Last revised: October 2024
Version: 2.0
Lidl Plus Data Protection Notice
Data protection notice on downloads
You can download the Lidl Plus data protection information as a PDF version below.
1. Overview
Lidl Plus is a loyalty programme (the "Service" or "Lidl Plus") that offers you deals and discounts tailored to your interests from the companies of the Lidl Group and selected partners. You can use Lidl Plus by registering for selected online services of the Lidl Group ("Online Services", e.g. online stores, click and collect service, apps). Please note that some functionalities are only available via the Lidl app. For example, you must identify yourself with the Lidl app at the checkout so that your purchases in Lidl stores are assigned to your Lidl Plus profile.
2. Contact details of the controller and the data protection officer
Unless otherwise stated below, Lidl Great Britain Limited, Lidl House, 14 Kingston Road, Surbiton, KT5 9NU ("Lidl GB", "we", "us") is responsible for the processing of your data in the context of Lidl Plus. Lidl GB's data protection officer can be contacted at the above postal address or at data.protection@lidl.co.uk.
3. Processing purposes, legal bases and recipients
3.1 Registration for Lidl Plus and account management
Purposes of data processing/legal basis
Once you have registered, you can use Lidl Plus in all connected Online Services with the same user name and password and access your customer master data, shopping history and Lidl Plus functions in your Lidl Plus account.
The following data is processed when registering for Lidl Plus:
▪ First name,
▪ Date of birth,
▪ Email address,
▪ Mobile phone number,
▪ Password,
▪ Title (optional),
▪ Gender (optional).
We need your date of birth, as participation in Lidl Plus requires a minimum age of 18 years (see Section 2 of the Conditions of Participation) and for certain products (e.g. alcoholic beverages) age limits under youth protection laws must be taken into account.
You can also choose to enter your address and surname in your Lidl Plus account. However, providing this data is mandatory for specific functions.
If you have registered for Lidl Plus in the Lidl app, we will also process data on your preferred store. In addition to the above-mentioned data, we receive information from the Online Service you use – if available – about the payment methods stored there and your purchase and order history. You can access this data in your Lidl Plus account. You can find out which Online Services transfer your payment history to your Lidl Plus account in the Online Services' data protection notice.
If you have registered with our Family Club, the information on benefits granted will also be saved and displayed in your Lidl Plus account.
We process the data collected during registration for the following specific purposes:
▪ Communicating with you,
▪ Verifying your identity as the account holder (e.g. when resetting the password),
▪ Uniquely assigning your purchase and usage behaviour to your customer profile.
We also use your email address to send you a notification when your account is accessed via a new device. The following data is processed to secure the registration/login procedure:
▪ Email address or mobile phone number,
▪ IP address,
▪ Mouse movements,
▪ Length of time spent on the registration page,
▪ Online identifiers such as device ID,
▪ Browser details (browser name and version),
▪ Name and version of the operating system of the device on which the browser is installed,
▪ Network-based location of your device when you log in,
▪ Date and time of the registration/login attempt,
▪ Information on whether registration/login attempts were successful.
If you wish to use our Lidl Pay payment service (see Section 3.12 below), "two-factor authentication" will be integrated into the login process with your consent. When you register for your Lidl Plus account, a verification code will be sent to the mobile phone number or email address you registered with. This ensures that only you have access to your account, even if your password is known to third parties. Two-factor authentication can be deactivated at any time via our customer service department. In this case, you will no longer be able to use Lidl Pay.
The legal basis for the above-mentioned data processing is Article 6(1)(b) and (f) GDPR, i.e. we process your data in order to provide you with our Services in accordance with the contract. Our legitimate interest is based on the purposes of data processing described above.
Recipients/categories of recipients
If you log in to Online Services as a Lidl Plus user, we pass on to the respective operator of the Online Service the data required to provide the Service you have requested. These data vary depending on the offer and can include:
▪ Verified login data (e.g. email address, password, mobile phone number),
▪ Master data (e.g. name, address, date of birth),
▪ Stored payment methods,
▪ Information stored in the "About me" section,
▪ Information about your participation in the Family Club.
We also pass on your customer master data to those companies in the Lidl Group that you contact in the context of customer service enquiries.
3.2 Store visits
Purposes of data processing/legal basis
If you use Lidl Plus, you can either identify yourself at the self-checkout or at the till when you visit a store. In this case, we collect the following data:
▪ The store you have visited,
▪ The products you have purchased or returned by type, quantity and price,
▪ The coupons and vouchers you have redeemed,
▪ The purchase receipt amount,
▪ The time of the payment transaction and which means of payment you used.
