate interest arises from securing and optimizing the ordering process, protecting your identity, minimizing payment default risks and preventing fraud attempts, as well as reducing contractual risks for future contracts.
Recipients/Categories of Recipients
Established and trustworthy service providers are used for the above-mentioned data processing, including infoscore Consumer Data GmbH, Rheinstraße 99, 76532 Baden-Baden, Coeo Inkasso GmbH, Kieler Straße 16, 41540 Dormagen, SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe.
These service providers also process the data they receive to provide their contractual partners (including those in countries outside the EU, provided there is an adequacy decision by the European Commission or another legal basis within the meaning of Articles 44 et seq. GDPR applies) with information for assessing creditworthiness. Further information on the activities of these service providers can be found in their information sheets. infoscore Consumer Data GmbHand CRIF GmbH according to Art. 14 GDPR.
To prevent fraud and limit the risk of payment defaults, certain personal data and, where applicable, information on the processing of past electronic payments will be forwarded to your bank or the issuing authority of your payment card.
Storage duration/criteria for determining the storage duration
The personal data collected to secure the order process will not be stored longer than necessary for processing and fulfilling the orders (until the expiry of statutory or contractual warranty and guarantee rights or until the conclusion of any debt collection proceedings). Personal data from abandoned orders will be stored for a maximum of eighteen months. After this retention period, all personal data will be completely removed.
The data collected from credit checks as part of payment method management is stored for a maximum of 180 days. Depending on the result of the check and the current shopping cart value, another credit check may be performed within this storage period. In this case, the previous check result is deleted.
6.1 Fraud prevention using device fingerprinting
Responsible
Lidl Digital is responsible for data processing for fraud prevention using device fingerprinting.
Purposes of data processing/ Legal basis
For fraud prevention purposes, we check whether your order or attempted order reveals any device-related indications of misuse or attempted fraud, e.g.
extremely short dwell time on websites before a purchase,
Typing speed that only a machine can achieve,
Implausible information regarding device location, delivery address, language settings, and payment methods.
Information that suggests malware is installed.
In addition, the following usage, device, and transaction data are processed:
IP address,
Website visits,
Information about the start, end and scope of the websites visited,
Language and country settings,
Screen information,
Color depth as well as information about installed browsers, plug-ins, software and their versions,
Item of purchase,
Shopping cart
names,
Birth date,
Postal address,
E-mail address,
Delivery address,
Payment method and bank details.
Your data may subsequently be pseudonymized and compared with data from devices that have been used for fraudulent activities in the past or where there is a suspicion of such activity. For this purpose, a device ID is first generated based on the aforementioned device data. This ID allows the device to be recognized with a certain probability on subsequent visits. Additionally, a cookie (a small text file) is stored locally in the web browser's cache to precisely identify the device. The cookie contains only a cookie ID and no personal usage or transaction data. If the comparison reveals that the device has already been used for fraud or attempted fraud, we will refuse to conclude the contract in that specific case. It is possible that Lidl employees or a service provider may manually review the results.
The above-mentioned data processing for fraud prevention will only be carried out if the payment method you have selected (e.g. installment payment, direct debit, purchase on account) poses a financial risk of default for Lidl Digital.
The legal basis for processing personal data within the context of device fingerprinting is Article 6(1)(f) GDPR. There is a legitimate interest in preventing the commission of criminal offenses to protect our economic interests.
Recipients/Categories of Recipients
To implement the measures described above, CRIF GmbH, Leopoldstraße 244, 80807 Munich, is used as a service provider. CRIF GmbH has subcontracted parts of the data processing, in particular the creation of the device ID, to LexisNexis BV, The Base 3/F, Tower C, Evert van de Beekstraat 1, 1118 CL Schiphol, Netherlands. Data processing and storage by CRIF GmbH and LexisNexis take place in data centers in Germany and Europe.
Storage duration / Criteria for determining the storage duration
The data collected for fraud prevention purposes will be stored for a period of six months for the purposes of traceability, optimization and answering customer inquiries, and will then be deleted.
6.2 Verification for using Click to Pay
Responsible
Lidl Digital is responsible for data processing for the implementation of the Click to Pay process at Lidl.
Purposes of data processing/ Legal basis
If you select "Card Payment" as your payment method, Lidl Digital will transmit your email address to Adyen NV, Simon Carmiggeltstraat 5-60, 1011 DJ Amsterdam, Netherlands ("Adyen"). Adyen will check whether a Click to Pay account already exists for this email address and send this information back. This allows Lidl Digital to offer you the "Click to Pay" payment option particularly conveniently if you have previously registered. If you have registered with different email addresses, you can still use the Click to Pay function even if the check fails. To do this, simply enter the email address you used to register with Click to Pay.
The legal basis for the data exchange with Adyen is Article 6(1)(f) GDPR. Lidl Digital's legitimate interest lies in making the payment method as convenient and user-friendly as possible.
The actual execution of the payment process with the "Click to Pay" option corresponds to that of a normal credit card payment (see section 5 above).
Recipients/Categories of Recipients
As described, we transmit your email address to Adyen. Adyen processes your data independently and exchanges data with your credit card provider, for example, to process the payment. This provider could be Mastercard or Visa, for instance.
Adyen's data processing practices are described here: https://www.adyen.com/de_DE/privacy-policy.
You can view Mastercard's data processing activities here: Click to Pay Privacy Notice.
You can view Visa's data processing practices here: Visa Global Privacy Notice | Visa.
We have no control over the data processing activities of Adyen, Mastercard, Visa, or your bank, nor over their respective legal policies. Please contact them directly if you require further information.
Storage duration / Criteria for determining the storage duration
The storage period is determined by the information provided in section 5 of this privacy policy.
7. Contact form, email contact, telephone calls, social media and customer surveys
Purposes of data processing/legal bases
Personal data that you provide to us when filling out contact forms, by telephone, by email or via social media will be used exclusively for the purpose of processing your request.
Participation in one of our customer surveys is entirely voluntary. These anonymous surveys do not store any information that could identify participants. Only the date and time of your participation are recorded. You can provide more details by filling out free text fields or taking screenshots. You can also voluntarily agree to be invited to participate in user studies on a regular basis. These studies typically include telephone interviews, written surveys, or usability tests of our applications. For this purpose, we store your first name, last name, and email address. Any additional personal information you provide in surveys or user studies is considered voluntary and will be stored in accordance with the GDPR. Please refrain from submitting personal data about yourself or others when using the free text fields and screenshots.
