Your personal data may be used by Lidl in a variety of ways. We will always be as transparent as possible as to how we use your data—whether in the context of your in-store experience, or using any of our online services.

When you access the Lidl website, app and other Lidl platforms, certain information may be exchanged between your device and our server with your consent. This may contain personal data. Data collected in this way can for instance be used to optimise our website or to display advertising in the browser of your device.

At Lidl we ensure that customer satisfaction is at the heart of everything we do. We know your privacy is important to you so we want you to know that we will treat your personal information with respect.

Why do we use personal data?

Lidl collects information we learn about you from visiting our website and using our online services. Our website gathers statistical and other analytical information of all visitors to it. Your web browser automatically lets us know:

• the website from which you come from when visiting us;

• your IP address;

• the date and time of access;

• the browser you are using and the operating system of your device and

• the name of your internet provider

We use this information to ensure a stable connection, the efficient use of our website, and also to evaluate system security and stability. This is necessary and in our legitimate interest. If you have enabled geolocation services in your browser or other settings, our website may use this function to offer location specific services such as our store locator function. Your location data will only be used for this function.

Who can assess your personal data?

We categorically exclude the dissemination of this data to third parties at an individual level. We may share anonymised data with our ad agencies.

How long do we store your personal data?

The data is stored for the duration of using our website and automatically deleted thereafter. After your website session ends, the geo-location data for the purposes of store locations is stored until your browser settings are reset/forgotten.

To find out more on what cookies or similar tracking technologies we use on our websites, please click here.

Why do we process personal data?

To help us provide you with the best possible customer service and to enable us to respond to your requests, we will need to use your personal data. This is done in our legitimate interests to help us deal with your query in an efficient manner. We won’t use your information for any reason other than to respond to your concerns or queries.

What personal data do we use?

Depending on the circumstances, we may collect any of the following information:

• Full name;
• Email address;
• Telephone numbers (mobile or landline);
• Home or postal address;
• Voice recordings of telephone conversations held by our customer services;
• Details about your experience or concern which may include the time and date you was in store;
• The services you use provided by Lidl e.g. in store or the Lidl Leaflet app;
• Interactions with our intelligent customer assistant platform (LiA).

Personal data obtained by Lidl when dealing with your request by telephone, e-mail, or letter is treated confidentially. In order to maintain our high standards of customer satisfaction all calls are recorded for training, quality, and safety purposes.

Who can access your personal data?

Lidl will only allow access to your information to those members of staff that require it in order to respond to your request, this may include other departments within Lidl. All Lidl staff are under contractual obligations of confidentiality and have received Data Protection training.

In some cases, it may be necessary for us to forward extracts of your request to our business partners (e.g. suppliers for product-specific enquiries to investigate product concerns) in order to process your request. We do this to ensure we meet our contractural obligations to assist with your product specific requests i.e. repairs or replacements.

How long do we store your personal data?

Customer Care case notes:

In most cases, personal data will be kept no longer than 30 days from the date your request is resolved. However any complaints or issues which require further investigation will be kept for a maximum of 3 years.

Call recordings:

In most cases, personal data will be kept no longer than 28 days. from the date your request is resolved. However, calls which require investigation will be kept for the duration of the investigation.

Interactions with our intelligent customer assistant platform (LiA)

Any interactions with LiA is automatically anonymised.

Why do we process personal data?

CCTV recording is active at all Lidl sites which includes our stores, distribution centres, local and property offices and our Head Office. Some of our cameras may also use non-scan detection technologies as part of the checkout process. Any cameras using non-scan detection technologies are only active at our store checkouts and self-checkouts. Such recordings or technologies used are captured and processed in Lidl’s legitimate interest for the purpose of;

• Safety and security of our customers, staff and security guards;

• Safety and security of our premises and property;

• Health and safety and to investigate accidents or claims;

• Protection against, detection of and evidencing of criminal activities;

• The reduction of company losses and inventory discrepancies and;

Any non-scan technologies used on our checkouts and self-checkouts cameras are only used to identify non-scanned items, prevent inventory loss and will always involve human intervention. All facial images collected as part of our non-scan detection cameras are pixelated and no facial recognition technologies are used. Only non-scanned footage will be recorded and these will be stored in line with the principle set out in this Privacy Notice.

