Data Protection Information My Lidl Account
As of: January 2022
My Lidl Account is a service (hereinafter "My Lidl Account" or "service") of the Lidl group of companies (hereinafter referred to as "group of companies" (https://www.lidl.ie/lidl-plus/company-information) operated by Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74167 Neckarsulm ("Lidl Stiftung", "we", "us").
Lidl Stiftung processes the data required for the purposes of the Service as the responsible party insofar as it collects, aggregates, evaluates and transmits the data to other companies of the Lidl group of companies for the performance of the Service.
The list contains only the relevant and current Lidl companies. In the future, other companies may also be added to this list if SB Lidl KG directly or indirectly owns shares in the respective company and they participate in the service. This data transfer is limited to constellations in which the respective Lidl company requires your data in order to be able to offer the respective target service or to support us as a service provider within the scope of My Lidl Account (see below for details).
This data protection information applies to the processing activities of Lidl Stiftung as the data controller. For data protection-related inquiries and the exercise of your data subject rights, please feel free to contact us, for example at: firstname.lastname@example.org. Data protection officer of the Lidl Stiftung can be reached at the above postal address.
The password-protected My Lidl Account offers you a single sign-on service ("SSO") as well as the use of a My Lidl Account Portal. SSO enables you, after one-time registration with an online service of the group of companies (e.g. online shops, click and collect service, apps, etc., hereinafter referred to as "target service"), to use this target service with the same user name and password, provided that SSO is implemented in the respective target service.
My Lidl Account Portal allows you to view, access, manage and correct the information stored in your My Lidl Account in one central location. My Lidl Account Portal stores the customer master data and information described in section 1 (About me, Family Club, payment history).
1 What personal data do we collect?
Registration for My Lidl Account
If you register with the target service without having previously registered with another target service and thus set up the My Lidl Account for the first time, we ask for at least your e-mail address and a password as part of the registration process. Depending on the target service, additional customer master data is also collected: First name, last name, date of birth, mobile phone number and preferred Lidl store. Optionally, salutation, gender, and address (street, house number, postal code, city and country) can be specified. You can find out which of the data we collect is specifically passed on to the respective target service in the data protection information of the relevant target service. When you register for a new target service with an existing My Lidl Account, we will only ask for the above-mentioned customer master data that you have not already provided and that is required for the use of this target service.
We also collect data such as: Your IP address, your mouse movements, the duration of your stay on the My Lidl Account registration website, online identifiers such as device ID, browser details, i.e. browser name and version, name and version of the operating system of the device on which the browser is installed and network-based location data of your device when logging in.
Furthermore, we also store and process certain data in so-called log files if you have visited the registration page. In particular, a log file provides information about the date and time of the registration/login attempt and whether it was successful, the e-mail address provided and the IP address.
Use of the About me function
If you voluntarily enter certain information about your circumstances and interests in the "About Me" section of My Lidl Account Portal, we will also store this data for your overview.
Linking with Family Club
If you have also registered with our Family Club, we store information on the benefits granted and display this in My Lidl Account Portal.
In addition to the data mentioned above, we may also receive information from the target service you use about the payment methods stored there and the history of your purchases and orders. We display this data to you in My Lidl Account Portal. You can find out which target services transfer their payment history to the My Lidl Account in the data protection information of the respective target service.
Analysis of user behavior / cookies
When you contact Lidl Customer Service, they can access the information from your My Lidl Account to help you as efficiently as possible.
2 For what purposes and on what legal basis do we process your personal data?
Purpose of registration, login and account management
In order to provide you with the greatest possible convenience in your user experience, we process your personal data in My Lidl Account, to enable you to avoid having to re-enter your personal data for the usage of the service.
The legal basis for data processing is thus Art. 6 para 1 lit b GDPR, i.e. you provide us with the data on the basis of the contractual relationship between you and us.
This also applies to any additional personal data we receive from target services in connection with the use of your My Lidl Account.
Purpose of securing your customer profile
In the context of registration and/or login, we use Google reCaptcha, a service provided by Google. Our legitimate interest here lies in the protection of your data and our systems. In this context, an analysis of various information is used to determine whether the data entry is made by a human or by an automated program. This analysis begins automatically as soon as you open the My Lidl Account registration website. For the analysis, Google reCaptcha evaluates various information (e.g. IP address, your time spent on the page or mouse movements made by the user). The information generated is transferred to a Google server in the USA and processed there. The collection and analysis do not enable us or Google to identify you. In particular, the information will not be merged by Google with personal data of you. For more information on Google reCaptcha, please visit https://policies.google.com/privacy?hl=ie. Legal basis for this is Art. 6 para 1 lit f GDPR.
Purpose of the processing of your technical user data for abuse prevention
We use your IP address as well as the online identifiers described above, logfiles and your network-based location to prevent abuse and prevent and detect any security breaches and other prohibited or unlawful activities. For example, if you login from a new/unknown device, we may notify you of such a login attempt. The processing of this data is based on our legitimate interest in monitoring and improving the information security of our service (Art. 6 para 1 lit f GDPR).
Purpose of the data overview and management in My Lidl Account Portal
SSO provides you with a cross-portal identity that is recognized and verified by the connected target services. In this way, your master data and information from the "About me" and "Family Club" functions mentioned in section 1 can also be viewed by you from the connected target services in My Lidl Account Portal and can be used for the respective target services within the scope of what is required for the respective purpose. My Lidl Account Portal also allows you to easily and centrally manage the data you have stored there and your My Lidl Account. For example, you can correct and partially delete your master data, change your password, and view some information about your purchases and orders made via the respective target services. Furthermore, My Lidl Account Portal offers you the possibility to use the stored data when using the respective target service. For example, during the checkout process in the Lidl Online Shop, you can automatically use your address stored in My Lidl Account Portal without having to enter it again.