The legal basis for data processing is Article 6(1)(f) or Article 6(1)(b) GDPR. Our and your concurrent (legitimate) interest in this data processing arises from the goal of answering your inquiries, resolving any problems that may arise, and thus maintaining and promoting your satisfaction as a customer or user of our website. If you provide your consent in the context of a customer survey or user study, Article 6(1)(a) GDPR is the legal basis for the data processing based on that consent. You can withdraw this consent at any time with effect for the future. Further details are provided in the data protection information for the customer surveys or user studies. The legal basis for processing data protection inquiries is Article 6(1)(c) GDPR, as this is necessary for compliance with legal obligations.
When you identify yourself as a Lidl Plus customer, the relevant Lidl company receives your contact details, which are necessary for processing your request by customer service or for a product-specific inquiry with suppliers. The legal basis for this is Article 6 Paragraph 1 Sentence 1 b) GDPR.
Recipients/Categories of Recipients
When answering your inquiries and evaluating customer surveys, your data is also processed on our behalf by data processors from the field of customer service and customer surveys.
To the extent necessary for processing your request, the data you provide may be shared with companies within the Lidl Group. If your customer service inquiry leads to a further matter, we will use your previously collected data for this matter as well, so you do not have to provide your information again.
To process your complaint, it may also be necessary to share your contact details with our service partners, who will contact you regarding further processing of your complaint (e.g., arranging a collection or repair appointment). We will inform you of the specific service partner's name during our communication. This data transfer is necessary for the fulfillment of warranty claims and thus for the performance of our contractual relationship with you, in accordance with Article 6 Paragraph 1 Sentence 1 b) GDPR.
Storage duration/criteria for determining the storage duration
All personal data that you provide to us in connection with inquiries (suggestions, praise, or criticism) will be deleted or anonymized by us no later than 95 days after we have issued our final response. Experience has shown that, as a rule, no further inquiries are received after 95 days. If you exercise your data protection rights, your personal data will be stored for three years after the final response to demonstrate that we have complied with legal requirements. The storage period for personal data collected as part of customer surveys will be communicated in advance within the context of the specific survey.
8. Competitions
Responsible
The entity responsible for data processing in connection with the handling of prize draws is Lidl Dienstleistung GmbH & Co. KG, Bonfelder Str. 2, 74206 Bad Wimpfen.
Purposes of data processing/ Legal basis
You have the option to visit the website www.lidl-gewinnspiel.deYou can participate in various prize draws via our newsletter or the Lidl app. Unless otherwise specified in the respective prize draw, the personal data you provide to us in connection with your participation will be used exclusively for the administration of the prize draw (e.g., determining the winner, notifying the winner, sending the prize).
The legal basis for data processing in the context of prize draws is Article 6 paragraph 1 letter b) GDPR.
Recipients/Categories of Recipients
Data will only be shared if this is necessary for the processing of the competition (e.g. sending the prize via a logistics company).
Storage duration / Criteria for determining the storage duration
After the competition ends and the winners are announced, the participants' personal data will be deleted. For prizes in kind, the winners' data will be retained for the duration of the statutory warranty period in order to arrange for repair or replacement in case of a defect.
9. Sending out advertising
Purposes of data processing/legal bases
If you have entered into a contract with us and/or use our services, we process your postal contact details and, where applicable, other data (e.g., purchase history) to send you tailored information about (our own similar) products and services. In this context, we forward your data (especially your gender, date of birth, postal code, and purchased items) – even if you purchase products in our online shop without opening a Lidl Plus account – to a service provider bound by our instructions. This service provider uses this data to assign you to specific target groups (so-called segments). We use these segments to personalize the advertising included with your parcel deliveries from our online shop and thus make it more relevant to you. If you do not open a customer account with us, we delete your personalization-related data after the parcel insert has been generated.
Furthermore, we forward anonymized information (e.g., age, country, postal code area, gender, and your encrypted email address) to our partner company, userwerk GmbH, Ehinger Str. 19, 89077 Ulm, in order to display tailored offers from third parties to you after you place your order. The JavaScript integration of userwerk GmbH stores your personal order data (name, address, telephone number, email address) in your browser's session storage, provided you have consented to the use of convenience technologies. When you open the order form for one of the displayed offers, it is automatically populated with the stored order data. By placing your order via the form, userwerk GmbH receives your personal data in unencrypted form for the first time and then processes it for its own purposes.
You can object to this data processing at any time, free of charge, separately for each communication channel, and with effect for the future. For example, an email to the contact details listed under point 1 is sufficient.
You can subscribe to our marketing communications on our website, in our mobile applications, on the websites or mobile applications of partner companies, and via embedded content on our social media channels. If you have expressly consented to receiving our Lidl marketing communications (email, SMS, WhatsApp, push notification), we will use your email address or mobile phone number and, if applicable, your name to send you information (see section " Promotional Content "), taking into account your usage profile (see section " Personalized Usage Profile ").
To ensure that no errors occur when entering your email address, we use the so-called double opt-in procedure. After you have entered your email address in the registration field, we will send you a confirmation link. Only after you click this confirmation link will your email address be added to our mailing list. We proceed in the same way with your mobile phone number, provided you have given it to us during Lidl Plus registration.
You can withdraw your consent to receive marketing communications, including the creation of personalized user profiles, at any time with effect for the future, e.g. at the end of each newsletter, in your Lidl Plus account or via our customer service at contact@lidl.deBy unsubscribing, we consider your consent to the creation of this personalized user profile and the receipt of the newsletters based on it to be revoked.
The legal basis for the aforementioned processing is Article 6(1)(f) GDPR, or, if corresponding consent has been given, Article 6(1)(a) GDPR. The processing of existing customer data for our own advertising purposes or for the advertising purposes of third parties constitutes a legitimate interest within the meaning of the aforementioned provision. This also applies to the processing of your data to make advertising more relevant to you to the extent described above.
Recipients/Categories of Recipients
Recipients include social network operators, advertising partners and specialized service providers who process personal data on our behalf and under our instructions.
If external processors are used for carrying out marketing communication or enabling the submission of purchase reviews, they are contractually obligated in accordance with Art. 28 GDPR.
Storage duration/criteria for determining the storage duration
If you withdraw your consent to individual advertising measures or object to certain advertising measures, your data will be deleted from the corresponding (email) distribution lists within 72 hours for technical reasons. Likewise, we will no longer use your data to personalize package inserts if you object to this.