Many of our premises hold alcohol licenses which requires CCTV to be in operation. For these premises, the processing is necessary for Lidl to comply with its legal obligations.

CCTV footage may at times be used in evidencing legal/ongoing disputes where all requirements for the access and storage of such data have been met as laid out in our internal investigation procedures.

The physical technological infrastructure and recordings are stored and backed-up internally.

Who can assess your personal data?

As a general rule, we will not disclose this data to any third parties.

Lidl will always cooperate with the local police or law enforcement agencies and will provide CCTV footage upon their request when it is lawful and necessary to do so.

Should there be an incident involving the damage or destruction of our property or premises, or violence or abuse towards of customers, staff or security guards, we may disclose CCTV footage to the police or law enforcement agencies.

We may share CCTV footage or images with our internal or external advisors (including but not limited to lawyers, consultants, insurance companies) as may be necessary for the defense of our legal rights.

How long do we store your personal data?

CCTV footage is kept for a period of up to 31 days from the time of recording unless specified separately under licence requirements.

In the event of an incident, potential or ongoing investigation or claim, then footage may be retained for a period of up to 3 years from the date of the incident or when the claim is finalised.

Purpose of data processing / legal basis:

On our website, on the Lidl Community page, through the Lidl app, at the point of certain competitions and through dedicated event communications we offer you the possibility to register for our newsletter. If you have consented to receive our newsletter, we will use your e-mail address and possibly your name in order to send you information about products, special offers, competitions and news, photography as well as for customer satisfaction surveys. We will store and process this data for the purpose of sending the newsletter until such time as you request for this to not be the case.

The content of the newsletter includes promotions (offers, discount promotions, competitions, etc.) as well as goods and services of the Lidl stores. With your consent we use email tracking technology (pixels) to collect data such as newsletter opens and click-throughs in order to create personalised usage profiles. This information is assigned to your email address in order to ensure the offers you receive are as relevant as possible to your interests. You may revoke your consent at any time by clicking on the unsubscribe link at the bottom of our newsletter.

The legal basis for data processing within the scope of the distribution of newsletters is your consent.

To ensure that no errors occur when entering your e-mail address, we use the so-called double opt-in procedure: After you have entered your e-mail address in the log-in field, we will send you a confirmation link. Only when you click this confirmation link will your e-mail address be added to our distribution list.

You may revoke your consent to the receipt of the newsletter at any time in the future, e.g. by unsubscribing from the newsletter on our website. You can find the link to unsubscribe at the end of each newsletter. When you revoke your consent all the collected user data will be deleted.

Recipients or categories of recipients:

We use a third party email provider to send our newsletter and store our email database. As with all service providers we work with, we only share the information required to provide the service, and they are required to meet our own high standards of security. They are under a contractual obligation in accordance with Article 28 of GDPR. We categorically exclude any further dissemination of this data to third parties.

Storage duration / criteria for specifying the storage duration:

If you revoke your consent to receipt of the Lidl newsletter, your data will be deleted from the corresponding (e-mail) distribution lists.

Why and what personal data do we use?

From time to time Lidl may hold competitions or prize draws. You are able to participate in various promotions on our website, our social media channels, at Lidl events, from our newsletter or via the Lidl App.

Unless otherwise specified in the individual terms and conditions of any such competition, the personal data forwarded by you to us within the scope of participation in any competition will be used exclusively for processing the competition (e.g. identifying the winner, informing the winners, providing the prize). The legal basis for the data processing in the context of competitions held by Lidl will generally be based on consent. Participants may revoke this consent at any time.