The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
In order to prevent economic damage to Lidl Group companies, we analyse your purchasing behaviour for fraud prevention purposes. In particular, we analyse whether and how often items are returned. The legal basis for this is Article 6(1)(f) GDPR. Our legitimate interest is based on the purposes of processing described above.
In the event of product recalls, we will check whether you have purchased the affected product so that we can inform you of the recall. This processing is carried out to protect your health (Article 6(1)(d) GDPR) and because we have a legitimate interest in informing you of any product recalls (Article 6(1)(f) GDPR).
3.3 Determining your product interests and personalised advertising approach
Purposes of data processing/legal basis
In Lidl Plus, we determine which products, promotions and services could potentially be of interest and relevance to you. This is done in particular on the basis of the following data:
- Store purchases (e.g. products purchased or returned by type, quantity and price),
- Demographic information (e.g. age, gender, place of residence),
- Data stored in the Lidl Plus account,
- Information about life circumstances and interests, which are stored in the "About me" section,
- Activated and/or redeemed coupons,
- Participation in competitions and promotions,
- Product reservations,
- Use of our partner offers described in Section 3.9 (e.g. time, quantity, location),
- Use of the Digital Services described in Section 3.13 (e.g. information about your access authorisation to Services of our partners, length of use of the Services, termination date of the free month, activation and use of the discount collector for Digital Services),
- Use of functions in Lidl Plus,
- Use of our Lidl Pay payment service.
In addition, the following information from Online Services is processed to determine your interests:
Usage data of the Lidl app, e.g.
o Visited app sections,
o Viewed articles,
o Version of the operating system,
o Device labelling,
o System language and selected country,
o Lidl app version used,
Tracking data, e.g.
o advertising identifiers (iOS IDFA, Android advertising ID or Huawei ID, email address, address, mobile phone number),
o IP/MAC address,
o HTTP header,
o Fingerprint of your end device,
o Information about the use of apps and websites (links clicked on, areas visited, duration and frequency of use, number of clicks and scrolls),
o App and event tokens,
Information from the Online Service of the Lidl Group companies, e.g.
o products purchased/reserved in Online Services by type, quantity and price,
o Receipt amount and time of payment,
o Payment method used,
o Selected delivery method,
o Participation in surveys and competitions,
o Products stored in the shopping basket,
o Frequency of purchase transactions,
o Web tracking data of the Online Services,
Your usage behaviour in relation to marketing communication of Online Services, e.g.
o time at which the newsletter was opened,
o clicked links or areas,
o duration and frequency of use.
We use mathematical-statistical methods to determine your interests. For this purpose, your personal data is also compared with the data of other customers. Based on this comparison, we can work out which products and campaigns are relevant for customers with similar interests.
We use this information to provide you and other customers of the Online Services with personalised advertising tailored to your interests and to offer you the best possible individual offers and discounts. Where possible, you will also receive personalised information about products, promotions, competitions, new services, customer surveys and the latest streaming, store, and travel offers. We also use these findings to optimise the Lidl Plus programme.
The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
In addition, we may transfer the data described in this paragraph to other companies in the Lidl Group or other third parties if there is a legal basis for this (in particular your consent to the use of tracking technologies in our Online Services).
3.4 Advertising optimisation measures, the store network and store design
Purposes of data processing/legal basis
If you provide us with your address as part of the registration process or at a later date in your Lidl Plus account, we will use it to optimise our advertising (e.g. leaflet distribution, poster advertising) and to optimise the store network.
This data is processed on the basis of our legitimate interest in optimising sales channels (Article 6(1)(f) GDPR).
3.5 Google reCaptcha
Purposes of data processing/legal basis
To protect our registration/login process from attacks or misuse by automated programmes (known as bots), we use Google reCaptcha. Bots are used, for example, to obtain customer account passwords or to restrict the functionality of the website through mass data transfers.
Google reCaptcha determines whether the interaction with the website is by a human user or a bot. For this purpose, usage behaviour (time spent on the page or mouse movements made) is analysed and the IP address is read by Google and checked to see whether it could have been assigned to a bot in the past. If the IP address has already been assigned to a bot, Google transmits this information to us. We then store these IP addresses for defence against future attacks. This analysis starts automatically as soon as you open the registration page.
