APPENDIX 1 - DATA PROCESSING AGREEMENT ("DPA")
(version 3.0, November 2019)
between the Customer and Trustpilot
(together with the Customer, the "Parties")
1. Scope of the DPA
1.1 This DPA forms part of the service subscription agreement (hereafter referred to as “Agreement”) in place between the Customer and Trustpilot and reflects the Parties' agreement with regards to the processing of personal data.
1.2 Trustpilot acts as a data processor for the Customer, because Trustpilot processes personal data for the Customer as set out in Annex 1.
1.3 The personal data to be processed by Trustpilot concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Annex 1.
1.4 "Personal Data" means any information relating to an identified or identifiable natural person, see article 4(1) of Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation "GDPR").
1.5 "Sensitive Data " means (a) social security number, passport number, driver's license number, or similar identifier (or any portion thereof), (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), (c) employment, financial, genetic, biometric data or data concerning health; (d) data revealing racial, or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; (e) information about natural person’s sex life or sexual orientation; (f) account passwords; (g) date of birth; (h) personal data relating to criminal convictions and offences; (i) mother's maiden name; and (j) any other information that falls within the definition of "special categories of personal data" under the GDPR or any other applicable law relating to privacy and data protection.
2. Processing of Personal Data
2.1 Instructions: Trustpilot is instructed to process the Personal Data only for the purposes of providing the Services as set out in Annex 1. Trustpilot may not process or use the Customer's Personal Data for any other purpose than provided in the instructions, including the transfer of Personal Data to any third country or an international organisation, unless Trustpilot is required to do so according to Union or member state law. In that case, Trustpilot shall inform the Customer in writing of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.2 If the Customer, in the instructions in Annex 1 or otherwise, has given permission to a transfer of Personal Data to a third country or to international organisations, Trustpilot must ensure that there is a legal basis for the transfer, e.g. the EU Commission's Standard Contractual Clauses for the transfer of Personal Data to third countries.
2.3 If Trustpilot is of the opinion that an instruction from the Customer is in violation of the GDPR, or other Union or member state data protection provisions, Trustpilot shall immediately inform the Customer in writing about this.
2.4 If Trustpilot is subject to legislation of a third country, Trustpilot declares not to be aware of the mentioned legislation preventing Trustpilot from fulfilling the DPA, and that Trustpilot will notify the Customer in writing without undue delay, if Trustpilot becomes aware of that such hindrance is present or will occur.
2.5 Sensitive Data will not be processed pursuant to this DPA and the Customer warrants and represents that the Customer will not be sharing, disclosing or otherwise transferring Sensitive Data to Trustpilot.
3. Trustpilot's general obligations
3.1 Trustpilot must ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 Trustpilot shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to prevent that the Personal Data processed is
(i) accidentally or unlawfully destroyed, lost or altered,
(ii) disclosed or made available without authorisation, or
(iii) otherwise processed in violation of applicable laws relevant, including the GDPR, for the Services.
3.3 Trustpilot must also comply with any other applicable data security requirements that are directly incumbent on Trustpilot; including the data security requirements in the country of establishment of Trustpilot, or in the country where the data processing will be performed.
3.4 The appropriate technical and organisational security measures must be determined with due regard for
(i) the current state of the art,
(ii) the cost of their implementation, and
(iii) the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.5 Trustpilot shall upon request provide the Customer with sufficient information to enable the Customer to ensure that Trustpilot complies with its obligations under the DPA, including ensuring that the appropriate technical and organisational security measures have been implemented.
3.6 The Customer is entitled at its own cost to appoint an independent expert who shall have access to Trustpilot's premises and receive the necessary information in order to be able to audit whether Trustpilot complies with its obligations under the DPA, including ensuring that the appropriate technical and organisational security measures have been implemented. The Customer shall provide Trustpilot with 14 days prior written notice and the Customer is obligated to ensure that the expert signs a customary non-disclosure agreement, and treat all information obtained or received from Trustpilot confidentially, and may only share the information with the Customer. Any findings or reports created on the basis of such an inspection must be shared with Trustpilot and shall be regarded as confidential information.
3.7 Trustpilot must provide information related to the provision of the Services to authorities or the Customer's external advisors, including auditors, if this is necessary for the performance of their duties in accordance with Union or member state law.
3.8 Trustpilot must give authorities who by Union or member state law have a right to enter the Customer's or the Customer's supplier's facilities, or representatives of the authorities, access to Trustpilot's physical facilities against proper proof of identity.
3.9 Trustpilot must without undue delay after becoming aware of the facts in writing notify the Customer about:
(i) any request for disclosure of Personal Data processed under the DPA by authorities, unless expressly prohibited under Union or member state law,
(ii) any suspicion or finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Trustpilot in connection with the Services, or (b) other material failure to comply with Trustpilot's obligations under clause 3.2 and 3.3.
