Lidl Plus is a loyalty program (hereinafter referred to as the “Service” or “Lidl Plus”) providing you with offers and advertising campaigns from the Companies tailored to your interests by the Lidl group of companies and selected business partners.

You can use Lidl Plus by registering for selected online services of the Lidl group of companies (“Online Services”, e.g. online shops, Click and Collect service, applications, etc.). Please note that some functionalities are offered exclusively via the Lidl app. For example, you must identify yourself with the Lidl app at the cashier desk so that your purchases in Lidl stores can be assigned to your Lidl Plus account.

You can use Lidl Plus by registering for selected online services of the Lidl group of companies (“Online Services”, e.g. online shops, Click and Collect service, applications, etc.). Please note that some functionalities are offered exclusively via the Lidl app. For example, you must identify yourself with the Lidl app at the cashier desk so that your purchases in Lidl stores can be assigned to your Lidl Plus account.

Unless otherwise stated below, Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm (“Lidl Stiftung”, “we”, “us”) is responsible for your data processing within the framework of Lidl Plus.

You can contact the Lidl Stiftung Data Protection Officer at the above postal address or via dataprotection@lidlplus.bg.

Purposes/legal grounds of data processing

After registration completion, you can use Lidl Plus in all related online services with the same username and password, as well as have access to your basic customer data, purchase history and used Lidl Plus functions in your Lidl Plus account.

When registering with Lidl Plus, the following data is processed:

■ Name,

■ date of birth,

■ email address,

■ mobile phone number,

■ password,

■ to address (optional),

■ gender (optional),

We need your date of birth, as only people who are at least 18 years old can participate in Lidl Plus (see section 2 of the participation conditions), as well as because for certain products (e.g. alcoholic drinks) age restrictions must be observed according to the Youth Protection Act.

In your Lidl Plus account, you can optionally provide your address and surname. However, this data is required for certain functions.

If you have registered for Lidl Plus in the Lidl app, we will also process the branches you have selected there. In addition to the data listed above, we also receive information from the online service you use – if any – about the payment methods specified there, as well as your purchase and order history. You can view this data in your Lidl Plus account. You can find out which online services transmit your payment history to the Lidl Plus account in the data protection guidelines of the online services.

If you have registered with our Family Club, information about the benefits provided will also be stored and displayed in your Lidl Plus account.

In particular, we process the data collected during registration for the following purposes:

■ communication with you,

■ verifying your identity as the account holder (e.g. when resetting your password),

■ unambiguous attribution of your purchasing and usage behaviour to your customer profile.

We also use your email address to send you a notification if your account is accessed from a new device.

To ensure the security of registration/login process, the following data is processed:

■ the specified email address or mobile phone number,

■ IP address,

■ mouse movements,

■ the length of time you stay on the registration page,

■ online identifiers such as device ID,

■ browser details (browser name and version),

■ name and version of the operating system of the device on which the browser is installed,

■ your device's network location when you sign in,

■ the date and time of the registration/login attempt,

■ information whether registration/login attempts were successful.

The legal basis for the above data processing is Article 6(1)(b) and (f) of the General Data Protection Regulation (GDPR), i.e. we process your data in order to be able to provide you with our services in accordance with the contract. Our legitimate interest arises from the purposes of the data processing described.

Recipients/categories of recipients

If you log in to online services as a Lidl Plus user, we will pass on to the relevant online service operator the data necessary to provide the service you have ordered. Depending on the offer, this includes:

■ the verified login details (e.g. email address, password, mobile phone number),

■ basic data (e.g. name, address, date of birth),

■ saved payment methods,

■ the information saved in the “About Me” section,

■ information about your participation in Family Club.

We also pass on your basic customer data to those companies within the Lidl group of companies with whom you come into contact as part of customer service inquiries.

Purposes of data processing/legal grounds

When you use Lidl Plus, you can identify yourself at the cashier desk. In this case, we collect the following data:

■ the branch you visited,

■ the products purchased or returned by you by type, quantity and price,

■ the coupons and deposit vouchers you redeemed,

■ the amount of the purchase receipt,

■ payment process time and what payment method was used.

