When?
The GDPR came into force on 25th May, 2016. It will be applicable from 25th May, 2018.
What does it change?
As a user of our products, you are obliged to declare in your privacy policy that the Trustbadge integrated in your website is third-party content.
What has to be done?
Trusted Shops has prepared a template for your privacy policy which specifically refers to the Trustbadge.
Update privacy policy now
Copy the text which is suitable for your Trusted Shops product usage into your privacy policy.
Trustmark with reviews
Integration of the Trusted Shops Trustbadge
The Trusted Shops Trustbadge is integrated on this website to display our Trusted Shops Trustmark and the collected reviews as well as to offer Trusted Shops products to buyers after an order.
Trustmark without reviews
Integration of the Trusted Shops Trustbadge
The Trusted Shops Trustbadge is integrated on this website to display our Trusted Shops Trustmark as well as to offer Trusted Shops products to buyers after an order.
Reviews without Trustmark
Integration of the Trusted Shops Trustbadge
The Trusted Shops Trustbadge is integrated on this website to display our collected reviews as well as to offer Trusted Shops products to buyers after an order.
This is necessary to safeguard our legitimate prevailing interests in optimal marketing by ensuring the safety of your purchase according to Article 6 (1) f GDPR. The Trustbadge and the services advertised with it are an offer of the Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany. The Trustbadge is made available by a CDN provider (Content-Delivery-Network) as part of order processing. The Trusted Shops GmbH also uses service providers from the USA. An adequate level of data protection is guaranteed. Further information on the data security of the Trusted Shops GmbH can be found here: https://www.trustedshops.co.uk/imprint/
When the Trustbadge is called up, the web server automatically saves a server log file which contains, for example, your IP address, the date and time of the call, the amount of data transferred and the requesting provider (access data) and documents the call. Individual access data are stored in a security database for the analysis of security problems. The log files are automatically deleted 90 days after creation at the latest.
Further personal data will be transferred to Trusted Shops GmbH if you decide to use Trusted Shops products after completing an order or have already registered for use. The contractual agreement made between you and Trusted Shops applies. For this purpose personal data is automatically collected from the order data. Whether or not you are already registered as a Trusted Shops customer is automatically checked by means of a neutral parameter, the e-mail address hashed by a cryptographic one-way function. Before it is transmitted, the e-mail address is converted to this hash value, which cannot be decrypted by Trusted Shops. After checking for a match, the parameter is deleted automatically.
This is necessary for the fulfillment of our and Trusted Shops' legitimate prevailing interests in the provision of the buyer protection linked to the specific order and the transactional review services in accordance with Art. 6 para. 1 s. 1 lit. f GDPR. Further details, including your right to object, can be found in the Trusted Shops Privacy Policy linked above and within the Trustbadge.
FAQ about the General Data Protection Regulation (GDPR) and Trusted Shops products
1. Should Trusted Shops adapt their data protection? And if so, how exactly?
Like all European companies, Trusted Shops is already working on implementing the requirements of the GDPR in our activities. In addition to re-working the directory of processing activities and other documentation, this also includes adjusting the data protection statements on websites and updating training for employees regarding the GDPR.
2. Does Trusted Shops offer the option to conclude a contract on data processing?
With the start of the GDPR and in conjunction with the corresponding changes in the statutory requirements, Trusted Shops will offer online shops which use Trusted Shops products the option to conclude a contract on data processing.
Currently, we’re working on creating a standard draft which we will give to interested customers before the GDPR comes into effect. Please understand that due to the number of Trusted Shops customers and the transition phase, Trusted Shops cannot offer individual contract drafts to all customers to check and agree to.
Of course, the draft offered by Trusted Shops will comply with legal provisions and will consider the interests of our customers to an appropriate degree.
3. Should an online retailer declare their use of Trusted Shops products in their data protection statement?
As the change in the law means that the information obligations of website operators increase, an online shop must, in the future, declare in their data protection statement when - as a result of consent from the buyer or as part of a data processing agreement with Trusted Shops - they are transferring personal data to Trusted Shops or allow Trusted Shops to collect such data on the online shop’s website.
The information in the data protection statement should describe the collection and processing of data and name the categories of data collected. Trusted Shops GmbH should be expressly named as the online shop’s data processor. In addition, the data protection statement should explain the purpose of the processing as well as the legal basis for the processing. If consent for the transfer of personal data to Trusted Shops is given, then the right of withdrawal or, if necessary, the right of objection must be stated.
4. What data is collected when Trusted Shops products are used?
A. AN ONLINE SHOP WHICH USES TRUSTED SHOPS PRODUCTS VIA THE API OFFERED:
If an online shop uses Trusted Shops products using the Trusted Shops API, the buyer’s personal data that is transferred to Trusted Shops and the time it will be transferred depend on the individual settings of the API.
Therefore, it is not possible to make any conclusive statement on what data is transferred between the online shop and Trusted Shops when a Trusted Shops API is used. Details on the APIs offered by Trusted Shops are available at api.trustedshops.com.
Please note that transferring personal data of buyers to Trusted Shops via the API needs prior consent from the person concerned as this is a case of transferring personal data for marketing purposes. The online shop is therefore obliged to obtain the appropriate consent in advance.