Where a winner is identified, prizes will typically be provided on the basis of contract where in consideration of the prize, winners agree to participation in promotional activity surrounding the competition or the prize.

If you are a winner, we may contact you to request further personal data e.g. your postal address so we can dispatch your prize.

Who can assess your personal data?

The name and county of major prize-winners will either be published or made available on request. For this reason, a full name of winners will be required.

If you are a winner, we may contact you using the channel you entered the competition e.g. a social medial platform or email to obtain your full name, postal address and telephone number to process your prize. Your personal data will be made available to third parties if this is necessary for processing the promotion (e.g. dispatching the prize via a logistics company).

How long do we store your personal data?

After three months following the end of the competition and where applicable announcement of the winner(s), the personal data of the participants will be deleted. In the case of material prizes, the data of the winners will be kept for the duration of the statutory warranty claims, in order to arrange for repair or replacement in the case of a defect.

Why do we use personal data?

You are able to provide your consent to receiving marketing from Lidl using the following channels;

• On our website lidl.co.uk
• The Lidl App
• When entering a competition or prize draw
• At a Lidl hosted event

If you have consented to receive marketing from Lidl, we will use your name and e-mail address to send you our newsletter and information about products, special offers, competitions, new Lidl services, and news, as well as for customer satisfaction surveys.

We use email tracking technology (pixels) to collect data such as newsletter opens and click-throughs in order to create personalised usage profiles. This information is assigned to your email address in order to ensure the offers you receive are as relevant as possible to your interests.

The legal basis for data processing within the scope of the distribution of newsletters is your consent.

You may revoke your consent to receiving marketing from Lidl at any time by unsubscribing from the newsletter on our website. You can find the link to unsubscribe at the end of each newsletter. When you revoke your consent all the collected user data will be deleted.

This does not include marketing from Lidl Plus. Please refer to section [x] below.

Who can assess your personal data?

We use a third party email provider to send our electronic newsletter and store our email database. As with all service providers we work with, we only share the information required to provide the service, and they are required to meet our own high standards of security. They are under a contractual obligation in accordance with Article 28 of GDPR. We categorically exclude any further dissemination of your data to other third parties.

How long do we store your personal data?

Your personal data will be kept for as long as you want to receive newsletters and updates from Lidl.

If you revoke your consent to receive the Lidl newsletter, you will no longer receive the newsletter. Please allow up to 72 hours to be removed from our distribution list, within this time, you may still receive a marketing email.

Once you have revoked your consent, we will retain your data for 6 months.

Why do we use personal data?

In the process of planning for new Lidl stores, we may undertake consultations with local residents and customers to help generate local support for our new stores.

When we conduct local consultations, you will be given the opportunity to voluntarily provide your name, address, email to confirm if you are in support or against a new store being built as part of the local consultation. Alongside your personal data, there is a free format field where you can provide additional information in support or against the proposed new store.

Where you provide your consent, your personal data will be provided to the local authority who will decide to grant planning permission to build a new store in your local area.

When providing your personal data as part of the local consultation, you will also have the opportunity to be kept up to date on the progress of your new local store or be informed how you can provide additional support to the application.

Who can assess your personal data?

Where you provide your consent, your personal data will be provided to the local authority who will decide whether to grant planning permission to build a new store in your local area.

How long do we store your personal data?

If our application was successful (or we have successfully appealed a rejected planning decision) and a store will be built in your local area, all data processed as part of the consultation will be retained until 1 month after store opening date.

If Lidl no longer intends to build a store in your local area, any personal data processed during the consultation period will be retained for a maximum of one month following our decision not to appeal the planning decision.

Why do we use personal data?

On our website, newsletter, Lidl App and various other channels eg QR codes in store posters you have the option to voluntarily participate in feedback surveys. This is based on the business interest of improving the Lidl website experience, customer offerings and online services. These surveys provide anonymous results and therefore do not store any information that identifies individual survey participants. Only the date and time of your participation will be saved. The data processed would include your age range, gender, location and opinions or additional information provided freely by yourself in any free text fields.