If you object, the contact address in question will be blocked from further processing for advertising purposes. Please note that in exceptional cases, even after we receive your objection, you may still temporarily receive advertising material or be shown advertising campaigns. This is due to the necessary lead time for advertising campaigns and does not mean that we are not implementing your objection.
Your registration data will then be stored for ten years as proof that we have complied with legal requirements.
The customer number is stored for six months after the product review is submitted for the purpose of verifying sales and is then deleted.
Further data processing for advertising purposes
Furthermore, we process data relating to you for advertising purposes using cookies and similar technologies as described in more detail under point 10.
9.1 Personalized usage profile
With your consent, we and the following operators of Lidl websites and Lidl apps, as well as senders of Lidl newsletters, will collect data on your usage behavior:
Lidl Dienstleistung GmbH & Co. KG,
Lidl Stiftung & Co. KG,
Lidl Digital Trading GmbH & Co. KG,
Vodafone GmbH (registration.lidl-connect.de).
The analysis of user behavior includes, in particular, the following information:
areas of the respective website, mobile apps or newsletter used,
pressed links,
Opening time,
Selected products or products placed in the shopping cart,
Time, duration and frequency of use,
Ordering via the online shop or the app,
Participation in surveys,
redeemed deposit slips,
Purchase data,
Frequency and recency of your in-store/online shop purchases in the case of Lidl Plus usage.
We use this data to create personalized user profiles by associating them with your person and/or email address or mobile phone number, in order to better tailor potential advertising communications via newsletters, SMS, WhatsApp/push messages, on-site advertising and print advertising to your personal interests and to improve our offers and digital presence.
We can also enrich this usage profile with information about products you have purchased in the online shop or Lidl app, your product reviews, your age and gender, if you have given us your consent to do so.
If you have filled out the "About me" section in Lidl Plus, this data will also be used to tailor our services to your interests. The legal basis for this is Article 6 Paragraph 1 Letter b) GDPR (contract between the Lidl Foundation and you).
9.2 Advertising content
The content of the marketing communications of Lidl Stiftung & Co. KG and Lidl Digital Deutschland GmbH & Co. KG includes information about their offers, discount promotions, competitions, news, products and services (e.g., streaming, photo, electricity and gas, car contracts, newspaper and magazine, children's books, fitness and nutrition, telecommunications, travel offers, recipes, customer satisfaction surveys, and the opportunity to submit product reviews) and those of their changing cooperation partners from the Lidl online shop, the Lidl app, the brick-and-mortar stores, the Lidl websites (e.g., www.lidl.de, www.lidl-kochen.de) and Lidl apps, as well as the cooperations offered there by Lidl and its changing cooperation partners (e.g., Lidl Plus partner benefits).
Current cooperation partners include:
Lidl Dienstleistung GmbH & Co. KG (Lidl retail store, www.lidl.de, www.lidl-kochen.de) ,
Schwarz Digits Content GmbH,
Lidl Digital Trading GmbH & Co. KG (www.lidl-reisen.de),
Vodafone GmbH (registration.lidl-connect.de),
Picanova GmbH (www.lidl-fotos.de),
E.ON Energie Deutschland GmbH (www.lidl-strom.de)
9.3 Push notifications
Purposes of data processing/ Legal basis
To regularly receive information about news, offers, promotions and reminders about incomplete orders, you can sign up to receive push notifications.
To do this, you must confirm your browser or device's request to receive push notifications. Afterwards, the registration time and a push token or your device ID will be stored. This data is used to send push notifications and to verify your registration.
The Lidl app only uses push notifications if you activate them during app installation or later in your device settings. You can deactivate push notifications at any time in the Lidl app or for the Lidl website. hereor in the browser settings.
We statistically analyze push notifications to determine if and when they were displayed and clicked. This allows us to draw conclusions about the likely interests of recipients and thus optimize our push notifications.
The legal basis for processing your data to send you push notifications is your consent pursuant to Art. 6 para. 1 sentence 1 a) GDPR.
Recipients/Categories of Recipients
If external processors are used for sending push notifications, they are contractually obligated in accordance with Article 28 GDPR.
Storage duration / Criteria for determining the storage duration
Your data will be stored as long as you have push notifications enabled.
9.4 Availability notification
Purposes of data processing/ Legal basis
For unavailable items, we offer you the option on the product page to be notified by email or push notification when the desired item is back in stock. If you have consented to receive these availability notifications, we will use your email address, device ID, and, if applicable, your name to send you information about product availability. We store and process your data for the purpose of sending emails and push notifications.
To ensure that no errors occur when entering your email address, we use the so-called double opt-in procedure: After you have entered your email address in the registration field on the Lidl website, we will send you a confirmation link. Only after you click on this confirmation link will your email address be added to our mailing list. If you have clicked on “Remind me when available” in the app, you will be added to our mailing list, which you can access in the app under Settings → Account → Product Reminders.
The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 sentence 1 a) GDPR.
Recipients/Categories of Recipients
If external processors are used for sending emails, they are contractually obligated in accordance with Article 28 GDPR.
Storage duration / Criteria for determining the storage duration
Your data will be deleted 90 days after registration.
9.5 Submitting product reviews
Purposes of data processing/ Legal basis:
With your consent, we enable you to submit product reviews after your orders. We will send you an email with a link to the email address you provided during the ordering process, allowing you to directly submit a review of the purchased product. You can also submit reviews for items in your order history directly from your Lidl Plus customer account. If your review indicates problems with your order or the product itself, we may contact you by email to clarify the matter. Participation in this correspondence is entirely voluntary. We appreciate your support.
To link ratings to specific sales and prevent multiple ratings of the same purchase, the customer number and order number associated with the sale are added to each rating (sales verification). We also use your ratings for marketing purposes.
By using a comprehensive anonymization process, we ensure that your rating is displayed in anonymized form on our websites.
To provide our customers with a simple and quick overview, we summarize the most important positive and negative points from the published reviews using AI-based software.
The legal basis for the aforementioned data processing is your consent pursuant to Art. 6 para. 1 sentence 1 a) GDPR. You give this consent by submitting a review or by agreeing to receive a link to submit the review.
You can withdraw your consent to this data processing at any time with effect for the future. For example, an email to the contact details listed under point 18 is sufficient for this purpose.
We also need your order number to prove that a review is based on a confirmed order and to be able to delete reviews upon request. Storing the order number for this purpose is based on Article 6 Paragraph 1 Sentence 1 f) GDPR.
Recipients/Categories of recipients:
If external processors are used to enable the submission and aggregation of customer reviews, they are contractually obligated in accordance with Article 28 of the GDPR. Furthermore, your data will be shared with other companies within the Schwarz Group for the purpose of using your reviews for advertising purposes.
