LIDL APP PRIVACY NOTICE

(Version 1.1, Date 29th April 2020)


Many thanks for using our Lidl app (hereafter referred to as ‘the app’) and your interest in our privacy notice. The following content will inform you about the nature and scope of the processing of your personal data by Lidl U.K. GmbH (also referred to in this data protection statement as “Lidl”, “we” or “us”). Personal data is data that is or can be directly or indirectly attributed to your person. The General Data Protection Regulation (GDPR) serves in particular as the legal basis for data protection.


Contents


  1. Overview
  2. Downloading our app from the respective App Store
  3. Using our app
  4. Access to functions and sensors on your mobile terminal device
  5. Usage analysis and advertising
  6. Re-targeting/ interest-based online advertising
  7. Other functions
  8. Recipients outside the EU
  9. Your affected rights
  10. Point of contact
  11. Name and contact details of the controller of the processing and contact details of the company Data Protection Officer


1. Overview


Data processing by Lidl U.K. GmbH within the scope of your use of our app can be divided into three categories:


  • When you download our app, the necessary data is transmitted to the respective App Store.
  • To allow you to use our features, e.g. to find Lidl stores in your vicinity, our app requires access to various functions on your mobile device.
  • When you use our app, data will be exchanged between your device and our server. This may also be personal data. Data collected in this way can for instance be used in order
      • to optimise our app and
      • to display advertising in the browser on your device or by means of so-called push messages.


2. Downloading our app from the respective App Store


When you download our app, the following data in particular will be automatically processed by the respective operator of the App Store (Apple App Store or Google Play):


  • user name in the App Store,
  • the e-mail address stored in the App Store,
  • customer number of your App Store account,
  • time of the download,
  • payment information and
  • the individual device code number.


We have no influence on the collection of this data and are not responsible for it. You can find further information on this data processing in the relevant App Store operator’s privacy policy:



3. Using our app


Purpose of data processing / legal basis:

When you use our app, we will automatically and without any action on your part transmit


  • the mobile device from which you start our app,
  • the IP address of your mobile terminal device,
  • the date and time of access,
  • the request from the client,
  • the HTTP response code,
  • the amount of data transferred and
  • the app version used


to our servers, where this information is temporarily stored in a so-called log file for the following purposes:


  • protection of our systems,
  • troubleshooting,
  • prevention of abusive or fraudulent behaviour.


The legal basis for the processing of the IP address is Article 6 paragraph 1 let. f) GDPR. Our legitimate interest follows from the above-listed purposes of data processing.


Storage duration / criteria for specifying the storage duration:

The data is stored for a period of fourteen days and afterwards automatically erased.


4. Access to functions on your mobile device


Purpose of data processing / legal basis:


Location data


If you have consented to so-called geolocalisation when using our app or in the settings of your mobile device via the “Allow permission” dialogue, we will use this function in order to be able to offer you individual services related to your current location. We will process your location in this way, particularly as part of the “Search for store” function, based on GPS and your network, in order to be able to show the stores nearest to you.


Photos / media / files on your mobile device / USB memory content (read, modify, delete)


If you create a shopping list using our app, depending on the installation location of the app and the available memory, it will be stored directly in the memory of your mobile device or on a connected storage medium.


Camera (recording images and videos)

The camera on your mobile device will be used for the scanning of QR codes.


WiFi connection information

Our app uses the Wi-Fi connection on your mobile device in order to set up a connection to the Internet.


Other device functions


Accessing the other functions of your mobile device allows our app in particular to retrieve data from the Internet and error messages to be processed. In addition, it also enables our app to run on start-up and to deactivate the idle state of the device. Finally, as long as you have given your consent, our app can also send you so-called push messages, to keep you informed about current offers and promotions.


The legal basis for the processing of your location data is your consent pursuant to Article 6 para. 1 let. a) GDPR.


Storage duration / criteria for specifying the storage duration:

Your location data will be deleted after closing our app.


5. Usage analysis and advertising


Purposes of data processing/legal bases:


In order to improve the features of our app as well as our services and the marketing of them, we create pseudonymised user profiles to determine usage behaviour, provided that you gave your consent. The legal basis for this is your given consent. We use the following services for usage analysis and advertising:


Google Analytics


Subject to your consent, this app uses Google Analytics, a service of Google LLC (“Google”), to analyse usage behaviour. Google processes the following information:


  • The mobile device on which you start our app
  • Browser type and version
  • Operating system used
  • IP address
  • Time of the server request.


The information is used to


  • Evaluate the use of our app
  • Compile reports about app activities
  • Provide additional services associated with the use of the app and the internet for the purposes of market research and the design of these websites in accordance with requirements.