3.10 Trustpilot must promptly assist the Customer with the handling of any requests from data subjects under Chapter III of the GDPR, including requests for access, rectification, blocking or deletion, which relates to the processing of Personal Data in connection with the Services.
If Trustpilot receives the data subject access request in relation to the processing of Personal Data on behalf of the Customer, Trustpilot shall not respond to such request, except to inform the requesting data subject whether a review invitation email has been sent on behalf of the Customer (which the Customer hereby agrees with) and to advise the data subject to submit his/her request to the Customer, as the Customer will be responsible for responding to any requests from the data subjects including, where necessary, by using the functionality of the Services.
3.11 Trustpilot must assist the Customer with meeting the other obligations that may be incumbent on the Customer according to Union or member state law related to data processing where the assistance of Trustpilot is implied, and where the assistance of Trustpilot is necessary for the Customer to comply with its obligations. This includes, but is not limited to, at request to provide the Customer with all necessary information about an incident under Clause 3.9 (ii), and all necessary information for an impact assessment in accordance with article 35 and 36 of the GDPR.
3.12 In Annex 1, Trustpilot has stated the servers, offices etc. used to provide the Services. The Customer may at any time request information about the servers, offices used by Trustpilot in connection with the Services and Trustpilot shall respond within 30 days with such information.
4.1 Trustpilot may engage sub-processors. At the time of the DPA, Trustpilot uses the sub-processors listed here to provide the Services. Trustpilot undertakes to inform the Customer of any intended changes concerning the addition or replacement of a sub-processor by providing prior written notice via the Customer's business account. If the Customer can document objective and valid reasons not to accept suggested new sub-processors, the Customer may object to the use of these suggested new sub-processors. If Trustpilot chooses not to suggest alternative sub-processors, or if the Customer has valid and objective reasons to object to all suggested alternatives, the Customer is entitled to terminate the contract with Trustpilot within 14 days after receiving notice hereof.
4.2 Prior to the engagement of a sub-processor, Trustpilot shall conclude a written agreement with the sub-processor, in which at least the same data protection obligations as set out in the DPA shall be imposed on the sub-processor, including an obligation to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
4.3 The Customer has the right to receive a copy of Trustpilot's agreement with the sub-processor as regards the provisions related to data protection obligations. Trustpilot shall remain fully liable to the Customer for the performance of the sub-processor obligations. The fact that the Customer has given consent to the Trustpilot's use of sub-processor is without prejudice for Trustpilot duty to comply with the DPA.
5.1 The Parties may at any time agree to amend this DPA. Amendments must be in writing.
6. Term and consequences of the termination of the DPA
6.1 The DPA enters into force when:
(i) the Customer accepts the Agreement in accordance with section 1.1 of the Agreement; or
(ii) both parties electronically or physically sign the DPA.
6.2 The term of this DPA shall correspond to the term of the Agreement, except to the extent where Trustpilot still processes Personal Data on behalf of the Customer, in which case Trustpilot remains subject to the obligations of the DPA.
6.3 Trustpilot stores Personal Data processed for the Customer for the following periods:
(i) all BCC emails are automatically deleted after 30 days;
(ii) all review invitations data is deleted after 3 years.
6.4 On the Customer's request Trustpilot shall immediately transfer or delete (including anonymise) Personal Data, which Trustpilot is processing for the Customer, unless Union or member state law requires storage of the Personal Data.
7.1 If any of the provisions of the DPA conflict with the provisions of the Agreement, then the provisions of the DPA shall prevail. However, the requirements in clause 3 do not apply to the extent that the Parties in another agreement have set out stricter obligations for Trustpilot. Furthermore, the DPA shall not apply if and to the extend the EU Commission's Standard Contractual Clauses for the transfer of Personal Data to third countries are concluded and such clauses set out stricter obligations for Trustpilot and/or for sub-processors.
7.2 This DPA does not determine the Customer's remuneration of Trustpilot for Services according to the Agreement.
8. Trustpilot’s Data Protection Officer
8.1 The Customer can get in contact with Trustpilot’s data protection officer by sending an email to: firstname.lastname@example.org
This Annex constitutes the Customer's instruction to Trustpilot in connection with Trustpilot's data processing for the Customer, and is an integrated part of the Agreement.
1. The processing of Personal Data
a) Purpose and nature of the processing operations
- Providing the Customer with the Review Invitation Service..
b) Categories of data subjects
- The Customer's customers
c) Categories of Personal Data
Re b) I: Name
Re b) II: Email address
Re b) III: Reference number, such as an order ID or similar.
d) Special categories of data
e) Location(s), including name of country/countries of processing
- The United States
- United Kingdom
 Depending on which Trustpilot service the Customer has chosen, this can respectively be the Automated Feedback Service, Business Generated Links, Unique Links, Kickstart solution and/or API Invitation Link.