The text of your review will be forwarded to Lidl online shops in other countries and translated. Your customer data will not be shared, and your review will be published anonymously, just as it is in the German online shop.
Storage duration / Criteria for determining the storage duration:
If you withdraw your consent to receive purchase review emails, your email address will be blocked from receiving these emails. Your data will then be deleted from the relevant email distribution lists.
The customer number is stored for a period of twelve months for the verification of sales after submission of the product review and for marketing purposes, and is then deleted or upon withdrawal of consent.
The order number will be deleted after five years.
10. Use of cookies and similar technologies for processing usage data
When using cookies and similar technologies to process usage data (especially local storage), the following data is collected when you visit our website ( www.lidl.de) and some of the websites embedded there (especially account.lidl.com) and the Lidl app (collectively: "Lidl Services") store files locally on your device (laptop, tablet, smartphone, etc.). Sometimes, a so-called tag is also used to display personalized advertising. This tag is integrated into these Lidl Services (hereinafter referred to as "similar technologies for processing usage data"). This tag is a code used to collect usage data.
10.1. Responsibility
Lidl Digital and the Lidl Foundation are joint controllers for most data processing activities related to the use of so-called cookies and other similar technologies (hereinafter referred to collectively as "cookies") for processing usage data on the Lidl services.
Beyond that, the lines of responsibility are as follows:
10.1.1 Responsibility for cookies used for self-promotion purposes
For some of the data processing activities associated with marketing cookies for self-promotion (see cookies under the category "Self-promotion" in our cookie policy), in addition to us, the following are also involved:
Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook), the
RTB House GmbH, Kurfürstendamm 226, 10719 Berlin, Germany (RTB House), the
AWIN AG, Eichhornstraße 3, 10785 Berlin, Germany (AWIN), the
lead alliance GmbH, Karlstr. 9, 90403 Nuremberg (lead alliance), and the
Kelkoo Deutschland GmbH, Willy-Brandt-Straße 23, 20457 Hamburg, Germany (Kelkoo) are joint controllers pursuant to Art. 26 GDPR.
We also use the following services for self-promotion in our Lidl services:
Microsoft Advertising and Microsoft Clarity are provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (Microsoft) and the service
Google Advertising is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google). Microsoft and Google also process your data independently within the framework of their respective advertising services.
We use the "Facebook Custom Audience" service in the Lidl app.
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Meta”, “Facebook”). In this respect, we are joint controllers with Meta pursuant to Article 26 GDPR.
In addition, data about you in the Lidl app is also processed in part by the advertising partner The UK Trade Desk Ltd., c/o The Trade Desk, Inc., 42 N. Chestnut Street, Ventura, CA 93001, USA ("TTD") as a separate controller for the purpose of displaying personalized advertising and measuring success. To link your usage behavior to you, your identifiers (MAID, hashed email address and/or hashed phone number) are forwarded to TTD based on your consent. Further information on data processing and how you can exercise your data subject rights can be found in TTD's privacy policy.
In connection with the data processing associated with marketing cookies for our own advertising purposes, we collaborate with Criteo SA, 32 Rue Blanche, 75009 Paris, France (Criteo) as joint controllers with us pursuant to Article 26 GDPR for the creation of an online identifier derived from your email address and the display of personalized advertising outside our services. Criteo is solely responsible for any potential linking of your hashed email address with other identifiers assigned to you.
We also use the Criteo Ads service provided by Criteo SA, 32 Rue Blanche, 75009 Paris, France (Criteo) within the Lidl services. Criteo is jointly responsible with us for collecting data on your usage behavior within the Lidl services, linking it to advertising profiles and segments, and using this data to display personalized advertising and analyze your interaction with this advertising. We and Criteo may also each use this information, independently, to improve the services.
10.1.2 Responsibility for advertising and performance measurement using the IAB TCF
Within the framework of data processing associated with marketing cookies for advertising and performance measurement using the IAB TCF (see cookies under the category "Marketing - Advertising and performance measurement using the IAB TCF" in our cookie notice), we work with Criteo SA, 32 Rue Blanche, 75009 Paris, France (Criteo) and Virtual Minds GmbH, Ellen-Gottlieb-Straße 16, D-79106 Freiburg im Breisgau, Germany, as joint controllers with us pursuant to Article 26 GDPR for the display of personalized advertising outside our services.
In addition, data about you is also processed in this context by the advertising partner The UK Trade Desk Ltd., c/o The Trade Desk, Inc., 42 N. Chestnut Street, Ventura, CA 93001, USA (“TTD”) as a separate controller for the delivery of personalized advertising and for performance measurement.
When using the special identification procedures "Utiq" and "EUID," we collaborate with Utiq SA/NV, Rue aux Laines 70, 1000 Brussels, Belgium, in the case of Utiq, and with TTD in the case of EUID, as joint controllers with us pursuant to Article 26 GDPR. In the case of Utiq, your IP address is forwarded to your telecommunications network operator, provided they participate in Utiq. This operator, as a separate controller, then creates a unique online identifier, the so-called network signal, from your IP address and an internal network reference, such as your mobile phone number, for further use in connection with Utiq. You can find further information on data processing and how to exercise your data subject rights in the privacy policies of Utiq SA/NV and TTD regarding EUID.
The transmission and further processing of your hashed email address, described under the purpose of "storing or accessing information on an end device," is generally carried out jointly with Criteo. Criteo is solely responsible for any potential linking with other identifiers assigned to you.
10.2 Purposes/Data processing
10.2.1 Overview
We place cookies on your device, which collect the data specified in more detail below and then process it for the purposes mentioned below.
Technically necessary : These are cookies and similar technologies without which you cannot use our services (e.g., for the correct display of our services including font and color, for providing the functions you request and for taking your settings into account, for saving your login in the login area, for filling the shopping cart when shopping in-app/online, etc.).
Convenience : These technologies allow us to take your preferences into account for the most convenient use of our services. For example, based on your settings, we can display our services in a language that suits you and show you any incomplete orders in your shopping cart when you revisit our services. This also helps us avoid showing you products that may not be available in your region.
