Data Processing Agreement

(version 4.0)

Introduction

This data processing agreement (“DPA”), including the annex below, is part of our Terms of Use and Sale for Businesses and applies only to the extent stated within them (see the Privacy and data use section).

Definitions

Words or expressions defined in “quotation marks” have the same meanings each time they are used in this DPA. Unless we say otherwise below, any words or expressions that are defined in the Terms of Use and Sale for Businesses have the same meanings when used in this DPA too.

  • “Applicable Data Protection Law” means all laws and regulations applicable to Trustpilot A/S’s processing of Relevant Data under the Terms of Use and Sale for Businesses, including the GDPR and any legislation and/or regulations implementing, or made under or pursuant to the GDPR, such as the UK GDPR or the UK Data Protection Act 2018.
  • “Personal Data”, “Special Categories of Personal Data”, “Controller” and “Processor” have the meanings given in the GDPR.
  • “Relevant Data” means personal data as described in the annex below.
  • “Trustpilot A/S”, “we”, “us” or “our” means Trustpilot A/S (registration number 30276582), Pilestraede 58, 5th Floor, 1112 Copenhagen K, Denmark.

Relationship between you and Trustpilot A/S

  1. To the extent that Trustpilot A/S delivers review invitation services to you and you are a Controller of the Relevant Data under GDPR, then you (the Controller) appoint Trustpilot A/S as a Processor to process that Relevant Data.
  2. This DPA will apply to you and us for as long as our Terms of Use and Sale for Businesses apply to you, or for as long as we process Relevant Data on your behalf – whichever is longer.

Instructions

  1. You instruct Trustpilot A/S to process the Relevant Data in accordance with this DPA and only for the purpose described in the annex below (or as otherwise may be agreed between you and Trustpilot A/S in writing) (the “Purpose”). Trustpilot A/S may not process the Relevant Data for any other purpose, unless it is required to under EU law, EU member state law or UK law. In that case, Trustpilot A/S will write to you about why it needs to process the Relevant Data, unless it is restricted by law from informing you.
  2. If Trustpilot A/S believes that an instruction given by you violates the Applicable Data Protection Law, Trustpilot A/S will let you know immediately.
  3. Trustpilot A/S is not currently aware of being subject to legislation that would prevent it from fulfilling the DPA, but it will let you know without undue delay if that changes or is expected to change.

Transfers of Relevant Data

  1. Trustpilot A/S will not transfer Relevant Data outside of the European Economic Area and the UK unless it has taken necessary measures to ensure that the transfer complies with the Applicable Data Protection Law. These measures may include transferring the Relevant Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

Prohibited data

  1. You agree that you won’t disclose to Trustpilot A/S for processing any Personal Data for which you do not have the rights, permissions or consents required under Applicable Data Protection Law to enable Trustpilot A/S to lawfully process it.

Confidentiality

  1. Trustpilot A/S will ensure that any person that it authorises to process the Relevant Data will keep the Relevant Data confidential under a statutory obligation of confidentiality or other commitment.

Security practices

  1. Trustpilot A/S currently implements the technical and organisational measures described in our white paper on security practices for Trustpilot review invitation services.
  2. Trustpilot A/S may change these measures from time to time, but will always maintain appropriate technical and organisational measures that ensure a level of security appropriate to the risk and protect the Relevant Data from being:
    • accidentally or unlawfully destroyed, lost or altered,
    • disclosed or made available without authorisation, or
    • otherwise processed in violation of the Applicable Data Protection Law.
  3. Trustpilot A/S will also comply with any other applicable data security requirements that are directly imposed on it, including the data security requirements of the country in which Trustpilot A/S is established and where the data processing will be performed.
  4. The appropriateness of the technical and organisational security measures will be based on:
    • the current state of the art;
    • the cost of their implementation; and
    • the nature, scope, context and purposes of processing, as well as the likelihood of risks and the impact on the data protection rights and freedoms of data subjects.
  5. On your request, Trustpilot A/S will provide you with sufficient information to enable you to check that Trustpilot A/S is complying with its obligations under the DPA, including that it has implemented the technical and organisational security measures described above.

Audit

  1. You may at your own cost appoint an independent expert who (so long as the expert isn’t a competitor of Trustpilot) will be given access to Trustpilot A/S premises and the information necessary to audit whether Trustpilot A/S complies with its obligations under the DPA - including whether the appropriate technical and organisational security measures have been implemented.
  2. You’ll need to let us know at least 14 days before you want your expert to have access. And, before we give them access, they’ll need to enter a customary non-disclosure agreement with Trustpilot A/S that ensures that they treat all information they obtain or receive from Trustpilot A/S and/or its affiliates confidentially - and may only share that information with you.
  3. Any findings or reports created on the basis of the expert’s inspection and audit must be shared with Trustpilot A/S and will be treated as confidential information.