When you shop at Lidl stores, you can collect digital points and exchange them for Lidl Plus reward vouchers. When exchanged for rewards, the points you collect are assigned to your customer number. Product returns are also taken into account when calculating the points.

The legal basis for this is Article 6(1)(b) GDPR, i.e. we process the above mentioned data based on our contractual relationship with you.

To prevent economic damage to Lidl Group of Companies, we analyse your purchasing behaviour for the purpose of fraud prevention. For this purpose, we specifically evaluate whether and how often items are returned. The legal basis for this is Article 6(1)(f) of GDPR. Our legitimate interest arises from the specified processing purposes.

In the event of a product recall, we verify whether you have purchased the affected product so that we can inform you about the recall campaign. This processing is carried out to protect your health (Article 6(1)(d) of GDPR) and because we have a legitimate interest in informing you about any product recall (Article 6(1)(f) of GDPR).

Purposes/legal grounds of data processing

Within Lidl Plus, we determine which products, advertising campaigns and services could be potentially interesting and relevant to you. This is done in particular on the basis of the following data:

■ purchases in the branches (e.g. products purchased or returned by you by type, quantity and price),

■ demographic information (e.g. age, gender, place of residence),

■ data stored in the Lidl Plus account,

■ information about life circumstances and interests, which is contained in the “About me” section,

■ activated and/or redeemed coupons,

■ participation in prize games and advertising campaigns,

■ reservations,

■ using our partner offers described in section 3.8 (e.g. time, quantity, place),

■ use of the digital services described in section 3.10 (e.g. information about your permission to access the services of our business partners, duration of use of the services, end date of the free month, activation and use of discount collectors for digital services)

used functions of Lidl Plus. To determine your interests, the following information from the digital services is additionally processed:

■ Lidl app usage data, e.g.

o sections of the application visited,

o items viewed,

o operating system version,

o device identifier,

o system language and selected country,

o version of the Lidl application used,

■ tracking data, e.g.

o advertising identifiers (iOS-IDFA, Android advertising ID or Huawei ID, email address, street address, mobile phone number),

o IP/MAC address,

o HTTP header,

o fingerprint of the end device,

o information about the use of applications and websites (links clicked, areas visited, duration and frequency of use, number of clicks and scrolls),

o application and event tokens,

■ information from the online service of the companies in the Lidl group of companies, e.g.

o acquired/saved products in the online service by type, quantity and price,

o amount of the receipt and time of the payment process,

o payment method used,

o selected delivery method,

o participation in surveys and prize games,

o products saved in the basket,

o shopping frequency,

o data from the web tracking of the online service,

■ Your usage behaviour regarding marketing communication of online services, e.g.

o time of bulletins opening,

o links and areas you clicked on,

o duration and frequency of use.

We use mathematical and statistical methods to determine your interests. For this purpose, your personal data is also compared with the data of other customers. Based on this comparison, we can assess which products and advertising campaigns are suitable for customers with comparable interests.

We use this information to show you and other customers personalized and interest-based advertising in online services and the best individual offers and discount advertising campaigns. For this purpose, you will receive – where possible – personalized information about products, advertising campaigns, prize games, new services, customer surveys and news from streaming offers, affiliates, online shops, flowers, photos and travel. We also use this information to optimize the Lidl Plus programs.

The legal basis for this is Article 6(1)(b) of GDPR, i.e. we process the above-mentioned data based on our contractual relationship with you.

Recipients/categories of recipients

We may also transfer the data described in this paragraph to other companies in the Lidl Group of Companies or other third parties if there is a legal basis therefor (in particular, your consent to the use of tracking techniques in our online services).

Purposes/legal grounds of data processing

If you provide us with your address when registering for a Lidl Plus account or at a later stage, we will use it to optimize advertising activities (e.g. distribution of brochures, poster advertising) as well as to optimize our branch network.

This data will be processed on the basis of our legitimate interest in optimising distribution channels (Article 6(1)(f) of GDPR).

Purposes/legal grounds of data processing

To protect our registration/login process from attacks or malicious use by automated programs (so-called bots), we use Google reCaptcha. Bots attempt to access customer account passwords or limit website functionality through bulk data transmission.