Statistics : These techniques allow us to create pseudonymous statistics on the use of our services. This enables us, for example, to determine how we can better adapt our services to user habits. We use your IP address, online identifiers, log files, and network-based location data to prevent misuse and to prevent and detect potential security breaches and other prohibited or illegal activities. For example, if you log in from a new/unknown device, we can inform you about such a login attempt. Furthermore, we use the "Google Signals" feature in our online services to extend the statistical reports generated by Google Analytics with a cross-device analysis of visitor traffic. Google Signals is only applied to users who are logged into a Google account and have activated the "Personalized Ads" feature there. Through Google Signals, we receive general demographic information (gender, age group), potential interests, and, if applicable, information on whether Lidl stores have been visited. If you wish to deactivate this feature, you can adjust your settings in your Google account. For more information on customizing Google ad settings, see: https://support.google.com/ads/answer/2662856Further information about Google Signals can be found at https://support.google.com/analytics/answer/7532985?hl=de.
Marketing – Self-promotion : This allows us to display relevant advertising content to you and other users within Lidl services, as well as to other responsible parties (e.g., in apps and on third-party websites). This personalization is based on the analysis of pseudonymous user behavior (e.g., by measuring the revenue you generated at checkout, clicked areas, etc.) and information from your customer account (age, gender, purchasing behavior within Lidl services; and, where applicable, store purchase data from the Lidl Plus service). Your usage behavior can also be tracked across various websites, apps, browsers, Lidl services, or devices using a user ID (unique identifier, e.g., a hashed email address) (see section 10.3 of this Privacy Policy for details). We can also optimize our advertising measures based on this information. If you are a user of the Lidl Plus service, this information may also be included in your advertising profile, for example, to identify suitable communication channels.
Marketing - Advertising and performance measurement using the IAB TCF : This includes data processing for the purpose of personalized advertising and performance measurement using the IAB Europe Transparency & Consent Framework advertising network, in which we participate through a service provider commissioned by us (ID 1184) and whose specifications and guidelines we take into account.
Further details regarding the processing purposes can be found in the preference manager.
10.2.2 Selected Services
Google Ads customer matching:
We use "Google Ads Customer Match" from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google") in our services. Using the tracking technologies we employ, lists of user data are sent to Google's servers. Google then compares whether the transmitted user data matches data from Google customers and subsequently creates target groups that can be used to deliver advertisements. These advertisements can be displayed within the Google network (YouTube, Gmail, or within the search engine) as well as across devices (so-called remarketing or retargeting).
We have concluded a data processing agreement with Google for the use of Google Ads Customer Matching in accordance with Article 28 Paragraph 3 GDPR. Through this agreement, Google assures us that it will process personal data on our behalf and in accordance with our instructions, and that the rights of the data subject will be protected.
Information on how Google uses personal data transmitted to Google through the integration of its services, as well as your settings options for personalized advertising and data collection, can be found here. hereand hereGeneral information on data processing by Google can be found in the Google's privacy policy.
Meta/Facebook :
Facebook Custom Audience allows us to create target groups and design and deliver personalized advertisements on Facebook according to need.
Lists of user data are uploaded to Facebook. Facebook then compares the submitted user data to match data from other Facebook users and subsequently creates target audiences that can be used to deliver ads on Facebook. With Custom Audiences, we ensure that ads are only shown on Facebook to people who have previously visited our app or have shown interest in our products. Facebook also uses this data for its own advertising purposes and for the advertising purposes of third parties.
Further selected data processing activities related to self-promotion :
With your consent, we use special technologies from partners to track your browsing behavior and display targeted advertising to you on our website, the Lidl app, or our partners' platforms (Facebook, Criteo, TTD, RTB House), or on third-party websites. This also allows us to understand which partners referred you to us for a potential purchase (AWIN, lead alliance, Solute, and Kelkoo). In the case of retargeting via Criteo, we also use your email address (provided you are registered and logged in to Lidl Plus) with your consent. This hash value is then used to generate an online identifier, which allows us and Criteo to recognize you on third-party websites and display personalized advertising to you there. Our partners may also compare the data collected on Lidl services with their own databases.
Microsoft Advertising and Google Advertising allow us to target and optimize advertisements across the Microsoft and Google networks (e.g., in search engines and email programs) and track user activity on our website when users arrive via advertisements. Microsoft Clarity enables us to track and visualize user interactions with our services.
We also collect information through Microsoft and Google Advertising services that allows us to track target audiences using remarketing lists. Microsoft Advertising and Google Advertising can recognize that Lidl services have been visited, and an ad can be displayed when a user subsequently uses Microsoft or Google networks. This information is also used to generate conversion statistics, i.e., to track how many users reached Lidl services after clicking on an ad. This tells us the total number of users who clicked on our ad and were redirected to our Lidl services. However, we do not receive any personally identifiable information. You can find more information about how Google uses personal data here.
10.3 Data categories
When using cookies and similar technologies to process usage data, the following types of personal data are processed, depending on the purpose:
Technically necessary :
User input to retain entries across multiple subpages (e.g., transferring selected items to the shopping cart, selecting your preferred branch in the Lidl store locator);
Authentication data to identify a user after registration in order to gain access to authorized content on subsequent visits (e.g., access to the Lidl Plus customer account);
security-relevant events (e.g. detection of frequently failed login attempts);
required data for playing multimedia content (e.g. playing user-selected (product) videos);
Information on the correct display of our website, including font and color, to provide the functions you request, and to respect your settings such as your choices regarding cookies and similar technologies, to save your login information, etc.
Comfort :
User interface customization settings that are not linked to a permanent identifier (e.g., language selection or the specific display of search queries or maps in the store locator).
Items placed in the shopping cart before completing the order will be deleted if you leave the Lidl services in the meantime.
Statistics :
Browser type/version,
operating system used,
the previously visited page (referrer URL),
Hostname of the accessing computer (IP address; this is regularly anonymized, so that it is generally impossible to trace it back to you personally),
Time of server request,
Your individual user ID and the events triggered on the website (browsing behavior) are recorded. We only combine your user ID with other data (e.g., name, email address, etc.) with your explicit consent (see, for example, section 7 of this privacy policy). The user ID alone does not allow us to identify you personally.
Marketing - Self-promotion :
Information on the use of Lidl services, in particular:
IP address (this is regularly anonymized, so that it is generally impossible to trace it back to you personally),
Individual user ID (including cookie identifier) or other identifiers (hashed email address, mobile phone number or hashed mobile phone number, address or hashed address; the IP or IP/MAC address in anonymized form); We only combine the user ID with other data about you (e.g., name, email address, age, gender, purchasing behavior in Lidl services, etc.) with your explicit consent for advertising and performance measurement. We may share the user ID and the associated usage profiles with third parties via advertising network providers.
potential product interests,
Access information,
Device identifiers,
Information about device and browser settings,
Mouse/scroll movements,
Events triggered in Lidl services (surfing behavior).