B. AN ONLINE SHOP WHICH HAS INTEGRATED THE TRUSTBADGE:
a. Data transfer when visiting an online shop with an integrated Trustbadge
As with opening a website, retrieving a Trustbadge that is integrated into an online shop via a browser client (that is, simultaneously with opening the website) automatically produces a web server log entry. As it is a standard format, this includes information on the browser client (date, time, referrer, IP address of the client, user agent...). This data is usage data which accumulates in any data transfer on the internet. In particular, the inclusion of any third-party content involves transfer of this data.
Trusted Shops does not use this usage data to create a usage profile and no conclusion on the website visitor is made. This data is used only to guarantee operation without disruption.
In addition, visiting a shop page which has the Trustbadge incorporated does not result in any personal data (e.g. name, e-mail address etc.) being transferred to us automatically or being stored.
b. Data transfer when placing an order in an online shop
If the buyer does not themselves use Trusted Shops products, only the order number is transmitted to Trusted Shops when the Trustbadge is integrated. This is for verifying later guarantees or reviews.
Other data - in particular personal data - is only transmitted if Trusted Shops products for the buyer are actively used by the shop customer and they agree to the data transfer and/or have done so in the past for future purchases.
Only data which is necessary for using our products is collected. When using the Trusted Shops buyer protection with shop reviews, this data generally comprises the order date, order number, a customer number (if one exists), the order total, the currency, the expected delivery date (if needed), the payment method and the buyer’s e-mail address. When product reviews are integrated by the shop, the URL of the product and the product image, the product name, the product SKU, GTIN and MPN as well as the manufacturer are collected. If a review request is sent without the Trusted Shops’ buyer protection, only the order number and the e-mail address are needed. Trusted Shops does not collect further personal data of users in this way.
Whether the buyer is already registered for a particular product usage is checked automatically using a neutral parameter, the e-mail address hashed by a cryptographic one-way hash function (MD5 procedure). Before being transferred, the e-mail address is converted into a hash value which cannot be decrypted by Trusted Shops. If there is no match, the parameter is discarded. The e-mail address is then only collected if the buyer has decided to use Trusted Shops products. Neither the buyer’s e-mail address in plain text nor other data is transferred as part of the automatic transfer.
The data received is only used for executing the contracts concluded and is stored internally for the duration of the mutual contract fulfilment. Afterwards, the data is then blocked from further use and is deleted for good after all commercial and tax law-related retention periods have passed.
If the buyer decides to not use Trusted Shops products for buyers and leaves the site, data is neither transmitted to Trusted Shops nor stored or processed by Trusted Shops.
5. What needs to be considered when sending review requests?
A review request constitutes an advertisement
When sending an e-mail review request, conditions relating to data protection and competition law must be considered as sending such an e-mail is a way of using personal data for advertising purposes. The review request constitutes an advertisement.
OBTAINING CONSENT
As a result, sending a review request always requires getting express consent. Simply having the e-mail address is not sufficient. This is also the case if the e-mail address is passed on to a third party for them to send a review request. This is the case, for example, when using the Review Collector or the Automatic Collection by Trusted Shops. In the General Membership Conditions, Trusted Shops contractually obliges the online retailer to obtain effective consent. If data is transferred without obtaining consent beforehand, this is not just a contractual infringement by the online retailer; Trusted Shops can, in the event of any damages, obtain compensation from the online retailer.
Therefore, when activating the functionality, this pre-condition is expressly referred to.
An action by the customer is needed: This can be a checkbox or a separate button for consent to receiving review requests, or it can be another action, e.g. filling in a field which is only needed for registering for a review request. Therefore, when activating the function, this condition is explicitly pointed out.
SCOPE
The scope of the consent and its consequences must be explicit: what data is passed on to whom, who uses it, for what purpose and do they use it regularly or just once etc. Should a third party send the review requests, the consent declaration must also include consent to pass on the e-mail address to third parties for the purposes of sending a review request. If the review request is sent by Trusted Shops, the online shop must obtain consent for the e-mail address to be given to Trusted Shops for the purposes of sending a review request.
In addition, it must also be made clear that the consent can be withdrawn at any time. The retailer must be able to prove that consent was obtained.
CONSENT CAN BE GIVEN, FOR EXAMPLE, VIA A CHECKBOX IN THE CUSTOMER ACCOUNT:
Consent with checkbox:
[ ] After every purchase that I make, I would like to be sent an e-mail reminding me to submit a review and I agree that my e-mail address will be given to Trusted Shops GmbH for this purpose.
or (if the review request is sent by the online shop itself)
[ ] I would like to review my purchases. Please send me an e-mail for this after every purchase I make.
Obtaining consent in the log-in area or through a link in the order confirmation e-mail has the advantages that, in the first case, the e-mail address is confirmed and in the second case, only the owner of the e-mail address gets the link. In both cases, a so-called double opt-in as verification would be superfluous.
REVIEW POSTCARDS
Enclosing a review postcard is fine. It could, for example, be a flyer with a quick link to the review profile. The stricter rules for e-mail advertising do not apply to this sending method.
In the case of personal contact, the customer can be asked to give feedback immediately. As no e-mail address is used for this, prior consent is not necessary.