Does Trusted Shops conclude an additional data processing agreement with the online retailer?
As part of the Trusted Shops membership agreement, Trusted Shops concludes a data processing agreement with the website owner. The terms and conditions are available here:
The Data Processing Agreement according to GDPR and the appendices (incl. TOM and list of sub-processors) are available from the website indicated in the preamble: https://support.trustedshops.com/lp/en/legal_order_processing_appendices
The processing operations covered by the Data Processing Agreement are also specified in the preamble.
Above all, they include:
- the display of the Trustbadge graphic on the website; and
- the sending of review request emails on your behalf if you have activated tools such as Review Collector, Automation or the Trusted Shops API.
When are data processed by processors and for how long are they stored?
Trusted Shops as controller vs. processor

| Processing activity | Controller | Processor |
|---|---|---|
| Use of the B2B online system | Trusted Shops | |
| Use of the B2C online system | Trusted Shops | |
| Use of the review system | Trusted Shops | |
| Content of the Trustbadge / use of Trusted Shops services | Trusted Shops | |
| Display of the Trustbadge in the shop | Online shop | Trusted Shops |
| Review Collector | Online shop | Trusted Shops |
| Auto-Collect | Online shop | Trusted Shops |
| Application programming interface (API) | Online shop | Trusted Shops |
| Trusted Shops legally compliant text generator / generator for records of processing activities | Online shop | Trusted Shops |
Display of the Trustbadge, Review Collector, Auto-Collect, API
Online shop owners are controllers because they decide independently on the purposes and means of the data processing. They obtain consent from data subjects and, on that basis, have Trusted Shops send review requests, which are treated as advertising.
Trusted Shops is responsible for the content of the Trustbadge and for the related processing of data through the Trustbadge that takes place when the Trusted Shops services are used (Trusted Shops buyer membership, Trusted Shops Buyer Protection, review reminders for members).
Trusted Shops acts as the processor, i.e. processes data on behalf of the member (the controller), for the following processing activities: Trusted Shops sends review reminders on your behalf only if Review Collector, Auto-Collect or the API is used; the necessary consent of the data subjects is obtained by the controller. In addition, we display the Trustbadge graphic on your website on your behalf.
For more details see the Trustbadge documentation for online retailers.
Why is information about recipients of review request emails partially hidden in the Control Center?
In the Control Center, there are two overviews available:
- the Invite History, which is the overview of the sent review request emails,
- and the Review Inbox, which is the overview of received reviews.
Review invite emails sent in our capacity as processor (see above) can be viewed in the Invite History together with the related information on the recipients.
However, review invite emails sent out by Trusted Shops as the controller cannot be viewed together with the corresponding information on the recipients, because this would change the purpose of the processing and would also require transferring personal data to a third party, for which no legal ground exists.
Trusted Shops sends out those review invite emails as a controller on the following legal ground: "advertising to existing customers regarding our own similar services" as per Article 7 (3) of the Act Against Unfair Competition [UWG], and thus does not obtain express consent from its customers. This procedure is applied only to contracts with existing customers and involves only Trusted Shops, because for us the use of the review system is "our own similar service" and is supplied in addition to the other services as part of the agreement on the use of Trusted Shops Services for consumers. Therefore, such review invite emails cannot be sent out as processing by the processor on behalf of the online retailer.
In the Review Inbox, the email address of the customer who submitted a review can be displayed, because the retailer needs this information to verify the authenticity of the transaction and of the review. Data subjects are informed of this before their data are processed.
When displaying/using the Trustbadge for the ordering process on your website, you – as the data controller – are required to:
- keep information in your records of processing activities up-to-date;
- ensure the balancing of interests in accordance with Article 6 (1) (f) GDPR; and
For these required adjustments, you can use the following tools:
- Data protection guideline – displaying Trustbadge
- Data protection guideline – recognition of registered Trusted Shops customers
- Data protection guideline – provision of the required order data
- Template text for your privacy declaration (Trustbadge)
What data of our customers are processed and stored?
As regards the processing of data by the processor, you as the controller decide what data Trusted Shops will process on your behalf. The minimum scope of the required data: For displaying the Trustbadge, the IP address of the customer will be processed. For sending review invite emails through Review Collector, the function of sending review invite emails automatically, or API, the minimum scope includes the email address, the order number and the order date. Optionally, other data such as forename, surname and product details (only for product reviews) can be transmitted and processed.
For what purposes are data processed – only for review invite emails?
Are data disclosed to other parties – if yes: to what third parties? Also to third countries?
Trusted Shops uses the services of hosting companies and infrastructure providers. In doing so, Trusted Shops GmbH also uses the services of U.S.-based providers. An appropriate level of data protection is guaranteed (Privacy Shield certification plus standard contractual clauses).
Are data anonymised?
Personal data are transmitted at all times using state-of-the-art encryption technologies. Data are not anonymised in the meaning of data protection laws.
For how long are customer data stored? Are they erased automatically? (After what time are they erased? What is the data erasure concept?)
Whenever the Trustbadge is used, the web server automatically saves a so-called server log file, which documents the request and contains your IP address, the date and time of the request, the volume of data transferred and the requesting provider (access data). Individual pieces of access data are stored in a security database for the analysis of security vulnerabilities. The log files are automatically erased no later than 90 days after they were created.
How can we comply with the customer request to erase their personal data? Do we have to inform Trusted Shops of every customer request so that the data are also erased by TS?
According to Article 19 GDPR, each recipient to whom the personal data have been disclosed must be informed when a data subject exercises their rights. This includes Trusted Shops whenever the request relates to customers whose data have been processed by Trusted Shops on behalf of the controller.
Should a reference to the customer’s right to object (Article 21 GDPR) be included?
Displaying the Trustbadge
For displaying the Trustbadge, where the member acts as the controller and Trusted Shops as the processor (using the services of Akamai), the member must inform the data subject of their right to object. The easiest way to do so is to provide a contact address to which the objection can be sent. In addition, data subjects can optionally be referred to tools they can use to block third-party content on the website, e.g. Privacy Badger or Ghostery.
The latter is not mandatory, because before the customer's objection takes effect, the data controller must be able to check whether the data processing is necessary for the establishment, exercise or defence of legal claims, or whether compelling legitimate grounds for the processing exist which outweigh the interests, rights and freedoms of the data subject.
For the sake of completeness:
Data processing in the context of recognising registered Trusted Shops member buyers
With regard to the data subjects' right to object, please refer to the previous paragraph, which applies analogously.
The data protection officer at Trusted Shops GmbH:
Trusted Shops GmbH
Data Protection Officer
Subbelrather Str. 15c