For in-app analysis and the display of personalized advertising, we use the following advertising identifiers in addition to the aforementioned individual user ID and other identifiers:
(i) IDFA (Identifier for Advertising) on iOS devices or (ii) the Android Advertising ID or the (iii) Huawei ID,
and a fingerprint of your device (additionally: time of access, country, language, local settings, operating system and version, and app version). Furthermore, we include user device and web activity information, as well as app and event tokens, in this analysis. This data is processed exclusively on a pseudonymized basis.
You can reset or disable the IDFA (Google GAID), the Android Advertising ID, and the Huawei ID at any time via your operating system. If the IDFA is unavailable, we use the SkAdNetwork (Apple's attribution API) to attribute our app installations to an advertising campaign.
The fact that you are a Lidl Plus user, as well as your store shopping data from the Lidl Plus loyalty program.
Marketing – Advertising and performance measurement using the IAB TCF :
Data about your use of our website and third-party media, e.g.
Website content
Click paths,
Display of and interactions with advertisements
Your IP address
The so-called TC string generated for you (an encoded string containing information about the granting and scope of your consent)
Your location data
Data about the devices you use
Provided that a member of your household has also given their consent: data of your household member, in particular about the devices they use.
Derived characteristics from this (e.g. age group, product interest);
Data about your purchasing behavior on the Lidl websites or apps (especially so-called EAN numbers, i.e. the product identification, the number of products you purchased and the time of purchase)
Store purchase data from the Lidl Plus loyalty program
The online IDs assigned to you, including those related to the identification procedures Utiq (in particular the network signal concerning you, the Consent Pass assigned to you, the martechpass and the adtechpass) and EUID (in particular the EUID calculated for you), as well as your email address in hashed form.
Specifically for the Lidl app :
In order to show you interest-based information, it is necessary to be able to associate the aforementioned information with you as an individual. For this purpose, we establish a link to your customer number from the moment you complete your Lidl Plus registration. Your consent to the provision of personalized information also covers this processing step.
10.4 Legal basis/ Recipients/ Storage period
Legal basis :
The legal basis for the use of convenience, statistics, and marketing cookies is your consent pursuant to Article 6(1)(a) GDPR in conjunction with Section 25(1)(1) TDDDG. The legal basis for the use of technically necessary cookies is Article 6(1)(b) GDPR, i.e., we process your data to provide our services in the course of initiating or fulfilling a contract.
Facebook bases the processing of data for Facebook Custom Audiences on the consent of Facebook users pursuant to Art. 6 para. 1 sentence 1 a) GDPR and Facebook's legitimate interests pursuant to Art. 6 para. 1 sentence 1 f) GDPR in order to provide Facebook advertisers with accurate and reliable reports and performance statistics. You can find more information in the [link to privacy policy/data protection statement]. Facebook's privacy informationfind or hereYou can contact Facebook's data protection officer. herecontact.
Recipients/Categories of recipients:
In connection with data processing using cookies and similar technologies for processing usage data, we may use specialized service providers, particularly in the field of online marketing. These providers process your data on our behalf as data processors, are carefully selected, and are contractually bound in accordance with Article 28 of the GDPR. All companies listed as providers in our cookie notice act as data processors for us, unless they are specifically named as (joint) controllers in this privacy policy.
As part of our collaboration with Google Ireland Limited, Meta Platforms Ireland Limited, The UK Trade Desk Limited, and Microsoft Ireland Operations Limited, the above-mentioned data is generally also processed on servers in the USA and the UK for statistical and marketing purposes (see the separate explanations regarding third-country transfers under section 3).
If you have consented to the processing of your data for the purpose of "marketing - advertising and performance measurement using the IAB TCF", your data will be transferred to various recipients as described in the consent (see also the preference manager). These recipients act as data processors unless they are defined as data controllers above. In addition, further data processors within the meaning of Article 28 GDPR are also involved in the advertising process, who support us in particular in the planning, management, and execution of the respective advertising campaign.
Storage duration/ Criteria for determining the storage duration :
You can find the storage duration for cookies in our Cookie NoticeThis information can be found in the "Expiry" column. If the entry "persistent" is given, the cookie will be stored permanently until the corresponding consent is revoked.
The online identifiers assigned to you are valid for the following periods: martechpass 90 days, adtechpass 24 hours, consentpass 90 days, Netzwerksignal 90 days, EUID 30 days – after which they are deleted and may be recreated depending on your consent.
Criteo SA stores your data for a maximum of 13 months.
Your data can remain in a Facebook Custom Audience for a maximum of 180 days. After 180 days, your data belonging to the website's Custom Audience will be removed if you do not visit the website again.
Information that we process in our own systems as a result of the use of cookies and similar technologies (for example, advertising profiles) is deleted according to the storage period for cookies that you have specified in the settings. Cookie Noticecan view.
10.5 Right of withdrawal/opt-out/further information
You can withdraw your consent at any time, for example via the preference manager. You can declare the withdrawal either to us or to the parties jointly responsible with us.
Website:
You can also prevent the techniques described here by adjusting your browser's cookie settings to reject certain or all cookies. Please note that you may then not be able to use all the functions of these services.
Lidl App:
If you wish to withdraw your consent to tracking in the Lidl app, you can do so at any time with effect for the future by opting out within the app under "Account" → "Legal Information" → "Tracking" after completing registration.
You can opt out of using the Custom Audiences service globally on the Facebook websiteYou can opt out. After logging into your Facebook account, you will be taken to the Facebook ad settings.
You can disable or customize personalized advertising from Microsoft and Google. Details can be found on their respective support pages.
Microsoft: https://about.ads.microsoft.com/de-de/ressourcen/richtlinien/personalisierte-anzeigenand https://account.microsoft.com/privacy/ad-settings/signedout.
Google: https://support.google.com/My-Ad-Center-Help/answer/12155451.
You can also find settings for personalized advertising under https://youradchoices.com/and here.
You can also withdraw your consent in connection with Utiq hereYou can also revoke and withdraw your consent in connection with EUID. hererevoked.
