Business partners
Contractual Relationships with Business Partners
The following data protection notice applies to you if you are a business partner of Lidl or if you are a legal representative, employee, shareholder, or beneficial owner of a business partner. Business partners are legal or natural persons who are engaged in negotiations with Lidl to establish a business relationship or who are already parties to such a relationship with Lidl. Contracts concerning employment or training relationships are expressly excluded.
The following data protection notice is designed to inform you about how and to what extent your personal data is processed. Personal data is information that identifies you or could identify you directly or indirectly. The statutory basis is, in particular, the General Data Protection Regulation (GDPR), the national legislation on data protection and any subsidiary legislation issued under the same as may be amended from time to time.
Purposes of Data Processing / Legal Basis
a) Fulfillment of Contractual Obligations (Article 6(1)(b) GDPR)
If you, as a natural person, are a business partner of Lidl, the purposes of processing your data generally arise from carrying out pre-contractual measures that precede a contractually regulated business relationship and from fulfilling obligations arising from the concluded contract.
b) Compliance with Legal Obligations (Article 6(1)(c) GDPR)
In individual cases, the processing of personal data in the business partner context may be necessary to fulfill legal requirements. The specific purposes of data processing result from applicable legal provisions. These legal obligations include, for example, compliance with retention and identification obligations in accordance with anti-money laundering regulations, tax control and reporting obligations, and data processing in response to official requests or compliance audits in connection with the relevant mandatory laws.
c) Protection of Legitimate Interests (Article 6(1)(f) GDPR)
If you are an employee, legal representative (e.g. managing director or authorized signatory), shareholder, or beneficial owner of one of our business partners, we collect and process your data as listed above in the context of the business partner relationship to fulfill our legitimate interests.
These legitimate interests include, in particular, the selection of suitable business partners, conducting social audits to verify compliance with social standards, conducting surveys to evaluate companies, facilitating communication and contact through our company-wide user directory, associating work results with specific business partners, recording business transactions, negotiating with representatives who are not direct business partners, as well as processing data in the context of digitalization efforts. Further legitimate interests include event invitations, the assertion of legal claims and avoidance of legal disadvantages (e.g. in insolvency cases), verification of authorizations (e.g. for cash handlers), prevention of risks and liability claims, prevention of legal and economic risks, detection and handling of potentially harmful emails, access control, clarification of potential compliance violations through internal compliance investigations (e.g. documentation of antitrust violations), prevention of criminal offenses, settlement of damages resulting from business relationships, efficient and fast digital contract signing, proper logging of the signing process for evidentiary purposes, verification of the validity of qualified electronic signatures, and other internal administrative purposes (e.g. user and contract management, project management and billing, process optimization, processing in ticketing systems and IT portals).
d) Based on Consent (Article 6(1)(a) GDPR)
Additionally, the processing of your personal data may be based on your voluntary consent in accordance with Article 6(1)(a) GDPR.
Categories of Data
The specific data processed depends primarily on the agreed services and the nature of our business relationship. Therefore, not all parts of this information may be relevant to you.
We typically collect your data directly from you. However, in certain situations, due to legal requirements or legitimate interests (e.g. as part of business partner compliance checks), it may be necessary to process personal data that we receive from other companies, tax authorities, government agencies, credit bureaus, insolvency registers, publicly accessible sources (such as internet research), or other third parties. This also includes reports received through our whistleblower channels regarding possible compliance violations.
Relevant personal data may include:
• Personal details (e.g., first and last name, address, other contact details, date and place of birth, nationality)
• Identification and authentication data (e.g., commercial register extracts, ID card details, signature samples)
• Company information, as well as position, role, and department within the company, supervisor details
• Data related to our business relationship (e.g., payment data, order details)
• Information about corporate structures and ownership
• Photo and video recordings (e.g., during goods deliveries)
• Log data, username, user ID
• Compliance-related data (e.g., references, insolvency information, negative media coverage, details of criminal investigations related to the service provided)
In some cases, we obtain creditworthiness data from credit agencies when entering into a contract. This data is used to assess financial reliability. Credit agencies store data they receive from banks or companies, including name, date of birth, address, and payment behavior.