The IP addresses are anonymised so that no association is possible (“IP masking”). You can withdraw your consent to the use of Google Analytics in the “Legal Notice/Tracking” menu item of this app at any time with effect for the future.


Google Firebase


Subject to your consent, A/B Testing, Analytics, Cloud Messaging, Crashlytics, Dynamic Links, In-App Messaging, Performance, Predictions and Remote Config – analytic services from Google LLC ("Firebase"), used among other things to analyse usage of the app – are used within this app. When you install the app, Firebase records when and how long the app is used, which app sites are visited, which functions are clicked on and which contents are displayed. That allows us to understand how you interact with our app. Based on your user behaviour, we can also constantly improve the app and provide you with more relevant offers/services. In addition, we can carry out several app tests in parallel and develop other data-based apps.


For this analysis, starting from when registration has been completed, Firebase accesses your customer number, information from Google Signals (if the Google advertising function is enabled in your Google account (for more information, click here), Google can process certain information with your consent) or device information. More information about data protection in connection with Firebase can be found on the Google Firebase website.


You can withdraw your consent to the use of Google Firebase under the menu item "Legal information/Tracking" in this app at any time with future effect.


Adjust


Subject to your consent, our app also uses the Adjust analysis service, a product of adjust GmbH. When you install our app, adjust stores installation and event data (e.g. usage of the app). This allows us to understand how you interact with our app. It also allows us to analyse and improve our mobile advertising campaigns. For this analysis, adjust uses


  • The IDFA (Identifier for Advertising on iOS devices) or the Android Advertising ID
  • The IP/MAC address
  • The HTTP header
  • A fingerprint of your device (additionally: time of access, country, language, local settings, operating system and version as well as the app version)
  • User device and web activity information,
  • App and event token


Adjust transfers this data to our service providers Google LLC (“Google”) and Facebook, Inc (“Facebook”). If Google and Facebook can use this information to identify you, they will provide information to adjust about the advertising campaign that led you to the app store and the way you acted there (especially whether you completed or cancelled the download, along with similar information). Adjust uses this information to create anonymous statistics so that we can track the success of individual advertising campaigns.


You can reset or disable the IDFA and the Android Advertising ID at any time on your device.


If you no longer wish to be tracked by adjust, you can withdraw your consent at any time in the “Legal Notice/Tracking” menu of this app with effect for the future.


Push notification via Accengage


If you have enabled the relevant feature in our app or on your mobile device, we will send you push notifications (messages on your mobile device that are displayed on the lock screen, the home screen and when other apps are running without opening our app). A click/tap on the push message will open our app, if it is not yet open, and display the message in the app. Showing push notifications is based on our legitimate interest in carrying out direct advertising. We use the Accengage tool from Accengage SAS to create and show these push notifications. This tool creates – subject to your given consent – pseudonymised usage profiles based on the following data and assigns them to unique identification numbers:


  • Apple IDFA (Identifier for Advertisers; identification number on the iOS operating system for advertising purposes),
  • Google GAID (Google Advertising ID; identification number on the Android operating system for advertising purposes),
  • Push notification token
  • Mobile session ID
  • Usage behaviour within the app (which areas of the app you visit and which links you use there).


This information is analysed by Accengage using an algorithm to provide targeted product recommendations as push notifications. Under no circumstances will this data be used to personally identify you. By default, no user profiles are created with your personal data.


You can reset or disable the IDFA and the Android Advertising ID at any time on your device.


Should you no longer wish to receive push notifications from us, you can stop receiving our push notifications by disabling them


  • Completely in the system settings for push notifications on your mobile device, or
  • In the “Push notifications” menu item in our Android app.

If you do not want Accengage to create profiles of push notifications, you can withdraw your consent at any time in the “Legal Notice/Tracking” menu item of this app with effect for the future.


Personalised usage profiles


With your consent, we combine the pseudonymised usage profiles created as part of this app with your personal data from your Lidl customer account and evaluate your usage behaviour on the websites, mobile apps and newsletters of Lidl for advertising purposes.


After registering or logging in to your customer account using our app, the usage profiles from our app are processed, associating them with the data stored in your Lidl customer account and combining them with the other usage data mentioned above.


This personalised usage profile helps us to tailor a promotional approach to your personal interests and further improve our web services for you, especially in the form of newsletters, on-site advertising and print advertising.


The legal basis for this data processing is your given consent.


You may withdraw your consent to the creation of personalised usage profiles in the “Legal Notice/Tracking” menu item of this app at any time with effect for the future.