Further information on data processing by the companies listed below and on exercising your data subject rights can also be found in the following privacy policies:
Meta (Facebook): https://de-de.facebook.com/policy.php
RTB House: https://www.rtbhouse.com/privacy-center/services-privacy-policy/
AWIN: https://www.awin.com/de/datenschutzerklarung
lead alliance: https://www.lead-alliance.net/dataprotection2
Kelkoo: https://www.kelkoo.de/unternehmen/datenschutzrichtlinie/
Microsoft: https://privacy.microsoft.com/de-de/privacystatement
Google: https://policies.google.com/privacy?hl=de
Criteo: https://www.criteo.com/de/privacy/
Virtual Minds: https://virtualminds.de/datenschutz/
The UK Trade Desk: https://www.thetradedesk.com/de/privacy
An overview of the individual cookies and similar technologies used, along with their respective processing purposes, storage duration and any third-party providers involved, can be found here. hereFurther details on the processing methods can also be found in the Preference Manager.
11. Map services
11.1 Bing Maps
Purposes of data processing/ Legal basis
This website uses map data from Bing Maps, a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA. This allows us to display interactive maps directly on the website and enables you to conveniently use the map function to, for example, find Lidl stores near you.
The use of Bing Maps is in our legitimate interest in presenting our online services in an appealing way and ensuring that the locations we specify on the website are easy to find. This constitutes a legitimate interest within the meaning of Article 6(1)(f) GDPR.
By visiting our website, the provider of Bing Maps, Microsoft Corporation, receives information that you have accessed the corresponding subpage of our website. To use the functions of Bing Maps, your IP address is processed as part of internet communication. This is generally processed on a Microsoft server in the USA.
We have no control over the specific data processing carried out by Bing Maps. Further information on the purpose and scope of data processing by Bing Maps can be found in the [link to privacy policy/data protection statement]. Microsoft's privacy policyThere you will also find further information about your rights and the settings options for protecting your privacy.
11.2 Google Maps, Apple Maps, Huawei Map kit
Purposes of data processing/ Legal basis
Our app allows you to use your mobile device's operating system's map service to find, for example, a Lidl store near you. This enables interactive maps to be displayed directly within the app.
To use the map services, it is necessary to process your IP address as part of internet communication. This is usually processed on a server of the respective operating system provider. We have no control over the specific data processing. Further information on the purpose and scope of data processing can be found in the privacy policy of the respective provider. There you will also find further information about your rights and settings to protect your privacy.
Addresses and privacy policies of the providers:
Google Maps
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland,
Privacy policy: https://www.google.com/policies/privacy/,
Terms of Use: https://maps.google.com/help/terms_maps.html,
Apple Maps
Apple Inc., One Apple Park Way, Cupertino, California,
Privacy policy: https://www.apple.com/legal/privacy/de-ww/
Terms of Use: https://www.apple.com/legal/internet-services/maps/terms-de.html,
Huawei Map kit
Huawei Aspiegel SE, 1F, Simmonscourt House, Ballsbridge, Dublin D04 W9H6, Ireland. Huawei
Privacy policy: https://www.huawei.com/en/privacy-policy
Terms of Use: https://developer.huawei.com/consumer/es/hms/huawei-MapKit/.
The use of map services is based on our contractual relationship with you, Article 6 Paragraph 1 b) GDPR, and on our legitimate interest in presenting our offers attractively and ensuring the easy location of the stores we specify in the app. This constitutes a legitimate interest within the meaning of Article 6 Paragraph 1 Sentence 1 f). If you use the map services in the Lidl app or have consented to geolocation in your mobile device settings via the "Allow permission" dialog, we use this function to offer you personalized services related to your current location. Specifically, for the "Store Locator," "EV Charging Station Locator," and "Partner Benefit Locator," we process your location using GPS and network data to show you the stores closest to you. Geolocation data is not stored permanently by us.
12. Google reCaptcha
Purposes of data processing/ Legal basis
To protect your data and the transmission of forms, especially for competition entries and newsletter subscriptions on the website, from attacks or misuse by automated programs (so-called bots), we use Google reCAPTCHA. Bots are used, for example, to attempt to obtain passwords for customer accounts or to restrict the functionality of the website through mass data transfers.
Google reCAPTCHA determines whether the interaction with the website is by a human user or a bot. To do this, user behavior (time spent on the page or mouse movements) is analyzed, and Google reads the IP address and checks whether it has been associated with a bot in the past. If the IP address has already been associated with a bot, Google transmits this information to us. We then store these IP addresses to prevent future attacks. This analysis begins automatically as soon as you open the registration page.
The legal basis for this data processing is Article 6(1)(f) GDPR. Our legitimate interest arises from the aforementioned purposes of processing.
Recipients/Categories of Recipients
When using Google reCAPTCHA, the data mentioned above is also processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA, for the purpose of providing the service. We have no control over Google's processing and use of this data. Further information on Google's data processing can be found here: https://policies.google.com/privacy.
13. Insurance of your shopping cart
Responsible
Lidl Digital is responsible for data processing related to insuring your shopping cart.
Purposes of data processing/ Legal basis
As part of the ordering process, you have the option of insuring your purchase through our cooperation partner simplesurance GmbH, Hallesches Ufer 60, 10963 Berlin (simplesurance).
For the data processing described below, which takes place within the context of presenting the offer and transmitting the data for a successful insurance policy conclusion, simplesurance and Lidl Digital are joint controllers pursuant to Article 26 of the GDPR. simplesurance assumes primary responsibility for the processing of your data and undertakes to fulfill all obligations under the General Data Protection Regulation (GDPR) with regard to the processing of your data, including your data subject rights. You can contact simplesurance's data protection officer by email at dataprotection@simplesurance.de.
To display the offer and determine the specific insurance premium, the contents of your shopping cart are transmitted to simplesurance. Due to the integration of the simplesurance plugin for displaying the offer, your IP address and the internet browser you are using are also processed by simplesurance as part of the technical process of internet communication.
Should you be interested in the displayed insurance and click on "Add protection plan to shopping cart", the following data will be forwarded to simplesurance in order to conclude the contract with the insurance company:
Order number,
First name and last name,
E-mail address,
telephone number and
Address.
Simplesurance is solely responsible for the conclusion and execution of insurance contracts. Detailed information on data processing by simplesurance can be found in simplesurance's privacy policy.
After successful insurance coverage, simplesurance transmits the following information to Lidl Digital for billing purposes:
Insurance number,
Amount of the insurance premium and
Product category of the insured goods.
The legal basis for the data processing described above is Lidl Digital's legitimate interest in offering commission-based insurance as a direct marketing measure within the meaning of Art. 6 para. 1 sentence 1 f) GDPR and Art. 6 para. 1 sentence 1 b) GDPR for the processing of the insurance contract.
Storage duration / Criteria for determining the storage duration
If you have only selected products,
for which no insurance is offered or
You should not take out insurance,
Your data will be anonymized immediately by simplesurance.
