Sell on Amazon Sign In
This article applies to selling in: France

Controller to Processor Policy (C2PP)

Controller to Processor Policy (C2PP)

This C2PP supplements the terms of the Business Solutions Agreement (“Agreement”) to ensure the Processing of Personal Data in connection with the Agreement is in compliance with applicable data protection and privacy law, including the GDPR. Capitalised terms in this C2PP have the meanings listed in the Definitions below.

Purpose of this C2PP

This C2PP applies to certain Personal Data Processing that Amazon implements on your behalf and under your documented instructions (as fully set out in this C2PP), in connection with the electronic marketing support services provided by Amazon through the Amazon Buyer-Seller messaging service (BSM). The electronic marketing support services (“BSM Marketing Support”) we provide to you consist in (i) making available a tool allowing you to send consent requests and marketing content to customers of the FR Amazon Site over the BSM, and (ii) us keeping on your behalf a record of consents given and withdrawn by customers, in relation to marketing campaigns you deploy as Controller. As Controller, you are fully and solely responsible for your marketing campaigns, including the management and honouring of customers' consents under applicable data protection and privacy law.

Processing Details

Amazon will Process Personal Data under this C2PP only as follows: 

  • Data Subjects: Individual customers on the FR Amazon Site (i.e. Amazon.fr)
  • Categories of Personal Data: Data Subjects' choices (i.e., consent, refusal, withdrawal) in respect of electronic marketing by you through the BSM
  • Special Categories of Personal Data: No Special Categories of Personal Data
  • Purpose of Processing: Provision of the BSM Marketing Support
  • Nature of Processing: Collection, hosting and transfer of Personal Data as necessary to provide the BSM Marketing Support
  • Frequency of Processing: Permanent for the whole duration of the Agreement
  • Duration: For the duration of the Agreement
  • Approved Sub-Processors: Yes, you, as Controller, grant a general authorization to engage our affiliates as sub-Processors
  • Approved Data Transfers (if any): Yes, see Approved Transfer Mechanism below
  • Approved Transfer Mechanism: Standard Contractual Clauses (“SCC”)

Processing Commitments

Use of Personal Data: We will Process Personal Data as necessary for the Purpose of performing the BSM Marketing Support in accordance with your documented instructions in respect of the BSM Marketing Support as per this C2PP, unless required otherwise by applicable data protection and privacy law. We will inform you of such legal requirement before Processing, unless that law prohibits such information on the grounds of important public interest. For the avoidance of doubt, this C2PP constitutes your sole instructions to us in respect of the Processing of Personal Data in the context of the BSM Marketing Support.

We will inform you if we are of the opinion that any of your instructions relating to the Processing of Personal Data infringe applicable data protection and privacy law.

Confidentiality: We will ensure that the persons we authorise to access the Personal Data only do so as necessary to provide the BSM Marketing Support and are bound by suitable binding confidentiality obligations.

Security: We will implement and maintain appropriate physical, technical and organisational measures that protect Personal Data in accordance with the GDPR, including in respect of Personal Data Breach. We will also implement measures to comply with the GDPR requirement to notify you of any Personal Data Breach, where applicable.

Sub-Processors: We may engage any other sub-Processor without your prior written consent, provided that we notify you of any use of sub-processors, in accordance with this C2PP.

Assistance: We will provide you with assistance as reasonably necessary to allow you to meet your obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to us.

Data subject rights: Taking into account the nature of the Processing, we will assist you, insofar as this is possible, for the fulfilment of your obligation to respond to Data Subjects' data protection rights requests under the GDPR in respect of the Personal Data under this C2PP. You remain fully and solely responsible as regards any responses to any Data Subject request in accordance with applicable data protection and privacy law. 

Deletion and Return or Personal Data: Unless you notify us otherwise, On termination of the Agreement, we will delete the Personal Data. Notwithstanding the foregoing, we may retain Personal Data to the extent required otherwise by applicable data protection and privacy law.