Requests from authorities

  1. Trustpilot A/S will give authorities, which have a right under EU law, EU member state law or UK law to enter your suppliers’ facilities, access to Trustpilot A/S physical facilities, provided that their representatives can show proper proof of identity.
  2. Trustpilot A/S must, without undue delay after becoming aware of the facts, notify you in writing about any request from an authority for disclosure of the Relevant Data, unless Trustpilot A/S is expressly prohibited from informing you under EU law, EU member state law or UK law.

Security incidents

  1. Trustpilot A/S shall, without undue delay after becoming aware of the facts, inform you in writing about any suspicion or finding of:
    • a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Relevant Data transmitted, stored or otherwise processed by Trustpilot A/S; and
    • any other material failure to comply with Trustpilot A/S obligations under sections 10 and 11 of this DPA.

Cooperation and data subjects’ rights

  1. Trustpilot A/S will promptly assist you with the handling of any requests from data subjects under Chapter III of the GDPR and, where commercially practicable, under any other Applicable Data Protection Law, including requests for access, rectification, blocking or deletion, which relate to our processing of the Relevant Data.
  2. If Trustpilot A/S receives such a request, Trustpilot A/S will not respond to it other than to inform the requesting data subject:
    • whether a review invitation email has been sent to the data subject on your behalf; and
    • that he/she should submit his/her request to you, given that you will be responsible for responding to these requests.
  3. Trustpilot A/S will assist you with meeting the other obligations that may be imposed on you under EU law, EU member state law or UK law related to data processing where our assistance is necessary for you to comply with your obligations. This includes providing reasonable cooperation to you in connection with any data protection impact assessment that may be required in accordance with articles 35 and 36 of the GDPR.
  4. Trustpilot A/S will also provide information related to the provision of the services to authorities or your external advisors and auditors if this is necessary for the performance of their duties in accordance with EU law, EU member state law or laws in the UK.
  5. In the annex below, Trustpilot A/S has stated the servers, offices etc. used to provide the services under the Terms of Use and Sale for Businesses. You may request information about the servers, offices used by Trustpilot A/S in connection with these services and Trustpilot A/S will respond within 30 days.

Sub-processors

  1. Trustpilot A/S may engage third-party sub-processors to process the Relevant Data for the Purpose, provided that Trustpilot A/S imposes data protection obligations on each sub-processor that require it to protect the Relevant Data to at least the same standard imposed on Trustpilot A/S in this DPA. Trustpilot A/S lists its current sub-processors here. If Trustpilot A/S intends to add a new sub-processor, Trustpilot A/S will inform you in advance about any such addition.
  2. You can object to any additional or replacement sub-processor before it is appointed, provided that your objection is based on objective and reasonable grounds relating to data protection. If Trustpilot A/S chooses not to suggest an alternative sub-processor, or if you object to all of Trustpilot A/S alternative sub-processors, you may terminate your subscription (if any) by giving us 14 days’ notice. See section 37 of the Terms of Use and Sale for Businesses if you want those terms (including this DPA) to be terminated immediately.
  3. On your request, we will give you a copy of the data protection obligations in Trustpilot A/S agreement with the sub-processor.
  4. Trustpilot A/S will be liable for any breach of this DPA that is caused by an act, error or omission of one or more of its sub-processors.

Deletion or return of Relevant Data

  1. Trustpilot A/S will retain the Relevant Data for the following periods:
    • 30 days for all BCC emails; and
    • 3 years for all other Relevant Data.
  2. After these periods have ended, or on your earlier request, Trustpilot A/S will immediately return or delete (including anonymise) the Relevant Data in a manner and form decided by Trustpilot A/S, acting reasonably. This won’t apply to the extent that Trustpilot A/S is required by applicable law to retain some or all of the Relevant Data.

Data Protection Officer

You can reach our data protection officer by sending an email to: privacy@trustpilot.com

ANNEX

Purpose

  • Providing you with one or more of our review invitation services, as defined in the Terms of Use and Sale for Businesses (when you send (or we send on your behalf) invitations to your consumers asking them to write a review on our platform about your services and/or your products).

Categories of data subjects

  • Your consumers

Categories of Personal Data

  • Name
  • Email address
  • Reference number, such as an order ID or similar
  • Any other Personal Data included in the order confirmation messages that you send to your consumers who make purchases from you.

Special Categories of Personal Data

Trustpilot A/S does not intentionally collect or process any Special Categories of Personal Data, as it is not needed for the purposes of providing you with the review invitation services. However, Special Categories of Personal Data may be processed if you choose to include this data within the order confirmation messages that you send to your consumers who make purchases from you and the type of review invitation service used involves Trustpilot A/S being copied on such messages.

Processing locations

  • Denmark
  • Ireland
  • United States
  • Germany
  • Australia
  • Lithuania
  • United Kingdom