Recipients/categories of recipients:


The information generated by Google Analytics about your usage is usually transferred to a server of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 in the USA and stored there. Under no circumstances will your IP address be aggregated with other data from Google. The information generated by adjust about your usage is transferred to and stored on the servers of adjust GmbH, Saarbrücker Str. 38a, 10405 Berlin. The information generated by Accengage about your usage is transferred to and stored on the servers of Accengage SAS, 31 Rue du 4 Septembre F-75002 Paris, France. This information may also be transferred to third parties if required by law or if third parties process this data on behalf of us in accordance with our instructions.


Storage period/criteria for determining the storage period:


After the anonymisation of your personal data, it is no longer possible to identify you personally. The statistically processed data will be deleted in Google Analytics, adjust and Accengage after 26 months. There will no longer be any personal reference in reports created on the basis of Google Analytics, adjust or Accengage.


6. Re-targeting/ interest-based online advertising


Purposes of data processing/legal bases:


Subject to your consent, we use re-targeting technologies from a variety of providers. This enables us to make our online services more interesting for you.


Our app processes the following advertising IDs:


  • Apple IDFA (Identifier for Advertisers; identification number on the iOS operating system for advertising purposes), and
  • Google GAID (Google Advertising ID; identification number on the Android operating system for advertising purposes).


For “re-targeting”, information about your internet usage (e.g. articles viewed) is collected for marketing purposes, stored with reference to the advertising ID and analysed using an algorithm. Subsequently, targeted product recommendations can be shown as personalised advertising banners for our products on our partners’ websites and mobile apps.


Under no circumstances can this data be used to personally identify the user of our mobile app. No personal data is processed and no usage profiles are aggregated with personal data.


This data processing is carried out on the basis of your given consent. With the targeting measures we use, we want to make sure that you only receive advertising focused on your interests.


Please also note that some third-party mobile applications use a technical feature called “webview” that allows developers to display web applications or web pages directly in their application – without leaving the app and opening a browser. A webview can be independent of both your browser and app settings. We therefore recommend that you also disable re-targeting services in this specific setting if you do not want to receive re-targeting ads.


Recipients/categories of recipients:


Subject to your consent, we use the Criteo service (Criteo DPO – 32 Rue Blanche – 75009 Paris – France, email: dpo@criteo.com, Privacy Policy: http://www.criteo.com/de/privacy) for the purpose of personalising advertisements.


Storage period/criteria for determining the storage period:


The information processed for re-targeting purposes is automatically deleted or anonymised after 13 months.


You may withdraw your consent to the creation of personalised usage profiles in the “Legal Notice/Tracking” menu item of this app at any time with effect for the future.


7. Other functions


7.1 Websites you can access via the in-app browser

If you run another function using our app, such as selecting special offers via the in-app browser (iOS: Safari / Android: Chrome), you will reach the appropriate sub-pages of our website www.lidl.co.uk or the partner websites located there. Our app offer and our online content that is accessible via the in-app browser may under certain circumstances also contain links to other websites.


If you access websites from the in-app browser (e.g. via links), your personal data will be processed on these websites in deviation from this privacy policy. This privacy policy only applies to our app. Please note the privacy policies of the linked websites. We assume no responsibility for external contents which are provided through links and are specially highlighted, and we do not adopt their content as our own. The provider of the linked website is solely responsible for illegal, incorrect or incomplete content and for damages resulting from the use or non-use of the data.

8. Recipients outside the EU


With the exception of the processing by Google Analytics described in Section 5, we will not pass your data to recipients established outside the European Union or the European Economic Area. The processing mentioned causes the data to be transmitted to the servers of Google Inc. in the USA. In a decision of 12 July 2016, the European Commission decided for the USA that an adequate level of data protection exists under the regulations of the EU-U.S. Privacy Shield (so-called “Adequacy Decision” pursuant to Art. 45 GDPR). We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, which is certified in accordance with the EU-U.S. Privacy Shield.


9. Your affected rights


9.1 Overview

Besides the right to revoke the consent you have given us, you have the following further rights if the respective legal requirements are met:


  • The right to information about your personal data stored with us as referred to in Article 15 GDPR;
  • The right to rectification of incorrect data or completion of incomplete data as referred to in Article 16 GDPR;
  • The right to erasure of your personal data stored with us as referred to in Article 17 GDPR;
  • The right to restriction of processing of your data as referred to in Article 18 GDPR;
  • The right to data portability as referred to in Article 20 GDPR;
  • The right to object as referred to in Article 21 GDPR.