If you take out an insurance policy, the above-mentioned data will be processed in accordance with the privacy policy of simplesurance.
14. Livestreams with chat function
Purposes of data processing/ Legal basis
We use live streams to present and promote our products. During the live streams, you can also chat with the moderators and participants and add the featured items to your shopping cart.
The following data is processed when providing the live streams:
Time of the start and end of the live stream,
IP address,
browser used,
Livestream shopping cart,
selected chat pseudonym,
Chat messages.
Participation in the live stream chat is entirely voluntary. Any personal information you provide during the chat will be considered voluntary and will be accessible to us, the moderators, and all other chat participants for the duration of the live stream. Please refrain from mentioning names or similar information in the chat that could identify you or others.
The products shown in the livestream can be saved to a shopping cart within the livestream player. If you decide to order the saved products, they will be added to your shopping cart. www.lidl.deadded and you can then place an order as a guest or via your Lidl Plus account.
The legal basis for the aforementioned data processing is Article 6(1)(b) and (f) of the GDPR. We process your data in the course of initiating or fulfilling a contract. The promotion of our own products within the context of livestream events is considered a legitimate interest.
You can object to the processing of your data for advertising purposes at any time, free of charge, with effect for the future. For example, an email to the contact details listed under point 1 is sufficient.
Recipients/Categories of Recipients
We use specialized service providers, particularly in the field of online marketing, for the data processing described above. These providers process your data on our behalf as data processors; they are carefully selected and contractually bound in accordance with Article 28 of the GDPR.
Storage duration / Criteria for determining the storage duration
The IP address is deleted after 7 days. Chat pseudonyms and chat messages are no longer publicly accessible after the livestream and are stored by us for evaluation purposes for one year. Any products stored in the livestream shopping cart are only saved for the duration of the currently running livestream.
15. Links to other websites and applications
Our website and the Lidl app contain links to other websites and apps operated by other Lidl companies, selected partners, or other third parties. If you click on one of these links, for example, via an in-app banner in the Lidl app, you will be redirected to the website/app or your respective app store. These links may also contain tracking technologies that allow the operators of the aforementioned websites/applications to understand and measure where the user has learned about them. We have no control over the data processing practices of these websites/apps. We recommend that you review the privacy policies of each website/app to which you are redirected to understand what information about you is processed by the operator.
When we redirect you to one of these websites/apps, we process your personal data to comply with your (technical) request to visit the respective application or website (Art. 6 para. 1 sentence 1 b) GDPR), as well as based on the operator's legitimate interest in conducting advertising (Art. 6 para. 1 sentence 1 f) GDPR).
16. Access to functions and sensors of your mobile device
Purposes of data processing/ Legal basis
Location data
If you have consented to geolocation via the "Allow permission" dialog while using the Lidl app or in your mobile device settings, we use this function to offer you personalized services based on your current location. In particular, we process your location using GPS and network data within the "Store Locator" function to show you the nearest stores.
Photos/media/files from your mobile device/USB storage contents (read, modify, delete)
If you create a shopping list or shopping cart via the Lidl app, these will be saved directly in the memory of your mobile device or on a connected storage medium, depending on where the app is installed and the available storage space.
Camera (takes pictures and videos)
Your mobile device's camera will be used to scan QR codes.
Wi-Fi connection information
The Lidl app uses your mobile device's Wi-Fi connection to establish an internet connection.
Other device functions or device sensors
By accessing other device functions and sensors on your mobile device, the Lidl app is specifically able to retrieve data from the internet and process error messages. Finally, if you have given your consent, the Lidl app can send you push notifications to inform you about current offers and promotions.
The legal basis for processing your location data is your consent pursuant to Art. 6 para. 1 sentence 1 a) GDPR.
17. Embedded third-party content
We have integrated YouTube videos into our online offering, which are based on https://www.youtube.comThe videos are stored and can be played directly from our website. However, when you visit our website, no content from the third-party provider YouTube (Google LLC) is loaded, and YouTube receives no information from you. Only when you give your consent will content from the third-party provider YouTube (Google LLC) be loaded. This allows YouTube (Google LLC) to receive information that you have visited our site, as well as the technically necessary usage data. YouTube (Google LLC) is then also able to implement tracking technologies. We have no control over the further data processing by the third-party provider YouTube (Google LLC). Data processing is based on your consent pursuant to Art. 6 Para. 1 Sentence 1 a) GDPR. Your consent is voluntary and covers the loading of third-party content and the transfer of the described data to YouTube (Google LLC). For transfers to the USA, an adequate level of data protection is ensured due to the provider's certification under the adequacy decision (EU-US Data Privacy Framework). Further information on the purpose and scope of data collection and processing by YouTube (Google LLC) can be found in the provider's privacy policy. There you will also find further information on your rights and settings options to protect your privacy. YouTube's address and privacy policy: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; https://www.google.de/intl/de/policies/privacy/.
If you have given your consent to the immediate playback of YouTube videos, you have the option to revoke this consent at any time below. Once you have deactivated the switch below, your consent will be requested again the next time you visit one of our pages containing a YouTube video.
Consent to play YouTube videos
18. What rights do you have regarding the processing of your data?
You have the right, pursuant to Article 15 Paragraph 1 GDPR, to request information free of charge about the personal data stored about you.
In addition, if the legal requirements are met, you have the right to rectification (Art. 16 GDPR), erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR). If you have provided us with the processed data, you have the right to data portability pursuant to Art. 20 GDPR.
If data processing is based on Article 6(1)(e) or (f) of the GDPR, you have the right to object under Article 21 of the GDPR. If you object to data processing, it will only continue if we can demonstrate compelling legitimate grounds for the processing which override your interest in objecting. You can send your objection at any time to datenschutz@lidl-shop.de.
If the data processing is based on consent pursuant to Art. 6 para. 1 sentence 1 a) or Art. 9 para. 2 a) GDPR, you can withdraw your consent at any time with effect for the future, without affecting the lawfulness of the processing carried out before the withdrawal.
Furthermore, you have the right to lodge a complaint with a data protection supervisory authority. The competent authority is the data protection supervisory authority of the federal state in which you reside or in which the data controller is based.
In this privacy notice, we have described numerous joint controllership arrangements pursuant to Article 26 of the GDPR. Upon your request (e.g., via the contact details provided in section 1), we will gladly provide you with the essential information regarding the respective joint controllership agreement. To exercise your data subject rights, you can contact us or – for the specific data processing activities in question – the joint controllers with us.