International Transfers

If you are in a jurisdiction outside the EEA, you agree (and hereby instruct us) to the transfer of the Personal Data under this C2PP between Amazon, acting as processor and data exporter, and you, acting as controller and data importer, that will be governed by Module Four "transfers processor to controller" of the SCCs (available at: https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf), which are incorporated to this C2PP by reference, with the following precisions: 

  • Clause 7 is applicable.
  • Clause 11(a): The option regarding the possibility for Data Subjects to lodge a complaint with an independent dispute resolution body is not retained. 
  • Clause 14 is not applicable to the extent we do not combine the Personal Data received from you with Personal Data we have collected as Processor in the EU.
  • Clause 15 is not applicable to the extent we do not combine the Personal Data received from you with Personal Data we have collected as Processor in the EU.
  • Clause 17: The Parties agree that the law should be that of Luxembourg.
  • Clause 18: The Parties agree that any dispute arising from these Clauses shall be resolved by the courts of Luxembourg.
  • Annex I, A:

Data exporter: 

Amazon Services Europe S.à r.l., 38 avenue John F. Kennedy, Luxembourg, 1855, Luxembourg acts as Processor

Data Protection Officer: Barbara Scarafia. Contacts: eu-privacy@amazon.fr

Activities relevant to the data transferred under the SCCs: Implementation of the BSM Marketing Support

Data importer: 

The applicant (if registering for or using a Service as an individual) under the Agreement, or the business the applicant is employed by or represents (if registering for or using a Service as a business) under the Agreement, acts as Controller.

Activities relevant to the data transferred under the SCCs: Implementation of the BSM Marketing Support. 

  • Annex I, B: 

See section "Processing Details" of this C2PP. In addition, the following information is added: 

  1. Purpose of the data transfer: Provision of the BSM Marketing Support 
  2. Period for which Personal Data will be retained: For the duration provided for under the Agreement
  3. Transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: not applicable

Demonstrating Compliance: Upon your request and to the extent permitted by applicable data protection and privacy law, we will make available to you the information reasonably necessary to demonstrate our compliance with this C2PP. We will assist with audits, to verify that we comply with our obligations under this C2PP.

For the avoidance of doubt, we will not disclose information of any kind we hold on us and / or on behalf of any other sellers, clients or other persons in any capacity whatsoever (the “Protected Information”). Consequently, we may, in our sole discretion, refuse access to you or your external auditor, to any systems (including databases or servers) and files belonging to, or used by us and containing such Protected Information.

Remediation: Our liability in connection with Processing carried out in the context of this C2PP is subject to the provisions of the "Limitation of Liability" clause of the Agreement. For the avoidance of doubt, we will not be held liable as regards any damages, fines, costs or expenses (including legal expenses and disbursements) incurred by you and resulting from a breach of your obligations as Controller under applicable data protection and privacy law (including but not limited to in relation to compliance with applicable direct marketing rules and the handling of consents in compliance with such rules and applicable data protection and privacy law).

Controller Obligations

As Controller, you will remain fully responsible under applicable data protection and privacy law for the compliance of Processing implemented pursuant to this C2PP, including but not limited to, your obligations in relation to compliance with applicable direct marketing rules and the handling of consents.

General

The governing law and jurisdiction provisions of the Agreement will apply to this C2PP. 

Definitions

As used in this C2PP, the following terms have the following meanings:

Agreement

applicable data protection and privacy law

means the Business Solutions Agreement. 

 

 

BSM

 

means Amazon Buyer-Seller messaging service.

 

BSM Marketing Support

 

has the meaning given in this C2PP.

 

C2PP

means this Program Policy, including its Schedules and any other document incorporated by reference.

 

GDPR

means the EU General Data Protection Regulation 2016/679.

 

Protected Information

has the meaning given in this C2PP.

Standard Contractual Clauses

means the standard contractual clauses deemed by the European Commission as providing sufficient safeguards to enable the lawful transfer of Personal Data from the European Union to another jurisdiction (as updated from time to time).

 

Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Special Categories of Personal Data

have the meaning given to such terms in the GDPR. 

Sign in to use the tool and get personalized help (desktop browser required). Sign In


Reach hundreds of millions of customers

Start selling on Amazon


© 1999-2022, Amazon.com, Inc. or its affiliates