Purpose of the processing of "About me" to determine your product interests and the optimization of our online offers
Should you voluntarily store certain information about your circumstances and interests in the "About Me" area, we will also store this data for your overview in your My Lidl Account.
If you have registered to use the Lidl Plus service, we will also use your information in "About me" for the purpose of personalized advertising targeting as part of the Lidl Plus service, as provided for in the usage agreement for the Lidl Plus service. Thus, the legal basis for this is Art. 6 para 1 lit b GDPR, i.e. you provide us with the data on the basis of the contractual relationship with the use of Lidl Plus between you and us.
Purpose of processing customer requests
If you contact our customer service to process any problems with this area of the My Lidl Account, we will use your data stored there to process your respective request. The legal basis for this is Art. 6 para 1 lit b GDPR, as the processing is necessary to provide you with the agreed service, or to restore a contractual condition in accordance with the usage agreement.
If you contact Lidl customer service regarding concerns with target services, we will give your data stored in My Lidl Account to the respective target service so that they can process your concern as efficiently as possible. The legal basis for this is Art. 6 para 1 lit b GDPR, i.e. we thereby fulfil our contract with you.
3 To whom do we disclose your personal data?
Transfer to operators of the target services
If you use your My Lidl Account to use a target service, we will pass on your data on to the operator of the respective target service for the purpose of processing purchase contracts or other services that have been ordered via the target services covered by My Lidl Account. The latter receives those data that are required for the provision of the service ordered, insofar as these have been stored by you in My Lidl Account Portal or transmitted to the portal by another target service, i.e. depending on the offer:
- Verification of log-in data (e-mail address, password, telephone number if applicable).
- Master data (name, address, date of birth)
- Stored payment methods
- Information about your participation in the Family Club program
- Information stored in the "About Me" section about your circumstances and interests
We also pass on your customer master data to those companies of the group of companies whom you contacted in the context of customer service inquiries regarding target services connected to My Lidl Account.
Transfer to service providers
In addition, we use service providers to process your data. The companies acting on our behalf are carefully selected and commissioned in writing. They are bound by our instructions and are inspected by us before the start of data processing and regularly thereafter. These companies never pursue their own purposes with your personal data. In this context, we forward your data to recipients who provide us with
- storage capacity, database systems or similar,
- fraud prevention services,
- technical support and
- provide us with marketing advice.
We exclude any further transfer of your data to third parties.
Transfer to third countries
If we transfer personal data to recipients in third countries (countries outside the European Economic Area), you can infer this from the information on data processing by our service providers described in this data protection information. By adopting adequacy decisions, the European Commission has determined whether such a third country provides an adequate level of data protection. The exact list of countries with an adequacy decision can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. If an adequate level of protection has not been determined by the European Commission for a third country, we will ensure that the adequate level of data protection is provided through other measures, such as: binding internal data protection rules, standard contractual clauses, certification mechanisms or recognized codes of conduct. Please contact our Data Protection Officer (see above) if you would like more information.
4 How do we ensure the confidentiality of your personal data?
To ensure the confidentiality of your personal data, our employees involved in data processing are prohibited from collecting, processing or using personal data without authorization. Our carefully selected employees, who are sensitive to data protection law, are contractually obligated to maintain data secrecy at the beginning of their employment. This obligation continues after termination of the employment relationship.
5 How long do we store your personal data?
We generally store your data for as long as you are a registered user of the My Lidl Account.
If you have only registered with the target service via My Lidl Account, your data will be deleted accordingly as soon as you request the deletion of your account with the target service. Please note, however, that if you have registered with several target services via My Lidl Account, your My Lidl Account and all personal data stored by us will only be deleted once all target services linked to the My Lidl Account have been deleted. The retention periods described in the data protection information of the target service apply accordingly.
The processing and storage of data is the responsibility of the respective operator of the service used, who uses the data required to provide the service ordered for this purpose and then archives it in accordance with the statutory retention periods (the retention periods described in the data protection information of the target service apply accordingly).
6 What rights do you have with regard to the processing of your data?
Of course, upon request, we will provide you with the information pursuant to Art. 15 GDPR (in particular, the data stored about you, the recipient or categories of recipients to whom data are disclosed, the purpose of storage, etc.). Of course, we will provide this information free of charge. In addition, you have the right, under the respective legal conditions, to have incorrect data corrected as well as to have your personal data deleted, restricted from processing and transferred. Furthermore, you have a right to lodge a complaint with the competent supervisory authority.
In cases where the data processing is based on Art. 6 para 1 lit f GDPR or is carried out for the purpose of direct marketing, you have the right to object to the processing.
Insofar as the processing is based on your consent, you have the right to revoke this at any time with effect for the future.
7 No obligation to provide data
If you provide this data yourself, you are not obliged to provide the above voluntary information. Without this data, however, we are not able to fully provide you with the My Lidl account service and to fully provide you with the target services based on it. Only optional data fields are marked as such in the My Lidl Account.
8 Can we change the data protection information?
An amendment of this data protection information may be necessary due to changes in the legal situation or the circumstances of the data processing of the My Lidl Account. If the circumstances or the scope of the processing of your personal data change, we will inform you of this and, if necessary, ask for your consent.