Google reCaptcha determines whether the interaction with the website is that of a human or a bot. For this purpose, the usage behaviour (duration of stay on the site or mouse movements) is analysed, and the IP addresses are read by Google and checked to see if they have been assigned to a bot in the past. If the IP address has been assigned to a bot, Google passes this information on to us. We then store these IP addresses to prevent future attacks. This analysis starts automatically as soon as you open the registration page.

The legal basis for this data processing is Article 6(1)(f) of GDPR. Our legitimate interest arises from the above-mentioned purposes of the processing.

Recipients/categories of recipients

When using Google reCaptcha, the above-mentioned data is also processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA for the provision of the service. We have no influence on the processing and use of data by Google. More information about data processing by Google can be found here: https://policies.google.com/privacy?hl=bg&gl=bg.

Purposes/legal grounds of data processing

As a Lidl Plus user, you can take part in various prize games. Unless otherwise stated in the respective prize game, your data will be processed within the framework of participation in the prize game for the implementation thereof (e.g. determining the winner, notifying the winner, sending the prize) and to determine your interests as specified in section 3.3 .

The legal basis for this is Article 6(1)(b) of GDPR, i.e. we process the above-mentioned data based on our contractual relationship with you.

Recipients/categories of recipients

Data may be transferred to companies in the Lidl group of companies or to third parties, in addition to the above-mentioned determination of your interests and for personalized advertising campaigns, if this is necessary for the prize game implementation (e.g. sending the prize via a logistics company).

Purposes/legal grounds of data processing

If you reserve products through Lidl Plus and purchase them later in the branch, we process this information:

■ to make the subsequent purchase at a Lidl branch possible,

■ to show reservation history,

■ to present you offers specifically tailored to your preferences and interests, as well as participation in advertising campaigns.

The legal basis for this is Article 6(1)(b) of GDPR, i.e. we process the above-mentioned data based on our contractual relationship with you.

Recipients/categories of recipients

We transfer a list of the reserved products and your order number to the relevant Lidl Group company. The Lidl company will use this data at its own risk for the subsequent implementation of the purchase contract.

Purposes/legal grounds of data processing

Through Lidl Plus you have the opportunity to benefit from discounted offers from selected partners. For some of these offers you must identify yourself as a Lidl Plus customer via your digital customer card. In this case, our business partner informs us about the use of the special offer, as well as the related information (e.g. time, quantity, location).

If special offers are proposed within Lidl Plus for the conclusion of a contract with our business partners, we will receive your contact details from them (e.g. email address and mobile phone number) so that we can correctly assign the special offer to your account.

We use the information about the use of partner offers for the above-mentioned determination of your interests and for displaying personalized advertising.

The legal basis for this is Article 6(1)(b) of GDPR, i.e. we process the above-mentioned data based on our contractual relationship with you.

Recipients/categories of recipients

If you take advantage of partner offers through Lidl Plus, we only pass on to the partner the information that you are a Lidl Plus user so that they can provide you with the relevant offer.

Purposes/legal grounds of data processing:

In order to store your digital deposit vouchers in your Lidl app and redeem them at the cashier desk, you must identify yourself at the deposit voucher machines and at the cashier. When storing and redeeming digital deposit vouchers, we process the following data in connection with your customer number and pass it on to the relevant national company:

■ Voucher ID,

■ final amount of the deposit voucher,

■ date of creation and redemption of the deposit voucher,

■ branch,

■ type of packaging for which the deposit is made (bottle, box, glass, etc.),

■ type of redemption (automatic, manual).

The legal basis for this is Article 6(1)(b) of GDPR, i.e. we process the above-mentioned data based on our contractual relationship with you.

Recipients/categories of recipients

If in Lidl Plus, within the My Deposits service, you want to redeem your digital deposit vouchers at the cashier desk, we transfer the deposit vouchers you have selected to the Lidl Group Company, which pays out the value of the deposit vouchers.

Purposes/legal grounds of data processing

In Lidl Plus you can activate a special discount collector and receive permissions to access digital services of various business partners (“Digital Services”). Once you have received access permission, we will process the following data:

■ start and end date of your access permit,

■ end date of the free month,

■ available accesses,

■ information about activating the digital services discount collector,

■ shopping values reached in the discount collector.