The legal basis for this data processing is Article 6(1)(1)(f) GDPR. Our legitimate interest is based on the purposes of processing mentioned above.
Recipients/categories of recipients
When using Google reCaptcha, the above-mentioned data is also processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA to provide the Service. We have no influence over the processing and use of data by Google. Further information on data processing by Google can be found here: https://policies.google.com/privacy.
3.6 Competitions
Purposes of data processing/legal basis
As a Lidl Plus user, you can take part in various competitions. Unless otherwise specified in the respective competition, your data will be used in the context of your participation in the competition in order to run the competition (e.g. determining the winner, notifying the winner, sending the prize) and to determine your interests as described in Section 3.3.
The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
Apart from the above-mentioned determination of your interests and the personalised advertising approach, your data will only be passed on to companies of the Lidl Group or third parties if this is necessary to run the competition (e.g. to send the prize via a logistics company).
3.7 Reservation of products
Purposes of data processing/legal basis
If you reserve products via Lidl Plus and purchase them in-store at a later date, we process this information so that you can
- purchase these later in a Lidl store,
- view a history of reservations,
- view special offers tailored to your preferences and interests as well as participate in promotions.
The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
We will send a list of the reserved products and your order number to the relevant Lidl Group company. The Lidl company uses this data under its own responsibility for the subsequent processing of the purchase contract.
3.8 Partner offers
Purposes of data processing/legal basis
Lidl Plus gives you the opportunity to take advantage of discounted offers from selected partners. Some of these offers require you to identify yourself as a Lidl Plus customer with your digital customer card. In this case, the partner informs us about your use of the special offer including the associated information (e.g. time, quantity, location).
If special offers are made within Lidl Plus for contracting services from our partners, we will receive your contact details (e.g. email address and mobile phone number) from them so that we can correctly assign the special offer to your account.
We use the information on the use of the partner offers to determine your interests as described above and to display personalised advertising.
The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
If you make use of partner offers via Lidl Plus, we only send the partner the information that you are a Lidl Plus user so that the partner can assign the corresponding offer to you.
3.9 E-mobility
Purposes of data processing/legal basis
To start the charging process at a Lidl charging station, you must first identify yourself with Lidl Plus. If you have not yet entered an address in Lidl Plus, you will be asked for a billing address so that payment can be made. During the charging process, we process the following data with reference to your customer number:
- Date of the charging process,
- Charging quantity (kWh),
- Charging power (kW),
- Start and end of the charging process (time),
- Type of charging plug used.
We use the information on the use of the charging stations to determine your interests as described above and to display personalised advertising.
The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
If you select a charging station and a plug in Lidl Plus as part of the e-mobility Service, we will transmit your customer master data for the purpose of carrying out the charging process to Lidl Great Britain Limited. The legal basis for this transfer is Article 6(1)(b) GDPR.
3.10 My Deposits
Purposes of data processing/legal basis:
To save the digital vouchers in your Lidl app and redeem them at the checkout, you must identify yourself at the deposit voucher machine and at the checkout. When storing and redeeming digital vouchers, we process the following data with reference to your customer number and transmit it to the respective national company:
- Deposit ID,
- Final total of the deposit vouchers,
- Date of creation and redemption of the deposit voucher,
- Store,
- Type of deposit item (bottle, can, glass, etc.),
- Type of redemption (automatic, manual).
The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
If you wish to redeem your digital vouchers at the checkout in Lidl Plus as part of the My Deposits Service, we will send the vouchers you have selected to the Lidl Group company, which will pay out the value of the voucher.
3.11 Lidl Pay
Credit card
Purposes of data processing/legal basis
As a Lidl Plus user, you can choose to register your credit or debit card with our mobile payment Service "Lidl Pay" and make payments (e.g. in Lidl stores) conveniently using your mobile device. To register and use Lidl Pay, it is necessary to enter the credit or debit card number, the CVV/CSV code and the expiry date of the card. This data is entered and stored in encrypted form directly in the PCI-DSS & PCI 3DS-certified systems of our payment platform. To ensure that you are actually the holder of the credit/debit card, your data is compared with the data of the card-issuing company.
If the registration for Lidl Pay is successful, the payment platform sends us a token as confirmation. We then link this token to your customer account.
The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
As soon as you use Lidl Pay in a Lidl store, your credit or debit card data will be forwarded to the respective Lidl Group company for payment processing, which will process the data for its own purposes (e.g. for tax verification obligations).