If there are any free-text fields in a survey, we ask that you do not provide any personal data relating to yourself or another individual.

Additionally, whenever you contact customer care, you are given the opportunity to participate in a satisfaction survey. If you wish to take part by phone, you can do so by giving your consent at the end of the call. If you prefer to take part by e-mail, we will send a questionnaire to the e-mail address you provide to us. We ask you to take part in our Customer Care surveys to gain valuable feedback to help improve our service.

The results of our customer surveys are used for internal evaluations only.

Providing Feedback on your store experience (“Have Your Say”) and Customer Care experience ("NPS")

Purposes of data processing / legal bases:

When you participate in our Have Your Say survey, this happens on a voluntary basis. Whilst we ask for certain personal data from you to allow us to analyse the feedback received, it will not allow us to identify you as an individual. Any information you do choose to provide also will be considered given voluntarily.

When you participate in our NPS survey, this happens on a voluntary basis. As feedback is given based on your communication with our Customer Care team it is possible to identify you as the results are related to your specific case within our CRM system Salesforce. Any information you do choose to provide also will be considered given voluntarily.

The purpose of collecting data is for internal evaluation to improve the customer experience both in store and when contacting the Customer Care department. On Occasion our Customer Care team may contact you to discus your NPS response in more detail.

Should you not wish to be contacted please email customer.care@lidl.co.uk with the subject line ‘NPS Feedback’ and our Customer Care team will ensure you are not contacted regarding your NPS survey response.

When accessing our website, our “Have Your Say” survey or our Customer Care experience survey (NPS), the browser used on your end device will – automatically and without any action on your part store the following data in the course of the survey in so-called cookies (see section 15 of our Customer Privacy Notice):

• the IP address of the accessing Internet-enabled device;

• the date and time of access;

• the name and URL of the requested file;

• the website/application from which the access occurred (referrer URL);

• the browser and, where relevant, the operating system of your Internet-enabled computer; and

• the name of your Internet service provider;

• the time required to complete the surveys;

to our website server and be stored temporarily in what is known as a log-file for the following purposes:

• to ensure a fault-free connection;

• to ensure the comfortable use of our website/application;

• to prevent fraudulent survey responses; and

• to analyse system security and stability.

The log file information collected as part of the survey is used to ensure multiple and duplicated responses in the survey are not included in the evaluation of our store and Customer Care department.

Please note that during the first 7 days after the survey is closed, it is theoretically possible for us to identify the IP address you used in the store finder. We will not use the IP address for any other purpose other than stated above.

The legal basis for the processing of the for the above data is our legitimate interest to ensure that our systems operate correctly.

Recipients or categories of recipients:

We contract with third party service providers who process the information captured in the survey on our behalf in order to provide us with relevant metrics and statistics. This is only ever done in an anonymised format. As with all service providers we work with, we only share the information required to provide the service, and they are required to meet our own high standards of security.

Storage period / criteria for determining the storage period:

The personal data relating to the duration of time spent in surveys and date and time of the survey access will be stored for 90 Days and then deleted after another 14 days. This is necessary to allow a long-term evaluation of the surveys and to prevent manipulation of data.

All the remaining personal data stored as log files using cookies is archived after 7 days and deleted after 14 days. For a full list of cookies used in the “Have Your Say” survey and our Customer Care experience survey (NPS) see below:

Providing further feedback to our customer service

If you wish to share any more detailed feedback in relation to your shopping experience with us, you are of course welcome to get in touch with our friendly Customer Care team. In this case your personal data will be processed in line with the relevant section within the Customer Privacy Notice on Contacting Customer Care.

Have Your Say Free Prize Draw

All participants in our Have Your Say feedback survey are welcome to participate in our Have Your Say Free Prize Draw.

