Data protection guideline – displaying the Trustbadge

When displaying the Trustbadge on your website, you – as the data controller – are required to:

  • keep information in your records of processing activities up-to-date;
  • ensure the balancing of interests in accordance with Article 6 (1) (f) GDPR; and
  • adjust your Privacy Policy.

We have developed this tool with utmost care but cannot guarantee that it is complete and correct. It is intended as a checklist with text templates and as a suggestion on how the aforementioned issues should be processed.

For detailed questions in individual cases, always seek professional legal advice.

Information concerning records of processing activities

The following information should be included in the records of processing activities:

Web server log files of the Trustbadge

This procedure describes how personal data are processed in the context of displaying the Trustbadge on the controller's website.

Detailed description of the processing:

In order to display the Trusted Shops Trustmark and any collected reviews and to offer the Trusted Shops products to customers after they place an order, we have integrated the Trusted Shops Trustbadge on the controller’s website because, in such cases, Trusted Shops GmbH processes data in the capacity of the processor. The Trustbadge is provided by a CDN service provider (Content-Delivery-Network; subcontractor). Trusted Shops GmbH uses the services of a U.S.-based provider. An appropriate level of data protection is guaranteed.

With every use of the Trustbadge, the web server automatically saves a so-called server log file which contains also your IP address, the date and time of the request, the volume of data transferred and the requesting provider (access data), and documents the request.

Legal grounds

Overriding legitimate interests pursuant to Article 6 (1) (f) GDPR

Processing purposes

  • Abuse and fraud prevention
  • Product offering and website optimisation
  • Ensuring trouble-free operation of the website

Data subjects

Website visitors

Processed data

  • IP address
  • Access data
  • Order number (in the case of an order)


IT department of the data processor
Sub-contractor Amazon Web Services (AWS),
410 Terry Avenue North,
Seattle WA 98109-5210, USA,
certified under the EU-U.S. Privacy Shield + EU standard contractual clauses.

Storage period:

Individual pieces of access data are stored in a security database for the analysis of security vulnerabilities. The log files are automatically erased no later than 90 days of their date of creation. 

Technical and organisational measures

According to the Data Processing Agreement with Trusted Shops GmbH acting as the data processor

Balancing of interests in the case of displaying the Trustbadge

Interests of the controller


Controller's own interests: The controller’s interest consists of optimal marketing its products while ensuring safety of purchases using automatic protection offered by Trusted Shops Buyer Protection and authentic customer reviews. The Trustbadge should be reliably displayed; errors resulting from multiple transmissions of identical order numbers should be avoided.


Interests of third parties: Trusted Shops GmbH also has an interest in the fulfilment of contracts with registered buyers, whereas the service provider, who is responsible for the error-free and uninterrupted delivery of the Trustbadge, has an interest in the analysis of security vulnerabilities.


Those interests are also recognised by third parties, e.g. other companies. This indicates that said interests are legitimate.


The controller’s right of freedom to exercise a trade or profession is affected as its fundamental right. This indicates that the said interests are legitimate.


These interests are recognised in other legal regulations as well, e.g. Act Against Unfair Competition [UWG], German Trademark Act [MarkenG]. This indicates that said interests are legitimate.


There is no less severe measure which can guarantee faultless security of the respective purchase, and the submission and verification of an "authentic" customer review than connecting the customer's information to the respective transaction, and automatically providing the relevant transaction data.

Interim result:

The controller has a legitimate interest in the processing.


No other fundamental rights besides the right to the protection of the processed personal data of the data subject are affected.


Only pseudonyms are processed. The data cannot be directly traced back to a particular person, and isn’t traced back by the data recipients.


The data are not public. However, the data are collected from the data subject directly, and they are clearly informed of this. The data are not published.


The data are of high quality; the error rate is low thanks to automatic transfer.


A third party, AWS, processes the data in order to ensure the faultless / uninterrupted delivery of the Trustbadge. The data are transmitted to the USA. An adequate level of protection of the processed data is, however, guaranteed by using the services of a Privacy Shield certified service provider and the EU's standard contractual clauses in agreements.


All visitors of the respective website are affected.


Website visitors know of the data processing, since it is common practice to integrate third-party visual content, and because they are clearly informed of this fact in the Privacy Policy.


The storage period is strictly limited to no more than 90 days; the data are automatically erased upon lapse of this period. The data subject is only minimally affected.

Balancing of interests in the narrow sense

The data subjects are clearly informed of the data processing in the Privacy Policy. Furthermore, data processing is to be expected, as the processing of pseudonyms is inevitable in the light of today's state of technology. The storage period also serves overriding legitimate interests but the data subjects are not excessively affected by this process.

The data subjects also have their own interest in the error-free and uninterrupted delivery of the Trustbadge, as this is the only way to provide the controller's trust-building services in any case. Additionally, for visitors who have already concluded a contract with Trusted Shops GmbH this is the only way to make use of the contractual services.

Overall, the interests, fundamental rights, and freedoms of the data subject are not excessively affected by the data processing. The legitimate interests of the controller and the aforementioned third parties are overriding.

Privacy Policy Template

Privacy Policy Template

Was this article helpful?

1 out of 2 found this helpful