DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “Addendum”) by and between you and Amazon is effective as of the effective date of the oneTag Policy between Amazon and you (the “Addendum Effective Date”).
This Addendum supplements the oneTag Policy, as updated from time to
time between you and Amazon, governing the processing of Associates
Personal Data by Amazon in connection with the analytics product oneTag
as described ("oneTag"). If there is any inconsistency
between the terms of this Addendum, the Agreement and the oneTag Policy,
the provisions of this Addendum shall prevail. This Addendum
automatically expires upon: (i) the deletion by Amazon of all Associates
Personal Data in accordance with Section 3(c) or 3(e); (ii)
uninstallation of oneTag from your Site; or (iii) the termination or
expiry of the oneTag Policy or the Agreement, whichever is earlier. All
capitalized terms used in this Addendum will have the meanings given to
them in Section 5 of this Addendum or the oneTag Policy. “Amazon”
means, in respect of the Agreement, the applicable Amazon contracting
party entering into the Agreement, and in respect of the Addendum,
Amazon Europe Core S.à r.l. The terms "controller", "data subject", "personal data breach", "processing", "processor" and "pseudonymization" shall have the same meaning as in the GDPR (and the term "pseudonymized" shall be interpreted accordingly).
- Data Processing Instructions
- Amazon will act as processor in
relation to Associates Personal Data and you will act as controller in
relation to Associates Personal Data.
- Amazon will process Associates Personal
Data as necessary to provide you with access to and use of oneTag
reporting, as further specified in the oneTag Policy and as instructed
by you by virtue of using oneTag. You instruct Amazon to anonymize and
aggregate Associates Personal Data obtained as a result of its provision
of oneTag for the purpose of producing oneTag reporting to you.
- Amazon will only process Associates
Personal Data in accordance with the instructions agreed under this
Addendum and the oneTag Policy, unless your instructions infringe GDPR
or other Applicable Laws. You shall ensure that your instructions comply
with all Applicable Laws in relation to the Associates Personal Data,
and that the processing of Associates Personal Data in accordance with
your instructions will not cause Amazon to be in breach of its
obligations under Applicable Laws. Amazon will notify you about any
instruction from you which, in Amazon's opinion, infringes Applicable
Law.
- The parties agree that the oneTag
Policy and this Addendum set out the scope of your documented
instructions in relation to Associates Personal Data. Any additional
instructions require prior written agreement between Amazon and you.
- You represent and warrant to Amazon that you are the controller of Associates Personal Data.
- Associate's Obligations
You will comply with
all Applicable Laws, including regarding the collection, processing,
use and disclosure of Associates Personal Data and all data collected
from or about End Users or specific devices which apply to the
utilization of oneTag. You acknowledge and agree that your obligations
under Applicable Laws include, without limitation, (i) having a
documented lawful justification for processing Associates Personal Data
pursuant to the GDPR, including for the purposes agreed under the oneTag
Policy; (ii) publishing (or contractually requiring the publication of)
privacy notices pursuant to the oneTag Policy, E-Privacy Directive and
the GDPR and implementing all other necessary measures to inform End
Users about the processing of Associates Personal Data by you and Amazon
on your behalf, including anonymization and aggregation of Associates
Personal Data; (iii) implementing (and instructing processors to
implement) technical and organizational measures to protect Associates
Personal Data against the risks that are presented by the processing of
such Associates Personal Data, including the risk of accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or
access to, Associates Personal Data; and (iv) obtaining and keeping a
record of legally compliant consent of the relevant End User pursuant to
the E-Privacy Directive for the use of oneTag on your Site and will
have a valid legal basis to collect, process and share Associates
Personal Data with Amazon and to allow Amazon to process the Associates
Personal Data in accordance with Applicable Laws and this Addendum. You
will, within 7 days of a request by Amazon, supply to Amazon evidence
that you have provided requisite notice and obtained the consent
required under this Section 2.
- Amazon's Obligations
- Amazon will treat all
Associates Personal Data as confidential information, and Amazon will
not disclose this information to any third party (other than to its
Affiliates) and will take all reasonable measures to protect the
information against any unauthorized use or disclosure. Confidential
information does not include any information that (i) is or becomes
publicly available without breach of this Addendum, (ii) was known by
Amazon prior to its receipt from you; (iii) is disclosed to Amazon by
any third party, except where Amazon knows, or reasonably should know,
that such disclosure constitutes a wrongful or tortious act, or (iv)
is independently developed by Amazon without use of any confidential data.