9.2 Right to information as referred to in Article 15 GDPR

You have the right as referred to in Art. 15 paragraph 1 GDPR to receive upon request information about the personal data stored with us about you, free of charge. This includes in particular:


  • the purposes for which the personal data are processed;
  • the categories of personal data that are processed;
  • the recipients or the categories of recipients to whom the personal data concerned have been disclosed or are still being disclosed;
  • the planned duration of storage of the personal data concerning you or, if specific details of this are not possible, criteria for the specification of the retention period;
  • the existence of a right of rectification or deletion of personal data concerning you or of a restriction on processing by the data controller or of a right to object to such processing;
  • the existence of a right of appeal to a supervisory authority;
  • all available information about the origin of the data, if the personal data are not collected from the person concerned;
  • the existence of an automated decision-making process, including profiling, as referred to in Article 22 paragraphs 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved as well as the scope and desired impact of such processing for the person concerned.


If personal data are transferred to a third country or to an international organisation, you have the right to be informed about the appropriate guarantees as referred to in Article 46 GDPR in connection with the transfer.


9.3 Right to rectification as referred to in Article 16 GDPR

You have the right to seek the immediate rectification by us of inaccuracies in your personal data. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration.


9.4 Right to erasure as referred to in Article 17 GDPR

You have the right to request from us that personal data concerning yourself is immediately erased, if one of the following grounds applies:


  • the personal data are no longer necessary for the purposes for which they have been collected or have been processed in any other way;
  • you revoke your consent, which supported the processing as referred to in Article 6 paragraph 1(a) or Article 9 paragraph 2(a) GDPR, and there is no other legal basis for processing;
  • you object to the processing pursuant to Article 21 paragraph 1 or paragraph 2 GDPR, and in the case of Article 21 paragraph 1 GDPR there are no overriding justifiable grounds for the processing;
  • the personal data have been unlawfully processed;
  • the deletion of the personal data is necessary for the fulfilment of a legal obligation;
  • the personal data have been collected in relation to services offered by information society services as referred to in Article 8 paragraph 1 GDPR.


Insofar as we have made the personal data public and are obliged to erase them, we will take appropriate measures taking into account the available technology and the costs of implementation, in order to inform the third parties who are processing your data that you also request from them that they delete all links to these personal data and copies or replications of these personal data.


9.5 Right to restriction of processing pursuant to Article 18 GDPR

You have the right to request from us a restriction of the processing, if one of the following requirements exists:


  • the correctness of the personal data is disputed by you;
  • the processing is illegal and you request a restriction of the use of the personal data rather than their erasure;
  • the data controller no longer requires the personal data for the purposes of the processing, but the person concerned requires them in order to enforce, exercise or defend legal claims or
  • you have raised an objection to the processing pursuant to Article 21 paragraph 1 GDPR, as long as it is still not certain whether the legitimate grounds of the data controller outweigh those of the person concerned.


9.6 Right to data portability as referred to in Article 20 GDPR

You have the right to receive the personal data that concern you, which you have provided to us, in a structured, common and machine-readable format, and you have the right to transfer these data to another data controller without hindrance by us, insofar as


  • the processing is based on consent as referred to in Article 6 paragraph 1(a) or Article 9 paragraph 2(a) or on a contract as referred to in Article 6 paragraph 1(b) GDPR and
  • the processing takes place with the aid of automated procedures.


When exercising your right to data portability, you have the right to ensure that the personal data are transferred directly by us to another data controller, insofar as this is technically feasible.


9.7 Right to object as referred to in Article 21 GDPR

Under the conditions laid down in Article 21 paragraph 1 GDPR, you may object to data processing for reasons arising from your particular situation.

The above general right of objection applies to all processing purposes described in this privacy policy, which are processed on the basis of Article 6 paragraph 1 (f) GDPR. Unlike the special right to object oriented towards data processing for advertising purposes (compare above in particular Sections 9 and 11.6), we are only obliged by the GDPR to implement such a general objection, if you give us reasons of paramount importance for this, e.g. a possible risk to life or health. Furthermore, there is the possibility to contact the supervisory authority responsible for Lidl U.K. GmbH.


10. Point of contact


10.1 Point of contact in case of questions or to exercise your data protection rights

In the case of questions on the website or the Lidl online shop or to exercise your rights with regard to the processing of your data (data protection rights) you can contact our customer service.


10.2 Point of contact in case of questions regarding data protection

If you have further questions regarding the processing of your data, you can contact Lidl’s company data protection officer (see Section 11).


10.3 Right of complaint to the supervisory data protection authority

In addition, you have the right to complain at any time to the responsible supervisory data protection authority. For this, you can contact the Information Commissioner’s Office (ICO).


11. Name and contact details of the controller of the processing and contact details of the company Data Protection Officer


This privacy notice applies to data processing by Lidl U.K. GmbH and Lidl Great Britain Limited, 19 Worple Road, Wimbledon, London, SW19 4JS (“Data Controller”) and the Lidl App. The Company Data Protection Officer of Lidl U.K. GmbH can be contacted at the above-mentioned address, c/o the Data Protection Officer or at Data.Protection@lidl.co.uk.