Purposes of data processing / legal bases:

The personal data (title, name and email address) required as part of your participation is used exclusively for the purpose of carrying out the prize draw (e.g. determination and notification of winners, sending the prize and subsequent public congratulations to our winners and engagement with the public). The legal basis for processing your data is our legitimate interests in the above.

Recipients / categories of recipients:

If you are a winner, your data will be passed on to third parties if and to the extent that this is necessary for the handling of the prize competition (e.g. sending the prize via a logistics company). Furthermore, the first name and county of the winners will be published in advertising material to publicly congratulate our winners and engage with the public. Please see the Prize Draw terms and conditions for more information. If you wish to object to your first name and county being published or wish to reduce the data published, please make this known to Lidl at the point of claiming your prize.

Storage period / criteria for determining the storage period:

After the conclusion of the respective prize draw and the announcement of the winners, the personal data of the respective participants will be deleted. Please be aware that once your data is published externally we will be unable to remove your data from printed material or where the data has been further disseminated beyond Lidl GB’s control e.g. through social media postings.

Registration for the newsletter of Lidl GB

When submitting your data to participate in the Have Your Say Prize Draw, you can also additionally optionally subscribe to the Lidl GB newsletter. You can find more information on how we use your data in the context of a newsletter subscription in point (see section 5 in our Customer Privacy Notice.)

Further information regarding how we process your personal data can be found in sections 17.-19. Of our Customer Privacy Notice.

The Lidl Facebook Group (Lidlers GB) Policy can be found here.

Lidl Plus is operated and controlled by Lidl Stiftung & Co KG, Stiftsberstrasse 1, 74167 Neckarsulm, Germany as data controller.

Please click here to for the relevant privacy policy.

Data Protection Information My Lidl Account

Terms of Use My Lidl Account

The Lidl website and other online/mobile sites may use Social Media plug-ins for the social networks:

• Facebook (Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA)

• Twitter (Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA)

• YouTube (YouTube, LLC 901 Cherry Ave., 94066 San Bruno, CA, USA, a subsidiary of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA)

• Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, California 94025, USA, a subsidiary of Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA)

• LinkedIn (LinkedIn Ireland, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland)

• Pinterest, 505 Brannan Street San Francisco, CA 94107 United States

• TikTok Culver City, 10100 Venice Blvd #401, CA, United States

Social Media plug-ins are social network programs that are embedded on other companies’ websites. Embedding a Social Media plug-in allows personal data to be transmitted to the provider of the social media plug-in. If you are also logged on to a social network, an activated social media plug-in enables your activities to be assigned to your profile.

For data protection reasons, we have decided to initially block the social media plug-ins that are embedded on our website.

We do, however, offer you the possibility of using social media plug-ins if you so desire.

The plug-in is only activated by you clicking on the desired plug-in symbol for example, clicking on the Facebook logo, which we have pre-connected.

Please note that, when the plug-in you have selected is activated, this results in personal data being transmitted to the respective provider of the social media service.

The plug-in you have activated immediately sets up via your browser a connection to the server of the social media provider you have selected.

We would expressly point out that we have no influence on the scope, type and purpose of the processing of your personal data by the provider of the social media service and can inform you only according to our level of knowledge at this point.

The personal data collected and processed by the social media providers includes:

• Your IP address

• The address of the website on which the activated social plug-in is located,

• Information about the browser used and the operating system you use,

The date and time our website was accessed or the social media plug-in was activated, respectively

The above-mentioned data is transmitted and stored when the plug-in is activated irrespective of whether you are a Member of the corresponding social media provider.

In addition we would refer you at this point explicitly to the social media provider’s privacy policy.

View Facebook's policy here.

View Twitter's policy here.

View YouTube's policy here.

View Instagram's policy here.

View Linkedin’s policy here.

If at the time of the interaction you are also logged on to a social media provider, such as Facebook, it is capable of learning your user name or, if stored, your real name, and assigning the interaction to your profile.