Amazon may disclose confidential information as required to comply with
orders of governmental entities that have jurisdiction over it or as
otherwise required by law. Amazon will ensure that persons authorised to
process Associates Personal Data have committed themselves to
confidentiality or are under appropriate statutory duties of
confidentiality.
- Technical and Organizational Measures.
Taking into account the state of the art, the costs of implementation
and the nature, scope, context and purposes of the processing, Amazon
will implement and maintain technical and organizational measures to
protect Associates Personal Data against unauthorized or unlawful
processing and against accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, Associates
Personal Data. These measures will be appropriate to the level of risk
presented by the processing of Associates Personal Data on the rights of
data subjects. You acknowledge that Amazon may change the technical and
organizational measures applicable to the processing of Associates
Personal Data, provided that such measures comply with the standards set
forth in Annex I of this Addendum.
- Sub-processing. You agree that
Amazon may use sub-processors to fulfill its contractual obligations
under this Addendum or to provide certain services on its behalf. You
hereby consent and authorize each Amazon Affiliate to act as a
sub-processor under this Addendum. At least 30 days before Amazon
engages a sub-processor (other than an Amazon Affiliate) to carry out
processing activities on behalf of you, Amazon will notify you in
writing (email or post on the Amazon Site shall be sufficient) ("Sub-processor Notification").
If you object to the appointment of the sub-processor you will notify
Amazon promptly in writing within ten (10) business days after receipt
of such Sub-processor Notification. In the event that you put forward an
objection to a new sub-processor, Amazon agrees to engage in good faith
discussions with you to address your objection. Where your objection
cannot be resolved within a reasonable period of time, you may
uninstall oneTag in accordance with the oneTag Policy. Where you do not
terminate your use of oneTag, you agree that Amazon will provide the
oneTag services with the new sub-processor.
- Where Amazon authorizes any sub-processor pursuant to this Addendum:
- Amazon will enter into a written agreement with the sub-processor
and impose comparable obligations on the sub-processor as are imposed on
Amazon under this Addendum; and
- Amazon will remain responsible for its compliance with the
obligations of this Addendum and for any acts or omissions of the
sub-processor that cause Amazon to breach any of its obligations under
this Addendum.
- Assistance of Controller. Taking
into account the nature of the processing and the nature of Associates
Personal Data, Amazon will provide assistance reasonably requested by
you in order to allow you:
- To comply with your obligations to data
subjects who exercise their rights under GDPR or Applicable Laws. You
acknowledge and agree that you will not request assistance from Amazon
to re-attribute any pseudonymized online identifiers or other
pseudonymized Associates Personal Data to an identified or identifiable
individual; and
- To conduct a data protection impact
assessment in respect of the processing of Associates Personal Data, if
required under the GDPR or Applicable Laws. You acknowledge and agree
that the information contained in this Addendum, together with other
written or online materials provided by or made available by Amazon
about the nature of its processing of Associates Personal Data, is
sufficient for you to conduct any data protection impact assessment.
- Deletion of Associates Personal Data.
Upon the earlier to occur of: (i) the termination or expiry of the
oneTag Policy or the Agreement; or (ii) at your request, Amazon will
delete all Associates Personal Data processed by Amazon as a processor
from Amazon’s systems, unless Applicable Law requires Amazon to store
copies of Associates Personal Data. Amazon will comply with your
instruction to delete all Associates Personal Data as soon as reasonably
practicable.
- Notification of Data Breach.
Amazon will notify you of any confirmed personal data breach involving
Associates Personal Data, in accordance with its obligations as
processor under the GDPR or Applicable Laws. To assist you in relation
to any personal data breach notifications you are required to make under
the GDPR or Applicable Laws, Amazon will provide you with such
information about the personal data breach as Amazon is reasonably able
to disclose to you, taking into account the nature of the services
Amazon performs under this Addendum and the Agreement, the information
available to Amazon, and any restrictions on disclosing the information,
such as confidentiality.
- Onward Transfer of Associates Personal Data.