In order to carry out the payment process in accordance with the statutory provisions of Directive (EU) 2015/2366 ("PSD 2"), the applicable national implementing legislation and Delegated Regulation (EU) 2018/389, we also exchange specific information (e.g. data about you, the transaction and your payment behaviour) with your credit institution or the issuer of your means of payment (e.g. your debit or credit card) with the help of our service providers.
These processing operations are carried out on the basis of Article 6(1)(b) GDPR (execution of payment) and Article 6(1)(c) GDPR (fulfilment of the above-mentioned legal obligations).
To prevent fraud, we process your mobile phone number in the registration, pre-authentication and payment process and transmit it to the payment service provider. The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest lies in the prevention of fraud.
Direct debit
Controller, purposes of data processing/legal basis
As a Lidl Plus user, you can choose to register your bank details with our "Lidl Pay" mobile payment service and make payments (e.g. in Lidl stores) conveniently using your mobile device. In order to register and use Lidl Pay and to issue a direct debit mandate, it is necessary to provide additional data, in particular your IBAN, and to activate two-factor authentication in your Lidl Plus account beforehand.
In addition to Lidl Stiftung, Lidl Digital Trading GmbH & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm ("Lidl Digital Trading") is jointly responsible for the following data processing within the framework of Lidl Pay in accordance with Article 26 GDPR:
- Execution of the payment transaction,
- Fraud prevention measures,
- Credit assessment and receivables management.
With Lidl Plus, Lidl Stiftung provides the platform for Lidl Pay and processes individual data from the payment transactions for the purposes described in the previous sections. Lidl Digital Trading handles the payment processes as part of Lidl Pay. You can contact both Lidl Stiftung and Lidl Digital Trading to exercise your data subject rights described below with regard to the data processing described in this paragraph.
Lidl Digital Trading stores transaction data, in particular the customer address, customer number, email address, mobile phone number and payment data, in order to record and trace the payment via Lidl Pay. For the same purpose, Lidl Digital Trading also transmits the processing date, transaction date, transaction time, transaction ID, bank code, amount, currency and payment method to Lidl Dienstleistung GmbH & Co. KG. Data processing in the context of reporting is based on Article 6(1)(f) GDPR and is carried out in the legitimate interest of traceability of payments via Lidl Pay.
To secure and optimise the purchase process, we process the following information during registration and during the purchase process and store it in your customer account:
- Correctness of the data provided (e.g. address verification, identity check),
- Access to the specified bank account (e.g. via our service provider Tink AB or by one cent transfer),
- Credit check (e.g. data comparison with the credit agencies listed below),
- Known anomalies in payment transactions (e.g. dunning procedures),
- Anomalies in specific purchases (e.g. product group or quantity).
During account verification via our Service provider Tink AB, you will be asked to log in to your online banking account. Once verification is complete, we will receive your name, IBAN and the currency of your bank account as well as information on whether you were able to log in successfully. With the one cent transfer, we transfer one cent to the specified bank account. The operation contains a code that must be entered to complete the registration.
The legal basis for securing and optimising the purchase process is Article 6(1)(b) GDPR, i.e. you provide us with the data on the basis of the contractual relationship between you and us, and Article 6(1)(f) GDPR, whereby our legitimate interest lies in the prevention of fraud.
For the purpose of credit checks and fraud prevention, we use a device recognition procedure within the scope of Lidl Pay to check whether there are any indications of attempted fraud using various rules. For example, these are
- an extremely short session length in the app before a registration process,
- a typing speed that only a machine can achieve, which indicates unusual bulk payments and may be an indication of fraud,
- implausible information about the device location and language settings or
- information that indicates installed malware.
The legal basis for the processing of personal data as part of the device recognition procedure is Article 6(1)(b) and (f) GDPR. We have a legitimate interest in preventing fraud at Lidl Pay to protect our economic interests and the economic interests of third parties.
In addition, with your consent, the following data in particular will be processed in pseudonymised form and compared with data from devices from which fraudulent acts have been committed in the past or are suspected to have been committed in order to prevent misuse and fraud:
- Usage data (e.g. IP address and information about the start, end and scope of use of Lidl Plus, and another device identifier),
- Device and app data (e.g. language and country settings, screen information, colour depth and information about installed browsers, plug-ins, software and their versions),
- Transaction data (e.g. name, date of birth, postal address and email address).