The above-mentioned data also makes it possible for the providers of the social media services to create pseudonymised (de-personalised), and potentially also individualised, usage profiles for their own purposes.

Where there is interaction with the activated plug-in (e.g. Facebook “likes”), the social media provider may store a cookie on your device, which also makes it possible to identify your profile.

If the plug-in is activated, your IP address is stored and a cookie saved irrespective of whether you are member of the social media providers.

We would expressly point out that the duration of storage of such cookies is not known to us and we have no influence over it. In the case of non-members, a usage profile might subsequently be created by any stored cookie, when you log on to a social media provider in the future.

Please note that when a social media plug-in is activated, your personal data can also be stored, processed and used in countries outside the European Union and in countries that do not have an adequate and appropriate level of data protection to that of the European Union.

You can prevent/delete cookies for our website to prevent the above activities from happening, though it may affect your user experience.

Why do we use personal data?

In addition to the information we have directly shared with you through social networks, we also use the option of “social listening” to get an idea and perception of our products and services and to identify any potential for improvement. Contributions made public by you on online platforms (Twitter, Facebook, LinkedIn etc.) are reviewed and evaluated. Only contributions that have been made publicly available will be processed.

The personal data processed is determined by the type of content posted e.g. posting in text form or an uploaded image file will be processed. In individual cases, your username or ID used may be relevant if you ask for help from Lidl. We also receive information from the respective platform operators on the scope of the respective contributions.

The legal basis for the processing of personal data is our legitimate interest in being able to identify in publicly made comments or deficiencies in our products and services and to react to them in an appropriate manner.

Who can assess your personal data?

In the process of social listening personal data is also processed on our behalf by Processors in the Marketing Sector. These are carefully selected, audited by us and are contractually obliged in accordance with GDPR.

How long do we store your personal data?

All the companies listed as providers in our cookie notice are acting for us as processors, unless they are named as a (joint) controller at the beginning of this paragraph.

As part of our cooperation with Google LLC and Facebook Ireland Limited, the above-mentioned personal data is usually also processed on servers in the USA for statistical and marketing purposes.

To the extent covered by your respective consent, your data will also be collected as described above by Lidl Stiftung & Co. KG as separate or joint controller.

Recipients outside of the EU or the UK

If we transmit data to recipients in a third country (based outside the European Economic Area or the UK), you can find more information on the recipients / categories of recipients in the description of the respective data processing activity. The European Commission certifies that some third countries have a data protection standard that is comparable to the level in the European Economic Area. These are called adequacy decisions. A list of these countries can be found here.

If the data protection standard in a country should not be adequate, we ensure that data protection is guaranteed by other measures, for example binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates, or recognised codes of conduct. Please contact our Data Protection Officer (Section 19) if you would like to find out more information on this.

Storage duration / criteria for determining the storage duration:

The relevant personal data is not permanently stored by Lidl, but only viewed and analysed to understand where we can potentially take action and do better.

At Lidl GB we work with contracted and trusted partners both in store, and online as part of our marketing activities. Each of these partners are listed below, with a link to their privacy policy:

NCT

https://www.nct.org.uk/privacy

NTS

https://www.nts.org.uk/privacy-data-protection

Tough Mudder

https://toughmudder.co.uk/privacy-policy-uk

NSPCC

https://www.nspcc.org.uk/cookies-policy

Baby Show

https://www.thebabyshow.co.uk/privacy-policy

Neighbourly

https://www.neighbourly.com/privacy

If you pay by card, we as a retailer collect your personal data via the payment terminal and transmit the data to the network operator. The network operator and the respective payment service providers for the authorisation and settlement of the payment transactions (e.g. acquirer) process the data further. The purposes are processing of payment, prevention of card misuse, limiting the risk of payment defaults and legally required purposes, such as combating money laundering and criminal prosecution. For these purposes your data will also be shared with other responsible parties, such as your card-issuing bank. Personal Data is at no time shared with the network operator

We as a retailer and the acquirer are each responsible for processing the data as follows:

We are responsible for operating the payment terminal at the check-out and for our internal network to securely transmit data via Internet or telephone line to the network operator, whilst the acquirer is responsible for the processing and settlement of payment transactions.

