Generally, we collect your data directly from you. However, it may also be necessary at times to process personal data that we receive from your employer, other companies, authorities or other third parties, such as credit agencies etc.

This may include personal data that we receive through our established whistle-blower channels in relation to possible compliance violations or as part of compliance investigations.

Personal data may include: your first name, surname, address and other contact data, date and place of birth as well as nationality, verification and authentication data (e.g. companies house register excerpts, ID data, signature sample), data in the context of our business relationship (e.g. payment data, order information), credit data, data on company structures and ownership relationships, photo and video recordings (e.g. in the case of goods deliveries or site visits) and other data comparable with the above mentioned categories.

You always have the choice whether you want to communicate with us by e-mail or by post. For technical reasons, communication via e-mail may be unencrypted.

To fulfil our contractual obligations

The purposes of the data processing result from the implementation of pre-contractual measures, which precede a contractually regulated business relationship and in the fulfilment of the obligations under contract.

If you conclude a contract with us using a digital signature (Adobe E-Signature), we process your data in relation to this context (in particular email address, IP address, times at which you processed the respective contract document). There is also the option of signing certain contracts with a so-called qualified electronic signature. In this case, we process your signature in addition to the data mentioned. This data is accessible to everyone involved in the approval and signing of the contract.

To comply with our legal obligation

The purposes of data processing arise in individual cases from legal requirements. These legal obligations include, for example, the fulfilment of record keeping and the identification of obligations, e.g. in the framework of money laundering regulations, tax control and reporting obligations and data processing in the case of enquiries from authorities.

To fulfil our legitimate interests

It may be necessary to process the personal data you have provided beyond the actual performance of the contract. The legitimate interests here are in particular the selection of suitable business partners, the conduct of evaluation of companies, the processing of contact details of contact persons, the assignment of work results to individual business partners, the recording of business transactions and negotiating with contact persons who are not or will not be direct business partners. Other legitimate interests include the invitation to events, the assertion of legal claims and avoidance of legal disadvantages (e.g. in the event of bankruptcy), legitimacy checks (e.g. credit providers and disposal companies), defence against liability claims, the avoidance of legal risks and economic disadvantages, detection and processing of potentially harmful Emails, access or access controls, clarification of possible compliance violations, prevention of criminal offenses, the regulation of damage resulting from the business relationship, the efficient and fast digital processing of the contract signature, the corresponding capturing of the signature process for verification purposes as well as the validity check of the qualified electronic signature and other internal administrative purposes.

When concluding a contract, we might use the data of credit agencies to verify creditworthiness. The credit agencies store data that you receive, for example, from banks or companies. This data includes: surname, first name, date of birth, address and information on payment behaviour. You can obtain information about the data that credit agencies have available about you directly from the respective credit agencies.

If you visit any of our sites in the course of fulfilling our contractual relationship with your business, you will on arrival be asked to sign in at the entrance with your name, company name, time of arrival and be issued with a visitor pass which you will be required to wear visibly throughout your visit and then return to reception when leaving. The processing of your data takes place for the purpose of safety and security and the legal basis is our legitimate interest in these. Your data will in this case be retained for 12 months.

Within our company, different business areas are given access to the data provided as necessary to fulfil contractual or legal obligations or to fulfil our legitimate interests. Within the framework of contractual relations, we also instruct service providers, who can obtain access to your personal data. Compliance with data protection regulations is guaranteed by relevant contractual obligations.

The data may also be sent to companies within the Schwarz Group, in order to fulfil contractual obligations.

The personal data will be kept for as long as is necessary to fulfil the above-mentioned purposes. Personal Data will always be retained in line with data minimisation principles. The maximum time the data will be kept for is 12 years starting after the expiry of a business relationship. In individual cases, data can also be kept beyond this (e.g. construction documents).

In the context of our business relationship, you must provide the personal data necessary for entering, executing and terminating a business relationship and for fulfilling related legal obligations, or if it is justified by legitimate interests for us to collect your data. Without this data, we would not be able to enter into a business relationship with you.

If we transmit personal data to recipients outside the European Economic Area (EEA), the transfer will only take place if the EU Commission has confirmed the country has an adequate level of data protection, an adequate level of data protection has been agreed with the data recipient (e.g. by means of EU standard contractual clauses), or if we have obtained your consent.

Upon request, you have the right to receive information about your personal data stored by us free of charge. In addition, you have the right of rectification and/or deletion of your personal data, a right to data transferability and a right to limitation of processing, in accordance with legal provisions. If our processing of your personal data takes place on the basis of your consent, you have the right at any time to revoke this consent. If you wish to revoke your consent, please contact our Data Protection Officer in writing or by e-mail.

In addition, if you do not agree to the processing of your personal data, you may lodge a complaint with the Information Commissioners Office (ICO). Further advice and guidance can be found on their website at www.ico.org.uk or by contacting their helpline on +44 (0)303 123 1113.

The responsible controller is the respective company with which you are initiating or conducting a business relationship.

Contact of the Data Protection Officer:

Email: data.protection@lidl.co.uk

Postal address: Lidl House, 14 Kingston Road, Surbiton, KT5 9NU