We use the access permissions information for the above-mentioned determination of your interests and for displaying personalized advertising.

The legal basis for this is Article 6(1)(b) of GDPR, i.e. we process the above-mentioned data based on our contractual relationship with you.

Recipients/categories of recipients

If you have activated the discount collector for digital services in Lidl Plus and have received permission to access the digital services of Schwarz Digits Content GmbH, we will pass it on the following data for the performance of the contract with you and for fraud prevention purposes:

■ customer number,

■ preferred Lidl branches, date of access permission receipt,

■ end date of the access permit and the free month,

■ country and language,

■ first and last name,

■ email address,

■ mobile phone number,

■ device data.

The legal basis for this transfer is the legitimate interest of Schwarz Digits Content GmbH in the performance of the contract with you (Article 6 (1) (f) of GDPR).

Your personal data will only be transferred without your prior consent in the cases mentioned in sections 3.1 - 3.13 if this is legally permissible. This is the case when:

■ we have a legitimate interest in transferring your personal data for administrative purposes within the Lidl group of companies and your rights and interests in your personal data protection within the meaning of Article 6(1)(f) of the GDPR do not outweigh them

or

■ We use third parties for data processing, which we have carefully selected and have contractually obligated them to process your personal data only in accordance with our instructions.

The data provided during registration is transmitted within the Lidl group of companies for internal administration purposes, including general customer service.

Such a transfer of personal data is justified by our legitimate interest in transferring the data for administrative purposes within our group of companies (Article 6(1)(f) of GDPR).

In certain circumstances, it may be necessary for your personal data to be transferred to a third country or several third countries outside the European Union (EU)/European Economic Area (EEA).

The European Commission has certified through an adequacy decision that certain third countries have a level of data protection comparable to that of GDPR. An overview of third countries with an adequacy decision can be found here. For service providers based in the USA, this only applies if they are certified under the EU-US Data Privacy Framework.

If there is no adequacy decision, we ensure the protection of the transfer with other measures. These may include, for example, binding corporate rules, standard contractual clauses of the European ¬Commission, certificates or recognized codes of conduct.

Unless otherwise stated, the transfer to a third country takes place either on the basis of an adequacy decision or on the basis of one of the measures mentioned above. If you have any questions on this subject, you can contact our Data Protection Officer (section 2).

We delete or anonymize your personal data as soon as it is no longer necessary for the stated purposes. In principle, we store your personal data for the period of your participation in Lidl Plus. If you are inactive for 24 months or delete your Lidl Plus account, we will inform you of the upcoming deletion of the data. You have the opportunity to cancel the deletion within 72 hours by registering again. If your data must be stored longer due to statutory retention periods or to secure, assert or enforce legal claims, we will store your data after the account has been deleted. The storage will only be for as long as permitted by law.

All personal data that you have provided to us in the course of customer service surveys will be deleted or anonymized at the latest 90 days after the final feedback. Experience has shown that after 90 days, no further inquiries are generally received. If you exercise your rights as a data subject, your personal data will be stored for 3 years after the final response as proof that we have provided comprehensive information and complied with legal requirements.

The log files in which we record your interactions with Lidl Plus (e.g. your registration, password reset, etc.) are stored for a period of 90 days.

You have the right to request free information about the personal data stored about you pursuant to Article 15(1) of GDPR.

Furthermore, subject to legal requirements, you have the right to correction (Article 16 of GDPR), deletion (Article 17 of GDPR) and restriction of processing (Article 18 of GDPR). If you have provided us with the processed data for use, you have the right to data portability in accordance with Article 20 of GDPR.

If the data processing is based on Article 6(1)(1)(e) or (f) of GDPR, you have the right to object pursuant to Article 21 of GDPR. If you object to the data processing, it will only continue to be processed if we can demonstrate compelling legitimate grounds that outweigh your interest in objecting. You can send your objection at any time to dataprotection@lidlplus.bg.

If data processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of GDPR, you may withdraw your consent at any time with effect for the future without affecting the lawfulness of the previous processing.

You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority is the data protection supervisory authority of the federal state in which you live or in which the controller has its registered office.