An individual identifier is created on the basis of the above-mentioned data, which can be used to recognise end devices with a certain probability on subsequent visits. This allows the device to be identified without knowing the name of the person behind it and linking it to the identifier. In the event that the comparison shows that fraud or an attempt at fraud has already been committed by the device, we will refuse to enter into the contract using Lidl Pay in the specific case.
The legal basis for this is your consent in accordance with Article 6(1)(a) and Article 6(1)(b) GDPR, i.e. you provide us with the data on the basis of the contractual relationship between you and us.
In the event of misuse or fraudulent use of Lidl Plus or Lidl Pay, reasonable suspicion thereof or if this is necessary to protect our legitimate interests, we are authorised to block the Lidl Pay function. The legal basis for the above-mentioned data processing is Article 6(1)(f) GDPR. The justification for this arises from the protection of your identity, the minimisation of payment default risks and the avoidance of fraud attempts at our expense.
If you are registered for Lidl Pay and change your email address or delete your address in your Lidl Plus account, Lidl Pay can only continue to be used if you verify your email address or re-enter your full address in your Lidl Plus account.
Recipients/categories of recipients
As soon as you use Lidl Pay in a Lidl store, your payment data will be forwarded to the respective company of the Lidl Group with which you enter into a contract for the purchase of goods or services using Lidl Pay for payment processing. This company of the Lidl Group will process the data for its own purposes (e.g. storage for tax documentation obligations).
In the event of a delay in payment, we will transfer the necessary data to a company contracted to enforce the claim if the other legal requirements are met. The legal basis for this is Article 6(1)(b) and (f) GDPR. The legitimate interest arises from our own interest and that of third parties in the fulfilment of the claim and in reducing the risk of non-payment.
We use the results of the data processing described in this section for the purposes described above for your purchases in the context of other Online Services of Lidl Group companies and, conversely, we also use the results of the data processing carried out for these Online Services for the data processing described in this section. This currently affects all services operated by Lidl Digital Deutschland GmbH & Co. KG and Lidl Digital Trading, including the following websites: www.lidl.de and www.lidl-reisen.de.
As part of Lidl Pay, we exchange the following personal data with your credit institution or the issuing organisation of your means of payment in order to execute the respective contract with you (including the legally required authentication procedure prior to the execution of individual payment transactions):
- Name of the bank account holder,
- IBAN,
- Currency in which the bank account is held.
To rule out attempted fraud within the scope of Lidl Pay, our carefully selected, authorised service providers will confirm that you actually have access to the specified bank account.
To book and trace the payment via Lidl Pay, Lidl Digital Trading GmbH & Co. KG transmits personal data to Lidl Dienstleistung GmbH & Co. KG.
With infoscore Consumer Data GmbH, Rheinstraße 99, 76532 Baden-Baden, infoscore Forderungsmanagement GmbH, Rheinstraße 99, 76532 Baden-Baden, Coeo Inkasso GmbH, Kieler Straße 16, 41540 Dormagen and CRIF GmbH, Leopoldstraße 244, 80807 Munich, we use established and trustworthy service providers for the above-mentioned data processing in the context of Lidl Pay. We only transmit the data required for the above-mentioned data processing (e.g. first and last name, address, date of birth) to infoscore Consumer Data GmbH and CRIF GmbH in order to assess your creditworthiness and set a payment limit for Lidl Pay. These service providers also process the data received in order to provide their contractual partners (also in countries outside the EU, provided that an adequacy decision of the European Commission exists or another legal basis within the meaning of Article 44 et seq. GDPR is relevant) with information for assessing creditworthiness. Further information on the activities of the service providers can be found in the information sheets of the service providers infoscore Consumer Data GmbH and CRIF GmbH. Please contact infoscore Consumer Data GmbH and CRIF GmbH for further information on credit checks and in particular for calculating score values as part of scoring (mathematical-statistical method for forecasting risk probabilities).
In the event of non-payment, we transmit the data required for debt collection proceedings to Coeo Inkasso GmbH so that they can enforce the outstanding claims on our behalf.
In addition, we transmit data to Lidl Digital Trading GmbH & Co. KG to exercise the direct debit mandate as part of Lidl Pay.
3.12 Digital Services
Purposes of data processing/legal basis
In Lidl Plus, you can activate a special discount collector and purchase access authorisations to digital services from various partners ("Digital Services"). As soon as you have acquired access authorisation, we will process the following data:
- Start and end date of your access authorisation,
- Cancellation date of the free month,
- Available accesses,
- Information about the activation of the discount collector for Digital Services,
- Purchase values accumulated in the discount collector.
