Controller to Processor Policy (C2PP)
This C2PP supplements the terms of the Business Solutions Agreement (“Agreement”) to ensure the Processing of Personal Data in connection with the Agreement is in compliance with applicable data protection and privacy law, including the GDPR. Capitalised terms in this C2PP have the meanings listed in the Definitions below.
Purpose of this C2PP
This C2PP applies to certain Personal Data Processing that Amazon implements on your behalf and under your documented instructions (as fully set out in this C2PP), in connection with the electronic marketing support services provided by Amazon through the Amazon Buyer-Seller messaging service (BSM). The electronic marketing support services (“BSM Marketing Support”) we provide to you consist in (i) making available a tool allowing you to send consent requests and marketing content to customers of the FR Amazon Site over the BSM, and (ii) us keeping on your behalf a record of consents given and withdrawn by customers, in relation to marketing campaigns you deploy as Controller. As Controller, you are fully and solely responsible for your marketing campaigns, including the management and honouring of customers' consents under applicable data protection and privacy law.
Amazon will Process Personal Data under this C2PP only as follows:
Use of Personal Data: We will Process Personal Data as necessary for the Purpose of performing the BSM Marketing Support in accordance with your documented instructions in respect of the BSM Marketing Support as per this C2PP, unless required otherwise by applicable data protection and privacy law. We will inform you of such legal requirement before Processing, unless that law prohibits such information on the grounds of important public interest. For the avoidance of doubt, this C2PP constitutes your sole instructions to us in respect of the Processing of Personal Data in the context of the BSM Marketing Support.
We will inform you if we are of the opinion that any of your instructions relating to the Processing of Personal Data infringe applicable data protection and privacy law.
Confidentiality: We will ensure that the persons we authorise to access the Personal Data only do so as necessary to provide the BSM Marketing Support and are bound by suitable binding confidentiality obligations.
Security: We will implement and maintain appropriate physical, technical and organisational measures that protect Personal Data in accordance with the GDPR, including in respect of Personal Data Breach. We will also implement measures to comply with the GDPR requirement to notify you of any Personal Data Breach, where applicable.
Sub-Processors: We may engage any other sub-Processor without your prior written consent, provided that we notify you of any use of sub-processors, in accordance with this C2PP.
Assistance: We will provide you with assistance as reasonably necessary to allow you to meet your obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to us.
Data subject rights: Taking into account the nature of the Processing, we will assist you, insofar as this is possible, for the fulfilment of your obligation to respond to Data Subjects' data protection rights requests under the GDPR in respect of the Personal Data under this C2PP. You remain fully and solely responsible as regards any responses to any Data Subject request in accordance with applicable data protection and privacy law.
Deletion and Return or Personal Data: Unless you notify us otherwise, On termination of the Agreement, we will delete the Personal Data. Notwithstanding the foregoing, we may retain Personal Data to the extent required otherwise by applicable data protection and privacy law.
If you are in a jurisdiction outside the EEA, you agree (and hereby instruct us) to the transfer of the Personal Data under this C2PP between Amazon, acting as processor and data exporter, and you, acting as controller and data importer, that will be governed by Module Four "transfers processor to controller" of the SCCs (available at: https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf), which are incorporated to this C2PP by reference, with the following precisions:
Amazon Services Europe S.à r.l., 38 avenue John F. Kennedy, Luxembourg, 1855, Luxembourg acts as Processor
Data Protection Officer: Barbara Scarafia. Contacts: firstname.lastname@example.org
Activities relevant to the data transferred under the SCCs: Implementation of the BSM Marketing Support
The applicant (if registering for or using a Service as an individual) under the Agreement, or the business the applicant is employed by or represents (if registering for or using a Service as a business) under the Agreement, acts as Controller.
Activities relevant to the data transferred under the SCCs: Implementation of the BSM Marketing Support.
See section "Processing Details" of this C2PP. In addition, the following information is added:
Demonstrating Compliance: Upon your request and to the extent permitted by applicable data protection and privacy law, we will make available to you the information reasonably necessary to demonstrate our compliance with this C2PP. We will assist with audits, to verify that we comply with our obligations under this C2PP.
For the avoidance of doubt, we will not disclose information of any kind we hold on us and / or on behalf of any other sellers, clients or other persons in any capacity whatsoever (the “Protected Information”). Consequently, we may, in our sole discretion, refuse access to you or your external auditor, to any systems (including databases or servers) and files belonging to, or used by us and containing such Protected Information.
Remediation: Our liability in connection with Processing carried out in the context of this C2PP is subject to the provisions of the "Limitation of Liability" clause of the Agreement. For the avoidance of doubt, we will not be held liable as regards any damages, fines, costs or expenses (including legal expenses and disbursements) incurred by you and resulting from a breach of your obligations as Controller under applicable data protection and privacy law (including but not limited to in relation to compliance with applicable direct marketing rules and the handling of consents in compliance with such rules and applicable data protection and privacy law).
As Controller, you will remain fully responsible under applicable data protection and privacy law for the compliance of Processing implemented pursuant to this C2PP, including but not limited to, your obligations in relation to compliance with applicable direct marketing rules and the handling of consents.
The governing law and jurisdiction provisions of the Agreement will apply to this C2PP.
As used in this C2PP, the following terms have the following meanings:
applicable data protection and privacy law
means the Business Solutions Agreement.
means Amazon Buyer-Seller messaging service.
“BSM Marketing Support”
has the meaning given in this C2PP.
means this Program Policy, including its Schedules and any other document incorporated by reference.
means the EU General Data Protection Regulation 2016/679.
has the meaning given in this C2PP.
“Standard Contractual Clauses”
means the standard contractual clauses deemed by the European Commission as providing sufficient safeguards to enable the lawful transfer of Personal Data from the European Union to another jurisdiction (as updated from time to time).
“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Special Categories of Personal Data”
have the meaning given to such terms in the GDPR.