
oneTag Data Processing Addendum

DATA PROCESSING ADDENDUM

This Data Processing Addendum (this “Addendum”) by and between you and Amazon is effective as of the effective date of the oneTag Policy between Amazon and you (the “Addendum Effective Date”). This Addendum supplements the oneTag Policy, as updated from time to time between you and Amazon, governing the processing of Associates Personal Data by Amazon in connection with the analytics product oneTag as described ("oneTag"). If there is any inconsistency between the terms of this Addendum, the Agreement and the oneTag Policy, the provisions of this Addendum shall prevail.  This Addendum automatically expires upon: (i) the deletion by Amazon of all Associates Personal Data in accordance with Section 3(c) or 3(e); (ii) uninstallation of oneTag from your Site; or (iii) the termination or expiry of the oneTag Policy or the Agreement, whichever is earlier. All capitalized terms used in this Addendum will have the meanings given to them in Section 5 of this Addendum or the oneTag Policy. “Amazon” means, in respect of the Agreement, the applicable Amazon contracting party entering into the Agreement, and in respect of the Addendum, Amazon Europe Core S.à r.l. The terms "controller", "data subject", "personal data breach", "processing", "processor" and "pseudonymization" shall have the same meaning as in the GDPR (and the term "pseudonymized" shall be interpreted accordingly). 

 

  • Data Processing Instructions

    1. Amazon will act as processor in relation to Associates Personal Data and you will act as controller in relation to Associates Personal
    2. Amazon will process Associates Personal Data as necessary to provide you with access to and use of oneTag reporting, as further specified in the oneTag Policy and as instructed by you by virtue of using oneTag.  You instruct Amazon to anonymize and aggregate Associates Personal Data obtained as a result of its provision of oneTag for the purpose of producing oneTag reporting to you.   
    3. Amazon will only process Associates Personal Data in accordance with the instructions agreed under this Addendum and the oneTag Policy, unless your instructions infringe GDPR or other Applicable Laws. You shall ensure that your instructions comply with all Applicable Laws in relation to the Associates Personal Data, and that the processing of Associates Personal Data in accordance with your instructions will not cause Amazon to be in breach of its obligations under Applicable Laws. Amazon will notify you about any instruction from you which, in Amazon's opinion, infringes Applicable Law.
    4. The parties agree that the oneTag Policy and this Addendum set out the scope of your documented instructions in relation to Associates Personal Data. Any additional instructions require prior written agreement between Amazon and you.
    5. You represent and warrant to Amazon that you are the controller of Associates Personal Data.

     

  • Associate's Obligations

You will comply with all Applicable Laws, including regarding the collection, processing, use and disclosure of Associates Personal Data and all data collected from or about End Users or specific devices which apply to the utilization of oneTag. You acknowledge and agree that your obligations under Applicable Laws include, without limitation, (i) having a documented lawful justification for processing Associates Personal Data pursuant to the GDPR, including for the purposes agreed under the oneTag Policy; (ii) publishing (or contractually requiring the publication of) privacy notices pursuant to the oneTag Policy, E-Privacy Directive and the GDPR and implementing all other necessary measures to inform End Users about the processing of Associates Personal Data by you and Amazon on your behalf, including anonymization and aggregation of Associates Personal Data; (iii) implementing (and instructing processors to implement) technical and organizational measures to protect Associates Personal Data against the risks that are presented by the processing of such Associates Personal Data, including the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Associates Personal Data; and (iv) obtaining and keeping a record of legally compliant consent of the relevant End User pursuant to the E-Privacy Directive for the use of oneTag on your Site and will have a valid legal basis to collect, process and share Associates Personal Data with Amazon and to allow Amazon to process the Associates Personal Data in accordance with Applicable Laws and this Addendum. You will, within 7 days of a request by Amazon, supply to Amazon evidence that you have provided requisite notice and obtained the consent required under this Section 2.

 