We use the information on access authorisations to determine your interests as described above and to display personalised advertising.
The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above-mentioned data on the basis of the contractual relationship between you and us.
Recipients/categories of recipients
If you have activated the discount collector for Digital Services in Lidl Plus and purchased an access authorisation for the Digital Services of Schwarz Digits Content GmbH, we transmit the following data to them for the purpose of processing the contract with you and for the purpose of fraud prevention:
- Customer number,
- Preferred Lidl store, date of purchase of access authorisation,
- Cancellation date of the access authorisation and the free month,
- Country and language,
- First name and surname,
- Email address,
- Mobile number,
- Device data.
The legal basis for this transfer is the legitimate interest of Schwarz Digits Content GmbH in processing the contract with you (Article 6(1)(f) GDPR).
4. To which other recipients do we pass on your personal data?
4.1 Overview
Your personal data will only be passed on without your prior consent in the cases mentioned in Sections 3.1 - 3.13 if this is permitted by law. This is the case, for example, if:
- we have a legitimate interest in sharing your personal data for administrative purposes within the Lidl Group and your rights and interests in protecting your personal data within the meaning of Article 6(1)(f) GDPR do not outweigh this interest
or
- we use third parties as data processors who we have carefully selected and that are contractually obliged to process your personal data exclusively in accordance with our instructions.
4.2 Transfer within the Lidl Group
The data provided during registration will be passed on within the Lidl Group for internal administrative purposes, including joint customer support.
Any disclosure of personal data is justified by the fact that we have a legitimate interest in disclosing the data for administrative purposes within our Group (Article 6(1)(f) GDPR).
4.3 Transfers to recipients in third countries
Under specific circumstances, it may be necessary for us to transfer your personal data to recipients in a third country or several third countries outside the European Union (EU)/the European Economic Area (EEA).
The EU Commission has certified some third countries as having a level of data protection comparable to the GDPR by means of an adequacy decision. You can find an overview of third countries with an adequacy decision here. For service providers based in the USA, this only applies if they are certified in accordance with the EU-US Data Privacy Framework.
If there is no adequacy decision, we secure the transfer by other measures. These can be, for example, binding company regulations, standard contractual clauses of the European Commission, certificates or recognised codes of conduct.
Unless otherwise stated, the transfer to a third country takes place either on the basis of an adequacy decision or one of the measures listed above. If you have any questions, please contact our data protection officer (Section 2).
5. How long do we store your personal data?
We delete or anonymise your personal data as soon as it is no longer required for the purposes stated. As a rule, we store your personal data for the duration of your participation in Lidl Plus. If you are inactive for 24 months or actively delete your Lidl Plus account, we will notify you of the pending cancellation. Within 72 hours, you have the option of reversing the cancellation by logging in again. If your data must be stored for a longer period of time due to statutory retention periods or to secure, assert or enforce legal claims, we will store your data beyond the cancellation of the account. The data will only be stored for as long as is legally permissible.
If you do not use Lidl Pay for 24 months, the data collected within this function and the function itself will be deleted. You can then re-register for Lidl Pay at any time.
All personal data that you send us in the context of customer service enquiries will be deleted or anonymised by us no later than 90 days after the final response. Experience has shown that there are usually no more queries after 90 days. If data subjects assert their rights, personal data will be stored for three years after the final response to prove that we have provided comprehensive information and complied with the legal requirements.
We store the log files in which we record your interactions with Lidl Plus (your registration, password reset, etc.) for a period of up to 90 days.
6. What rights do you have with regard to the processing of your data?
You have the right to request information about the personal data stored about you free of charge in accordance with Article 15(1) GDPR.
If the legal requirements are met, you also have the right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR). If you have provided us with the processed data, you have a right to data portability in accordance with Article 20 GDPR.
If data processing is carried out on the basis of Article 6(1)(1)(e) or (f) GDPR, you have the right to object in accordance with Article 21 GDPR. If you object to data processing, this will only be continued if we can demonstrate compelling legitimate grounds for further processing that outweigh your interest in objecting. You can send your objection to customer.care@lidl.co.uk at any time.
If the data processing is based on consent in accordance with Article 6(1)(1)(a) or Article 9(2)(a) GDPR, you can withdraw your consent at any time with future effects without affecting the lawfulness of the previous processing.
You also have the right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority of the country in which you live or in which the controller has its registered office is responsible.