- Guidelines for Businesses
- Data Processing Agreement
- U.S. Privacy Laws Supplement
- Content Refresh Guidelines
- Legal Brand Guidelines
- SEO requirements for partners
Data Processing AgreementSeptember 2021
- “Personal Data”, “Special Categories of Personal Data”, “Controller” and “Processor” have the meanings given in the GDPR.
- “Relevant Data” means personal data data as described in the annex below.
- “Trustpilot A/S”, “we”, “us” or “our” means Trustpilot A/S (registration number 30276582), Pilestraede 58, 5th Floor, 1112 Copenhagen K, Denmark.
Relationship between you and Trustpilot A/S
- To the extent that Trustpilot A/S delivers review invitation services to you and you are a Controller of the Relevant Data under GDPR, then you (the Controller) appoint Trustpilot A/S as a Processor to process that Relevant Data.
- You instruct Trustpilot A/S to process the Relevant Data in accordance with this DPA and only for the purpose described in the annex below (or as otherwise may be agreed between you and Trustpilot A/S in writing) (the “Purpose”). Trustpilot A/S may not process the Relevant Data for any other purpose, unless it is required to under EU law, EU member state law or UK law. In that case, Trustpilot A/S will write to you about why it needs to process the Relevant Data, unless it is restricted by law from informing you.
- If Trustpilot A/S believes that an instruction given by you violates the Applicable Data Protection Law, Trustpilot A/S will let you know immediately.
- Trustpilot A/S is not currently aware of being subject to legislation that would prevent it from fulfilling the DPA, but it will let you know without undue delay if that changes or is expected to change.
Transfers of Relevant Data
- Trustpilot A/S will not transfer Relevant Data outside of the European Economic Area and the UK unless it has taken necessary measures to ensure that the transfer complies with the Applicable Data Protection Law. These measures may include transferring the Relevant Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
- You agree that you won’t disclose to Trustpilot A/S for processing any Personal Data for which you do not have the rights, permissions or consents required under Applicable Data Protection Law to enable Trustpilot A/S to lawfully process it.
- Trustpilot A/S will ensure that any person that it authorises to process the Relevant Data will keep the Relevant Data confidential under a statutory obligation of confidentiality or other commitment.
Trustpilot A/S currently implements the technical and organisational measures described in our white paper on security practices for Trustpilot review invitation services.
Trustpilot A/S may change these measures from time to time, but will always maintain appropriate technical and organisational measures that ensure a level of security appropriate to the risk and protect the Relevant Data from being:
- accidentally or unlawfully destroyed, lost or altered,
- disclosed or made available without authorisation, or
- otherwise processed in violation of the Applicable Data Protection Law.
Trustpilot A/S will also comply with any other applicable data security requirements that are directly imposed on it, including the data security requirements of the country in which Trustpilot A/S is established and where the data processing will be performed.
The appropriateness of the technical and organisational security measures will be based on:
- the current state of the art;
- the cost of their implementation; and
- the nature, scope, context and purposes of processing, as well as the likelihood of risks and the impact on the data protection rights and freedoms of data subjects.
On your request, Trustpilot A/S will provide you with sufficient information to enable you to check that Trustpilot A/S is complying with its obligations under the DPA, including that it has implemented the technical and organisational security measures described above.
- You may at your own cost appoint an independent expert who (so long as the expert isn’t a competitor of Trustpilot) will be given access to Trustpilot A/S premises and the information necessary to audit whether Trustpilot A/S complies with its obligations under the DPA - including whether the appropriate technical and organisational security measures have been implemented.
- You’ll need to let us know at least 14 days before you want your expert to have access. And, before we give them access, they’ll need to enter a customary non-disclosure agreement with Trustpilot A/S that ensures that they treat all information they obtain or receive from Trustpilot A/S and/or its affiliates confidentially - and may only share that information with you.
- Any findings or reports created on the basis of the expert’s inspection and audit must be shared with Trustpilot A/S and will be treated as confidential information.
Requests from authorities
- Trustpilot A/S will give authorities, which have a right under EU law, EU member state law or UK law to enter your suppliers’ facilities, access to Trustpilot A/S physical facilities, provided that their representatives can show proper proof of identity.
- Trustpilot A/S must, without undue delay after becoming aware of the facts, notify you in writing about any request from an authority for disclosure of the Relevant Data, unless Trustpilot A/S is expressly prohibited from informing you under EU law,EU member state law or UK law.
- Trustpilot A/S shall, without undue delay after becoming aware of the facts, inform you in writing about any suspicion or finding of:
- a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Relevant Data transmitted, stored or otherwise processed by Trustpilot A/S; and
- any other material failure to comply with Trustpilot A/S obligations under sections 10 and 11 of this DPA.
Cooperation and data subjects’ rights
Trustpilot A/S will promptly assist you with the handling of any requests from data subjects under Chapter III of the GDPR and, where commercially practicable, under any other Applicable Data Protection Law, including requests for access, rectification, blocking or deletion, which relates to our processing of the Relevant Data.
If Trustpilot A/S receives such a request, Trustpilot A/S will not respond to it other than to inform the requesting data subject:
- whether a review invitation email has been sent to the data subject on your behalf; and
- that he/she should submit his/her request to you, given that you will be responsible for responding to these requests.
Trustpilot A/S will assist you with meeting the other obligations that may be imposed on you under EU law, EU member state law or UK law related to data processing where our assistance is necessary for you to comply with your obligations. This includes providing reasonable cooperation to you in connection with any data protection impact assessment that may be required in accordance with article 35 and 36 of the GDPR.
Trustpilot A/S will also provide information related to the provision of the services to authorities or your external advisors and auditors if this is necessary for the performance of their duties in accordance with EU law, EU member state law or laws in the UK.
- Trustpilot A/S may engage third-party sub-processors to process the Relevant Data for the Purpose, provided that Trustpilot A/S imposes data protection obligations on each sub-processor that require it to protect the Relevant Data to at least the same standard imposed on Trustpilot A/S in this DPA. Trustpilot A/S lists its current sub-processors here. If Trustpilot A/S intends to add a newsub-processor, Trustpilot A/S will inform you in advance about any such addition.
- On your request, we will give you a copy of the data protection obligations in Trustpilot A/S agreement with the sub-processor.
- Trustpilot A/S will be liable for any breach of this DPA that is caused by an act, error or omission of one or more of its sub-processors.
Deletion or return of Relevant Data
Trustpilot A/S will retain the Relevant Data for the following periods:
- 30 days for all BCC emails; and
- 3 years for all other Relevant Data.
After these periods have ended, or on your earlier request, Trustpilot A/S will immediately return or delete (including anonymise) the Relevant Data in a manner and form decided by Trustpilot A/S, acting reasonably. This won’t apply to the extent that Trustpilot A/S is required by applicable law to retain some or all of the Relevant Data.
Data Protection Officer
You can reach our data protection officer by sending an email to: firstname.lastname@example.org
Categories of data subjects
- Your consumers
Categories of Personal Data
- Email address
- Reference number, such as an order ID or similar
- Any other Personal Data included in the order confirmation messages that you send to your consumers who make purchases from you.
Special Categories of Personal Data
Trustpilot A/S does not intentionally collect or process any Special Categories of Personal Data, as it is not needed for the purposes of providing you with the review invitation services. However, Special Categories of Personal Data may be processed if you choose to include this data within the order confirmation messages that you send to your consumers who make purchases from you and the type of review invitation service used involves Trustpilot A/S being copied on such messages.