We process your card data (card number, expiry date, issue number and cvv) and other payment data (purchase amount, date, time, terminal identification, location, company and store where you pay, as well as your signature). The purpose is the processing of the payment and carrying out the payment process with the payment service provider and, if necessary, to process a cash withdrawal and to check creditworthiness.

The legitimate interest consists in the processing of the cash withdrawal or the payment process. The card data is processed only in hashed form and deleted as soon as it is no longer required for processing the payment and there are no legal retention periods which require to keep the data.

If you pay with debit/credit card, we forward in an encrypted format the following payment information to the network operator Ingenico Retail Enterprise (UK) Limited, registered office is Ingenico House, Rudheath Way, Gadbrook Park, Northwich, Cheshire, CW9 7LT: card number, expiry date, issue number, cvv, date, time, purchase amount, terminal identification, city, company and store. For more information please refer to their data protection regulations https://www.ingenico.com/legal/ifs/data-processing

If you pay with an American Express card, we will forward your payment information to American Express Services Europe Limited, Belgrave House, 76 Buckingham Palace Road, London, SW1W 9AX, United Kingdom For more information about the processing of your data by the card provider, please refer to their data protection regulations https://www.americanexpress.com/uk/legal/european-implementing-principles.html

In line with repairing card terminals, the used service provider Ingenico Retail Enterprise (UK) Limited, registered office is Ingenico House, Rudheath Way, Gadbrook Park, Northwich, Cheshire, CW9 7LT, may gain access to the payment data stored on the payment terminals.

If required by law, your data will be transmitted to law enforcement agencies and money laundering reporting offices.

You are neither legally nor contractually obliged to provide us with your data. However, a card payment is not possible without the data. Alternatively, you can pay with cash at any time.

Age verification checks

When selling products with age restrictions, such as alcohol (18 years) / the sale of computer games, DVDs, videos cassettes with age restrictions , our cashier staff will carry out a visual inspection of your ID card for the purpose of age verification in line with our Think25 policy as advertised in our stores. The legal basis is compliance with our legal obligation to not sell age-restricted products to persons under-age and legitimate interest in carrying out due diligence checks.

Some of our stores have ANPR cameras to prevent overstaying which ensures our customers can always park when shopping with us. For stores where Lidl directly manages its own carparks, these are operated by ParkingEye. You can find out more about how they process your personal data by visiting their privacy policy.

Some of our stores are located within retail parks where ANPR is in operation so these schemes maybe operated by other carpark management companies. Please check the signs when parking in all of our stores as this will confirm if ANPR is in operation and who the carpark management company that managed the scheme.

Whilst we only process the necessary amount of data, for the necessary length of time, for the agreed purposes whilst ensuring secure storage and management, you reserve your own rights to your personal data.

17.1 Overview

You have the following rights if the respective legal requirements are met:

• The right to be informed about the collection and use of your personal data

• The right to have access to your personal data

• The right to request rectification of incorrect data or completion of incomplete data

• The right to request deletion of your personal data stored with us

• The right to request restriction of processing of your data

• The right to request data portability

• The right to object to the processing of your personal data

17.2 Right to be informed

You have the right to be informed about the collection and use of your personal data:

• the purposes for which the personal data are processed;

• the categories of personal data that are processed;

• the recipients or categories of recipients of the personal data;

• the retention periods for the personal data;

• all available information about the origin of the data, if the personal data was not collected from you;

• the details of the existence of existence of an automated decision-making process, including profiling;

• the details of transfer of the personal data to any third countries or international organisations

17.3 Right of access

You have the right to receive, upon request, information about the personal data stored with us about you, free of charge, commonly known as ‘data subject access request.’ You have the right to ask for:

• Confirmation of the data processing activities involving your data;

• A copy of your personal data; and

• Information outlined in this Privacy Policy and within the above section 11.2

17.4 Right to rectification

You have the right to seek the immediate rectification by us of inaccuracies in your personal data. Considering the purposes of the processing, you have the right to request the completion of incomplete personal data and add newly available supplementary information.

