Data protection guideline – provision of the required order data

When using the Trustbadge for the ordering process on your website, you – as the data controller – are required to:

  • keep information in your records of processing activities up-to-date;
  • ensure the balancing of interests in accordance with Article 6 (1) (f) GDPR; and
  • adjust your Privacy Policy.

We have developed this tool with utmost care but cannot guarantee that it is complete and correct. It is intended as a checklist with text templates and as a suggestion on how the aforementioned issues should be processed.

For detailed questions in individual cases, always seek professional legal advice.

Information concerning records of processing activities

The following information should be included in the records of processing activities:

Provision of order data required for the use of the Trusted Shops services

This procedure describes how personal data are processed in the context of providing order data necessary for the use of the Trusted Shops services.

Detailed description of the processing:

In order to display the Trusted Shops Trustmark and any collected reviews, as well as to offer the Trusted Shops products to customers after they place a purchase order, we have integrated the Trusted Shops Trustbadge on the controller’s website because, in such cases, Trusted Shops GmbH processes data in the capacity of the processor.

For customers who use the Trusted Shops services and who have established or are about to establish a contractual relationship with Trusted Shops GmbH, the order data required for the provision of the contractual services are provided and collected through the Trustbadge.

Legal grounds

Overriding legitimate interests pursuant to Article 6 (1) (f) GDPR

Processing purposes

  • Abuse and fraud prevention: only actual transactions can be reviewed / insured
  • Product offering and website optimisation
  • Optimal marketing of the controller’s products thanks to safe purchases based on Trusted Shops Buyer Protection guarantee, and authentic customer reviews ensuring carefree shopping experience

Data subjects

Website visitors

Processed data

  • Order date
  • Order number
  • Customer number
  • Amount
  • Currency
  • First name / Surname
  • Delivery date
  • E-mail address
  • Payment type
  • Product details (only for product reviews)


Trusted Shops GmbH, Subbelrather Str. 15c, 50823 Köln

Storage period

After the contract is completed or a customer account deleted, any further processing of the data is restricted. After expiry of the statutory retention periods, the data are erased, unless the user has expressly consented to the further use of their data or unless we reserve the right to use further data where legally permissible, and insofar as the user has been informed of this fact. The customer account can be deleted at any time.

Technical and organisational measures

Encrypted transfer via SSL and other technical and organisational measures taken by Trusted Shops GmbH based on a separate agreement.

Balancing of interests

Interests of the controller


Controller's own interests: The controller’s interest lies in the optimal marketing of their products while ensuring the safety of purchases through automatic protection in the form of the Trusted Shops Buyer Protection guarantee, and authentic customer reviews.


Interests of third parties: Trusted Shops GmbH also has an interest in the fulfilment of contracts with registered buyers.


Those interests are also recognised by third parties, e.g. other companies. This indicates that said interests are legitimate.


The controller’s right to exercise a trade or profession is affected as its fundamental right. This indicates that said interests are legitimate.


These interests are recognised in other legal regulations as well, e.g. Act Against Unfair Competition [UWG], German Trademark Act [MarkenG]. This indicates that the said interests are legitimate.


There is no less severe measure which can guarantee faultless security of the respective purchase, and the submission and verification of an "authentic" customer review than connecting the customer's information to the respective transaction, and automatically providing the relevant transaction data.

Interim result:

The controller has a legitimate interest in the processing.

Interests / Fundamental rights / Fundamental freedoms of data subjects


No other fundamental rights besides the right to the protection of the processed personal data of the data subject are affected.


The person can directly be identified based on the data alone, there is no pseudonymisation.


Several types of data of the data subject are processed. However, the data are processed only to the extent contractually agreed between Trusted Shops and the data subject and only as far as this is necessary for the provision of contractual services.


The data are not public. However, the data are collected from the data subject directly, and they are clearly informed of this. The data are not published.


The data are of high quality; the error rate is low thanks to automatic transfer.


The data are processed by several companies: by the shop for the purpose of optimal marketing of its products (see above), and by Trusted Shops for the purpose of fulfilling registered buyers' contracts.


Only buyers registered with Trusted Shops who shop in a certified online shop, and only customers who decide to use the Trusted Shops services for the first time through the Trustbadge are affected.


Website visitors know of the data processing, since they are clearly informed of it in the Privacy Policy, and because data subjects affected by such processing expect Trusted Shops to provide the contractual services.

Balancing of interests in the narrow sense

All data subjects have concluded a contract with the data controller or are about to conclude one in the context of the data processing. Thus, the processing also serves the interests of the data subject and should be expected by them. The data subject receives clear information on the data processing when concluding the contract and also in the Privacy Policy.

The automatic collection of data is neither contrary to expectations nor excessively burdensome for the data subject since they expect the contractual services to be provided by the data controller and are interested in the appropriate protection of their purchases, as well as in being able to rely on real customer reviews. This, however, can only be ensured by automatically connecting data information with transactions the authenticity of which can be verified.

The interests, fundamental rights, and freedoms of the data subject are not excessively affected by the data processing. Thanks to transparent information, data subjects are not surprised by the processing taking place. What is more, it is even expected as part of handling their contracts. The automatic processing of the data is also justified by the overriding legitimate interests of the data controller.

Privacy Policy Template

Privacy Policy Template

Was this article helpful?

0 out of 0 found this helpful