FAQ on Trusted Shops Data Protection

Does Trusted Shops conclude an additional data processing agreement with the online retailer?

As part of the Trusted Shops membership agreement, Trusted Shops concludes a data processing agreement with the website owner. The terms and conditions are available here:

The Data Processing Agreement according to GDPR and the appendices (incl. TOM and list of sub-processors) are available from the website indicated in the preamble: https://support.trustedshops.com/lp/en/legal_order_processing_appendices

The processing operations covered by the Data Processing Agreement are also specified in the preamble.

They include above all

  1. The display of the Trustbadge graphic on the website; and
  2. The sending of review request emails on your behalf if you activated tools such as Review Collector, Automation and Trusted Shops API.

When are data processed by processors and for how long are they stored?

Trusted Shops as controller vs. processor

Operation Controller Processor
Use of the B2B online system Trusted Shops  
Use of the B2C online system Trusted Shops  
Use of the review system Trusted Shops  
Content of the Trustbadge / Use of Trusted Shops services Trusted Shops  
Display of the Trustbadge in the shop Online shop Trusted Shops
Review Collector Online shop Trusted Shops
Auto-Collect Online shop Trusted Shops
Application programming in­terface (API) Online shop Trusted Shops
Trusted Shops legally compliant text generator / generator for records of processing activities Online shop Trusted Shops


Display of the Trustbadge, Review Collector, Auto-Collect, API

Online shop owners are controllers because they decide independently on the purposes and means of data processing. They obtain consent forms from data subjects and, on their basis, they send Trusted Shops review requests, which are treated as advertisements.


Trusted Shops is responsible for the content of the Trustbadge and the related processing of data through Trustbadge taking place when using the Trusted Shops services (Trusted Shops buyer membership, Trusted Shops Buyer Protection, review reminders for members).

Trusted Shops acts as the processor, i.e. processes data on behalf of the member (the controller) in the case of the following processing activities: Trusted Shops sends review reminders on your behalf only if Review Collector, Auto-Collect or API are used. The necessary consent forms of data subjects are obtained by the controller. In addition, we present the graphic of the Trustbadge on your website also on your behalf.

For more details see the Trustbadge documentation for online retailers.

Why is information about recipients of review request emails partially hidden in the Control Center?

In the Control Center, there are two overviews available:

  • the Invite History, which is the overview of the sent review request emails,
  • and the Review Inbox, which is the overview of received reviews.

Review invite emails sent in our capacity of processors (see above) can be viewed together with the related information on the recipients in the Invite History.

However, review invite emails sent out by Trusted Shops as the controller cannot be viewed together with the corresponding information on the recipients, because this would mean a change in the purpose of the processing and would also require transferring personal data to a third party, for which no legal ground exists.

Trusted Shops sends out those review invite emails as a controller based on the following legal grounds: "Advertisement to existing customers regarding our own similar services” as per Article 7 (3) of the Act Against Unfair Competition [UWG] and, thus, does not obtain express consent from its customers. This procedure is applied only with respect to contracts with existing customers and involves only Trusted Shops because for us the use of the review system is “our own similar service” and is supplied in addition to the other services as part of the agreement on the use of Trusted Shops Services for consumers. Therefore, such review invite emails cannot be sent out as part of processing of data by the processor on behalf of the online retailer.

In the Review Inbox, the email address of the customer adding a review can be displayed because this information is necessary for the retailer to check the authenticity of the transaction and of the review. Data subjects are duly informed of this fact before their data are processed.

Do I have to adjust my Privacy Policy if I use the Trustbadge?

When displaying/using the Trustbadge for the ordering process on your website, you – as the data controller – are required to:

  • keep information in your records of processing activities up-to-date;
  • ensure the balancing of interests in accordance with Article 6 (1) (f) GDPR; and
  • adjust your Privacy Policy.

For these required adjustments, you can use the following tools:

What data of our customers are processed and stored?