You agree that Amazon may store and process Associates Personal Data in
countries outside of the European Economic Area. Amazon will only
transfer Associates Personal Data to a country outside the European
Economic Area (1) if the recipient to which Associates Personal Data is
transferred is certified under the Privacy Shield, or (2) pursuant to an
alternative recognized compliance standard for the lawful transfer of
Personal Data outside the European Economic Area.
- Audit: Amazon
uses external auditors to regularly verify the security and adequacy of
its technical and organizational measures taken with respect to the
processing of Associates Personal Data. Upon your written request,
Amazon may make available to you document(s) evidencing an audit
performed, or certification awarded, by an auditor, and delivered in
accordance with prevailing industry standards on data security and
privacy (the “Report”) in order to demonstrate
compliance with Amazon's obligations as a processor under the GDPR and
its obligations under this Addendum. The Report will constitute
Amazon’s confidential information, subject to the confidentiality
provisions of the Operating Agreement or an NDA, as applicable. The
Report constitutes all information necessary to demonstrate Amazon's
compliance with its obligations under this Addendum.
- Further Processing: Associates
Personal Data has been anonymized and aggregated on your behalf for the
purposes of providing oneTag reporting to you. You acknowledge and
agree that Amazon may use Associates Personal Data for its own purposes.
Definitions.
Unless otherwise defined in the Agreement, all capitalized terms used
in this Addendum will have the meanings given to them below:
“Applicable Laws”
means applicable laws, rules, regulations, directives and guidelines
including but not limited to the GDPR and the E-Privacy Directive.
“Affiliate” means with
respect to any entity, any other entity that directly or indirectly
controls, is controlled by, or is under common control with such entity.
“Amazon Data” means Personal Data that is preexisting Amazon data used by Amazon.
“Associates Personal Data”
means Personal Data of End Users processed by Amazon on behalf of you
pursuant to your use of oneTag. As of the Addendum Effective Date,
Associates Personal Data consists of: (i) IP address; (ii) URL; (iii)
clicks and glance views of Amazon affiliate links on your Site; (iv)
browser type and operating system; and (v) pseudonymised identifier
(cookie ID). Associates Personal Data excludes, and Amazon acts as an
independent controller in relation to, Amazon Data.
“End User” means a visitor to your Site.
“E-Privacy Directive”
means the Directive 2002/58/EC of the European Parliament and of the
Council of 12 July 2002 concerning the processing of personal data and
the protection of privacy in the electronic communications sector
(Directive on privacy and electronic communications) and any applicable
implementation or successor thereof.
Annex I: Amazon Security Measures
Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Addendum.
Information Security Program. Amazon
will maintain an information security program (including the adoption
and enforcement of internal policies and procedures) designed to (a)
secure Associates Personal Data against accidental or unlawful loss,
access or disclosure, (b) identify reasonably foreseeable external and
internal risks to security and unauthorized access to Amazon’s
associates systems, and (c) minimize security risks, including through
risk assessment and regular testing. Amazon will designate one or more
employees to coordinate and be accountable for the information security
program. The information security program will include the following
measures:
- Network Security. Amazon’s
associates systems will be electronically accessible to employees,
contractors and any other person as necessary to provide the services
under the Addendum and Amazon will maintain access controls and
policies to manage what access is allowed to the relevant systems from
each network connection and user, including the use of firewalls or
functionally equivalent technology and authentication controls. Amazon
will maintain corrective action and incident response plans to respond
to potential security threats.
Physical Security
- Physical Access Controls. Physical components of Amazon’s associates systems are housed in facilities (the “Facilities”)
where physical barrier controls are used to prevent unauthorized
entrance. Passage through the physical barriers at the Facilities
requires either electronic access control validation (e.g., card access
systems, etc.) or validation by human security personnel (e.g., contract
or in-house security guard service, receptionist).
- Limited Employee and Contractor Access. Amazon
provides access to the Facilities to those employees and contractors
who have a legitimate business need for such access privileges. When an
employee or contractor no longer has a business need for the access
privileges assigned to him/her, the access privileges are promptly
revoked, even if the employee or contractor continues to be an employee
of Amazon or its Affiliates.
Continued Evaluation.
Amazon will conduct periodic reviews of the security of its systems and
adequacy of its information security program as measured against
industry security standards and its policies and procedures. Amazon will
continually evaluate the security of its systems and associated
services to determine whether additional or different security measures
are required to respond to new security risks or findings generated by
the periodic reviews.