If you enter into a contract with us using a digital signature, we process related data, such as your email address, IP address, and timestamps of document interactions. For contracts signed with a qualified electronic signature, we additionally process the certificate data of your signature. These data are accessible to all individuals involved in the contract approval and signing process.
Recipients / Categories of Recipients
Within our company, access to your provided data is granted to those areas that require it to fulfill contractual or legal obligations, to protect legitimate interests, or as authorized by your separate consent declaration.
This typically includes the procurement department or purchasing teams, as well as the recipients of services within the Lidl national organization with which the business partner has entered into a relationship, and Lidl Stiftung & Co. KG, which supports Lidl national organizations.
As part of contractual relationships, legal obligations, and legitimate interests, service providers, government agencies, or other processors may also access your personal data. Compliance with data protection regulations is contractually ensured in these cases.
Data may also be transferred to companies within the Schwarz Group to fulfill contractual obligations. If you have entered into a framework agreement with the Schwarz Group as an authorized service recipient, the respective procurement and purchasing departments (Schwarz Beschaffung GmbH) have access to relevant business partner contact details, and national compliance departments have access to business partner compliance check data. The legal basis for this is Article 26 GDPR under joint controllership. Outside our corporate group, data will only be shared if we are legally obligated to do so (e.g. for government investigations).
Data Retention Period
Personal data is retained as long as necessary to fulfill the above-mentioned purposes. The relevant retention periods, particularly those under the tax legislation, require storage for up to twelve years. In certain cases, data may be retained beyond this period (e.g. for construction documentation).
Obligation to Provide Data
As part of our business relationship, you must provide the personal data necessary for initiating, executing, and terminating the relationship, as well as for fulfilling the associated obligations. This includes data we are legally required to collect or that we process based on legitimate interests. Without these data, we will generally be unable to enter into a business relationship with you.
Data Transfers to Third Countries
If we transfer personal data to recipients outside the European Economic Area (EEA), such transfers will only occur if the EU Commission has confirmed an adequate level of data protection, if appropriate safeguards have been agreed upon (e.g. EU standard contractual clauses), if you have provided consent, or if we are legally obligated to do so.
Your rights as data subjects
You have the right to request information about the personal data stored about you, free of charge in accordance with Article 15(1) GDPR. If the legal requirements are met, you also have the right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR). If you have provided us with the processed data, you have a right to data portability in accordance with Article 20 GDPR. If data processing is carried out on the basis of Article 6(1)(1)(e) or (f) GDPR, you have the right to object in accordance with Article 21 GDPR. If the data processing is based on consent in accordance with Article 6(1)(1)(a) or Article 9(2)(a) GDPR, you can withdraw your consent at any time with effect for the future without affecting the lawfulness of the previous processing.
You also have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for data protection in Cyprus is the Office of the Commissioner for Personal Data Protection (Kipranoros 15, 1061 Nicosia, Cyprus, +357 22 818456, commissioner@dataprotection.gov.cy).
Name and Contact Details of the Data Controller and the Data Protection Officer
The controller of your data within the meaning of Article 4, point 7 GDPR is Lidl Cyprus, 2, Pigasou Str., CY – 7100, Aradippou, Larnaca if your business relationship has been established with it. In case you have concluded a contract with another company of the Schwarz Group, the company with which you are cooperating is the data controller for the data processed in the context of this business relationship.
For data processing with joint controllership, the relevant information is provided by the company with which you are cooperating. This company is also responsible for fulfilling the obligations of the GDPR.
For information on the processing of your data and to exercise your rights, you can send a request at any time to Lidl Cyprus, 2, Pigasou Str., CY – 7100, Aradippou, Larnaca, for the attention of the Data Protection Officer, or by e-mail to dataprotection@lidl.com.cy.