As regards the processing of data by the processor, you as the controller decide what data Trusted Shops will process on your behalf. The minimum scope of the required data: For displaying the Trustbadge, the IP address of the customer will be processed. For sending review invite emails through Review Collector, the function of sending review invite emails automatically, or API, the minimum scope includes the email address, the order number and the order date. Optionally, other data such as forename, surname and product details (only for product reviews) can be transmitted and processed.

For what purposes are data processed – only for review invite emails?

If Review Collector, Auto-Collect or API are used, Trusted Shops sends out review invite emails on your behalf. The data are not used or stored by Trusted Shops for any other purposes than that. Only by adding a review does the customer who received a review invite email agree to the Trusted Shops terms of use and the further use of their data for the purpose of fulfilling the contract.

Are data disclosed to other parties – if yes: to what third parties? Also to third countries?

Trusted Shops uses services of hosting companies and infrastructure providers. In so doing, Trusted Shops GmbH uses also services of U.S.-based providers. An appropriate level of data protection is guaranteed (Privacy Shield certification + standard contractual clauses).

Are data anonymised?

Personal data are transmitted at all times using state-of-the-art encryption technologies. Data are not anonymised in the meaning of data protection laws.

For how long are customer data stored? Are they erased automatically? (After what time are they erased? What is the data erasure concept?)

Whenever the Trustbadge is used, the web server automatically saves a so-called server log file which contains also your IP address, the date and time of the request, the volume of data transferred and the requesting provider (access data), and documents the request. Individual pieces of access data are stored in a security database for the analysis of security vulnerabilities. The log files are automatically erased no later than 90 days of the date created.

Data processed for sending review invite emails are automatically erased after three months – after that, no further review can be added for the transaction. By adding a review before the end of this period, the customer who was invited to write the review agrees to the Trusted Shops terms of use and the further use of their email address for the purpose of generating a login.

How can we comply with the customer request to erase their personal data? Do we have to inform Trusted Shops of every customer request so that the data are also erased by TS?

According to Article 19 GDPR, each recipient to whom the personal data have been disclosed must be informed of the exercise of the rights of data subjects, this includes Trusted Shops, in any case where an operation relates to customers whose data have been processed by Trusted Shops on behalf of the controller.

Should a reference to the customer’s right to object (Article 21 GDPR) be included?

Displaying the Trustbadge

For displaying the Trustbadge, which is where the member acts as the controller and Trusted Shops as the processor (using the services of Akamai), the member must inform the data subject of their right to object. The easiest way to do so is to put up a contact address for sending the objection. In addition, data subjects can optionally be referred to certain tools that they can use to block third party content on the website, e.g. Privacy Badger or Ghostery.

The latter is not mandatory, for prior to the customer's objection taking effect, the data controller must be able to check whether the data processing is necessary for the establishment, exercise or defence of legal claims, or whether compelling legitimate grounds for the processing exist which outweigh the interests, rights and freedoms of the data subject.

Ultimately, this means that the controller may continue to process data based on Article 21 (1) sentence 2 GDPR even in cases where data have already been processed. As follows from the Privacy Policy Template, the storage period for the IP address (no other personal data are affected) can be sometimes longer than 7 days. But such data are stored only in individual cases and only in the so-called security database so that we can fend off DDos attacks, among others. The data are not used for analytical purposes.

For the sake of completeness:

Data processing in the context of recognising registered Trusted Shops member buyers

Trusted Shops, as the controller in this case, is responsible for this type of data processing and informs users thereof in its own Privacy Policy a link to which is integrated in the Trustbadge.

However, the data required for customer recognition (pseudonym of the e-mail address, hash value) are automatically collected from the order data via the Trustbadge. As can be seen in the latest version of the Privacy Policy Template, this processing is based on Article 6 (1) sentence 1, (f) GDPR as well.

With regards to the data subjects’ right to object, please confer the previous paragraph which applies analogously.

The data protection officer at Trusted Shops GmbH:

Trusted Shops GmbH
Data Protection Officer
Subbelrather Str. 15c
50823 Köln

Was this article helpful?

0 out of 0 found this helpful