  • Amazon's Obligations

    1. Amazon will treat all Associates Personal Data as confidential information, and Amazon will not disclose this information to any third party (other than to its Affiliates) and will take all reasonable measures to protect the information against any unauthorized use or disclosure. Confidential information does not include any information that (i) is or becomes publicly available without breach of this Addendum, (ii) was known by Amazon prior to its receipt from you; (iii) is disclosed to Amazon by any third party, except where Amazon knows, or reasonably should know, that such disclosure constitutes a wrongful or tortious act, or (iv) is independently developed by Amazon without use of any confidential data. Amazon may disclose confidential information as required to comply with orders of governmental entities that have jurisdiction over it or as otherwise required by law. Amazon will ensure that persons authorised to process Associates Personal Data have committed themselves to confidentiality or are under appropriate statutory duties of confidentiality.
    2. Technical and Organizational Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, Amazon will implement and maintain technical and organizational measures to protect Associates Personal Data against unauthorized or unlawful processing and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Associates Personal Data. These measures will be appropriate to the level of risk presented by the processing of Associates Personal Data on the rights of data subjects. You acknowledge that Amazon may change the technical and organizational measures applicable to the processing of Associates Personal Data, provided that such measures comply with the standards set forth in Annex I of this Addendum.
    3. Sub-processing. You agree that Amazon may use sub-processors to fulfill its contractual obligations under this Addendum or to provide certain services on its behalf. You hereby consent and authorize each Amazon Affiliate to act as a sub-processor under this Addendum. At least 30 days before Amazon engages a sub-processor (other than an Amazon Affiliate) to carry out processing activities on behalf of you, Amazon will notify you in writing (email or post on the Amazon Site shall be sufficient) ("Sub-processor Notification"). If you object to the appointment of the sub-processor you will notify Amazon promptly in writing within ten (10) business days after receipt of such Sub-processor Notification. In the event that you put forward an objection to a new sub-processor, Amazon agrees to engage in good faith discussions with you to address your objection. Where your objection cannot be resolved within a reasonable period of time, you may uninstall oneTag in accordance with the oneTag Policy. Where you do not terminate your use of oneTag, you agree that Amazon will provide the oneTag services with the new sub-processor.
      1. Where Amazon authorizes any sub-processor pursuant to this Addendum:
        1. Amazon will enter into a written agreement with the sub-processor and impose comparable obligations on the sub-processor as are imposed on Amazon under this Addendum; and
        2. Amazon will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the sub-processor that cause Amazon to breach any of its obligations under this Addendum.
    4. Assistance of Controller. Taking into account the nature of the processing and the nature of Associates Personal Data, Amazon will provide assistance reasonably requested by you in order to allow you:
      1. To comply with your obligations to data subjects who exercise their rights under GDPR or Applicable Laws. You acknowledge and agree that you will not request assistance from Amazon to re-attribute any pseudonymized online identifiers or other pseudonymized Associates Personal Data to an identified or identifiable individual; and
      2. To conduct a data protection impact assessment in respect of the processing of Associates Personal Data, if required under the GDPR or Applicable Laws. You acknowledge and agree that the information contained in this Addendum, together with other written or online materials provided by or made available by Amazon about the nature of its processing of Associates Personal Data, is sufficient for you to conduct any data protection impact assessment.
    5. Deletion of Associates Personal Data. Upon the earlier to occur of: (i) the termination or expiry of the oneTag Policy or the Agreement; or (ii) at your request, Amazon will delete all Associates Personal Data processed by Amazon as a processor from Amazon’s systems, unless Applicable Law requires Amazon to store copies of Associates Personal Data. Amazon will comply with your instruction to delete all Associates Personal Data as soon as reasonably practicable.
    6. Notification of Data Breach. Amazon will notify you of any confirmed personal data breach involving Associates Personal Data, in accordance with its obligations as processor under the GDPR or Applicable Laws. To assist you in relation to any personal data breach notifications you are required to make under the GDPR or Applicable Laws, Amazon will provide you with such information about the personal data breach as Amazon is reasonably able to disclose to you, taking into account the nature of the services Amazon performs under this Addendum and the Agreement, the information available to Amazon, and any restrictions on disclosing the information, such as confidentiality.
    7. Onward Transfer of Associates Personal Data. You agree that Amazon may store and process Associates Personal Data in countries outside of the European Economic Area. Amazon will only transfer Associates Personal Data to a country outside the European Economic Area (1) if the recipient to which Associates Personal Data is transferred is certified under the Privacy Shield, or (2) pursuant to an alternative recognized compliance standard for the lawful transfer of Personal Data outside the European Economic Area.

     

  • Audit: Amazon uses external auditors to regularly verify the security and adequacy of its technical and organizational measures taken with respect to the processing of Associates Personal Data. Upon your written request, Amazon may make available to you document(s) evidencing an audit performed, or certification awarded, by an auditor, and delivered in accordance with prevailing industry standards on data security and privacy (the “Report”) in order to demonstrate compliance with Amazon's obligations as a processor under the GDPR and its obligations under this Addendum.  The Report will constitute Amazon’s confidential information, subject to the confidentiality provisions of the Operating Agreement or an NDA, as applicable. The Report constitutes all information necessary to demonstrate Amazon's compliance with its obligations under this Addendum.
  • Further Processing: Associates Personal Data has been anonymized and aggregated on your behalf for the purposes of providing oneTag reporting to you.  You acknowledge and agree that Amazon may use Associates Personal Data for its own purposes.

  • Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this Addendum will have the meanings given to them below:

    “Applicable Laws” means applicable laws, rules, regulations, directives and guidelines including but not limited to the GDPR and the E-Privacy Directive.

    “Affiliate” means with respect to any entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with such entity.

    “Amazon Data” means Personal Data that is preexisting Amazon data used by Amazon.

    “Associates Personal Data” means Personal Data of End Users processed by Amazon on behalf of you pursuant to your use of oneTag. As of the Addendum Effective Date, Associates Personal Data consists of: (i) IP address; (ii) URL; (iii) clicks and glance views of Amazon affiliate links on your Site; (iv) browser type and operating system; and (v) pseudonymised identifier (cookie ID). Associates Personal Data excludes, and Amazon acts as an independent controller in relation to, Amazon Data.

    “End User” means a visitor to your Site.

    “E-Privacy Directive” means the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) and any applicable implementation or successor thereof.

 

Annex I: Amazon Security Measures

Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Addendum.

  • Information Security Program. Amazon will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) secure Associates Personal Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable external and internal risks to security and unauthorized access to Amazon’s associates systems, and (c) minimize security risks, including through risk assessment and regular testing. Amazon will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:

    1. Network Security. Amazon’s associates systems will be electronically accessible to employees, contractors and any other person as necessary to provide the services under the Addendum and Amazon will maintain access controls and policies to manage what access is allowed to the relevant systems from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Amazon will maintain corrective action and incident response plans to respond to potential security threats.
    2. Physical Security

      1. Physical Access Controls. Physical components of Amazon’s associates systems are housed in facilities (the “Facilities”) where physical barrier controls are used to prevent unauthorized entrance. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, )
      2. Limited Employee and Contractor Access. Amazon provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Amazon or its Affiliates.
  • Continued Evaluation. Amazon will conduct periodic reviews of the security of its systems and adequacy of its information security program as measured against industry security standards and its policies and procedures. Amazon will continually evaluate the security of its systems and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.