17.5 Right to erasure

You have the right to request from us that personal data concerning yourself is immediately erased if one of the following grounds applies:

• the personal data is no longer necessary for the purposes for which they have been collected or have been processed in any other way;

• you withdraw consent and there is no other legal ground for the processing;

• you object to the processing and there are no overriding legitimate grounds for the processing to continue;

• the personal data has been unlawfully processed; or

• the deletion of the personal data is necessary for the fulfilment of a legal obligation;

Where our processing of your data is based on your consent, you have the right to withdraw your consent, but this will not affect the lawfulness of the processing based on your original consent. We will no longer process your data for the purpose you originally agreed to unless we have another legal basis for continuing to process your data, which we will explain to you.

In the event that we have made the personal data public and are obliged to delete it, we will take appropriate measures in so far as possible to ensure this data is removed. This may include us informing the third party processing your data to delete all links to the personal data (copies or replications).

17.6 Right to restriction of processing

You have the right to request from us a restriction of the processing, if one of the following requirements exist:

• the correctness of the personal data is disputed by you;

• the processing is unlawful and you request a restriction of the use of the personal data rather than its deletion;

• we no longer require your personal data for the purposes of the processing, but you require it in order to enforce, exercise or defend legal claims; or

• you have raised an objection to the processing, so long as it is not certain whether the legitimate grounds of Lidl outweigh those of yourself

17.7 Right to data portability

You have the right to receive the personal data that concerns you, which you have provided to us, in a structured, common and machine-readable format, and you have the right to transfer this data to another data controller without hindrance by us, considering:

• the processing is based on consent or on a contract; and

• the processing takes place with the aid of automated procedures

When exercising your right to data portability, you have the right to ensure that the personal data is transferred directly by us to another data controller, where this is technically feasible.

17.8 Right to object

You have the right to object to the processing of your personal data, for reasons arising from your particular situation.

The above general right of objection applies to all processing purposes described in this privacy notice, which are processed on the basis of legitimate interests. This also applies in relation to data processing for the purpose of direct mail for marketing purposes. If you object to any processing of data, it will be stopped with effect for the future unless we as the controller are able to demonstrate overriding legitimate grounds for further processing that outweigh your interests.

18.1 Point of Contact in case of general Questions

In the case of questions on the website, other Lidl platforms and related to marketing information or to exercise your rights with regard to the processing of your data (data protection rights) you can contact customer services:

Online: Click here to access our Customer Service Portal

18.2 Point of Contact in case of Questions regarding Data Protection

If you have further questions regarding the processing of your data, you can contact the company data protection officer on Data.Protection@lidl.co.uk.

18.3 The Supervisory Authority

A complaint can be lodged with the supervisory authority for data protection in the United Kingdom which is the Information Commissioners Office (ICO). Further advice and guidance can be found on their website at www.ico.org.uk or by contacting their helpline on 0303 123 1113.

Lidl House

14 Kingston Road

Surbiton

KT5 9NU

+44 (0)208 971 1100

Lidl Great Britain Limited (registered company number 02816429) and ICO reference number Z6682144

We welcome visitors to our offices, including:

• Suppliers
• Job Applicants
• External training / or other service providers
• Stakeholders

All visitors to our premises are asked to sign in and out in of our visitors book at reception. You will be asked for your name, company and signature and then handed a visitor pass where.

The visitor book is kept for a period of 12 months and will be destroyed after this.

The processing of your data takes place for the purpose of safety and security and the legal basis is our legitimate interest in ensuring these.