Questa pagina riguarda la vendita in: Regno Unito

Vat Services on Amazon Data Processing Addendum

The English version of this agreement is the definitive legal version. Translations into other languages are available for your ease of reference only.

This data processing addendum ("DPA") forms part of the VAT Services on Amazon Online Agreement ("Principal Agreement") available here, as updated from time to time between: (i) Amazon Services Europe S.à.r.l. ("Amazon"); and (ii) the entity registering for and using VAT Services on Amazon ("you" or “Merchant”), jointly the “Parties” or separately the “Party”.

Capitalized terms not otherwise defined herein will have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement will remain in full force and effect.

Article 1: Definitions

The following terms, used in this DPA with a capital letter, will have the meaning given to them in this article, unless clearly indicated otherwise by the context:


means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Amazon or Merchant (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

Applicable Data Protection Legislation

means the EU General Data Protection Regulation 2016/679 ("GDPR"), any other applicable law with respect to the protection of personal data and any data protection laws substantially amending, replacing or superseding the GDPR following the exit by the United Kingdom from the European Union;

Contractual Relationship

means the Principal Agreement between the Parties defining the delivery of the services and/or products or the collaboration between the Parties, including all its amendments and annexes and anything that is subsequently agreed between the Parties with respect to this DPA;


means this data processing addendum, including its annexes;

“Off-Amazon Transaction Data”

means transaction data, which may include Personal Data, in respect of transactions by Merchant made via channels other than the Amazon Site, including Merchant’s own website if applicable;

“On-Amazon Transaction Data”

means transaction data, which may include Personal Data, in respect of transactions by Merchant made via the Amazon Site;

“Process” or “Processing”, "Controller", "Processor", "Data Subject" and "Personal Data Breach"

will have the same meaning as in the Applicable Data Protection Legislation;

“Restricted Transfer”

means a transfer of Personal Data from one Party or its Affiliate to the other Party or its Affiliate, where such transfer would be prohibited by Applicable Data Protection Legislation in the absence of the Standard Contractual Clauses. For the avoidance of any doubt:

  1. without limitation to the generality of the foregoing, the Parties to this DPA intend that transfers of Personal Data from the UK to the European Economic Area (“EEA”) or from the EEA to the UK, following the exit by the UK from the European Union will be Restricted Transfers for such time and to such extent that such transfers would be prohibited by UK Applicable Data Protection Legislation or EU Applicable Data Protection Legislation (as the case may be) in the absence of the Standard Contractual Clauses; and
  2. where a transfer of Personal Data from one country to another country is of a type authorised by Applicable Data Protection Legislation in the exporting country for example in the case of transfers from within the European Union to a country or scheme (such as the US Privacy Shield) which is approved by the European Commission as ensuring an adequate level of protection or any transfer which falls within a permitted derogation, such transfer will not be a Restricted Transfer for the purposes of this DPA;

“Standard Contractual Clauses”


  1. the standard contractual clauses for Restricted Transfers as set out in Commission Decision C(2004)5721, as updated, amended, replaced or superseded from time to time by the European Commission; or
  2. where required from time to time by a Supervisory Authority for use with respect to any specific Restricted Transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Applicable Data Protection Legislation for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time such Supervisory Authority or Applicable Data Protection Legislation;

“Supervisory Authority”


  1. an independent public authority established by a Member State of the European Union pursuant to Article 51 of the GDPR; and
  2. any similar regulatory authority responsible for the enforcement of Applicable Data Protection Legislation.

“Technical and Organisational Measures”

means the technical and organisational measures as defined in the GDPR and as further detailed in Annex 2 of this DPA;

Article 2: Role of the Parties; Purpose of the DPA

The Parties acknowledge that Amazon will act as a separate Controller in relation to On-Amazon Transaction Data and as a Processor in relation to Off-Amazon Transaction Data. Merchant will act as a (separate) Controller in relation to both On-Amazon Transaction Data and Off-Amazon Transaction Data. The purpose of this DPA is to define the conditions under which Amazon undertakes to perform Processing of Personal Data on behalf of Merchant as defined in the Contractual Relationship or described in Annex 1 of this DPA. Within the framework of their Contractual Relationship the Parties agree to comply with the Applicable Data Protection Legislation and, in particular, the GDPR.

Article 3: Term of the Agreement

This DPA will come into force on 25/05/2018 or on the effective date of the Contractual Relationship if it becomes effective after 25/05/2018. Amazon may Process the Personal Data transmitted by Merchant for as long as necessary for the performance of the assignment as specified in the Contractual Relationship or Annex 1 of this DPA.

Article 4: Obligations of Amazon in relation to the Processing of Personal Data

Amazon agrees to comply with the following obligations:

Article 4.1: Data Processing

Amazon agrees to Process the Personal Data in relation to Off-Amazon Transaction Data only in accordance with the written instructions of Merchant set out in the Contractual Relationship or in Annex 1 of this DPA (the “Documented Instructions”). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Amazon and Merchant.

Should Amazon reasonably consider that an instruction constitutes a violation of the GDPR or another provision of EU or Member State law on Data Protection (“Challenged Instruction”), it will promptly inform Merchant of such situation. Upon providing such notification, Amazon will be entitled to suspend performance of the Challenged Instruction and to continue to Process the Personal Data in relation to Off-Amazon Transaction Data in accordance with previously provided instructions. Merchant will not be entitled to any indemnity or damages for such stay in performance.

Article 4.2: Confidentiality
Amazon will ensure that persons authorised to Process the Personal Data in relation to Off-Amazon Transaction Data for purposes of the Contractual Relationship undertake to respect the confidentiality of the Personal Data or be subject to an appropriate legal obligation of confidentiality.

Article 4.3: Technical and Organisational Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, Amazon will implement appropriate Technical and Organisational Measures to ensure a level of security appropriate to the risk. These will include, inter alia and as appropriate, those listed in Annex 2. In assessing the appropriate level of security, account will be taken in particular of the risks that are presented by Processing, in particular resulting from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Article 4.4: Sub-Processing

Merchant acknowledges and agrees that Amazon may use another Processor to fulfil its contractual obligations under this DPA or to provide certain services on its behalf (hereinafter the “Sub-Processor”). By agreeing to the terms of this DPA, Merchant grants Amazon the general authorisation to recruit Sub-Processors and allows Amazon to continue to work with Sub-Processors that had already been appointed on the effective date of the DPA. Merchant hereby specifically authorises Amazon to engage any Amazon Affiliate as a Sub-Processor.

A list of Sub-Processors engaged by Amazon can be accessed here. If Amazon engages a new Sub-Processor, the aforementioned list will be updated accordingly, allowing Merchant to object to these changes. Where Merchant objects to the appointment of a Sub-Processor, Merchant acknowledges and agrees that Amazon will no longer deliver any services under the Contractual Relationship that require Processing of Personal Data in relation to Off-Amazon Transaction Data.

These terms and conditions will apply to all Sub-Processors:

  1. Any Sub-Processors engaged by Amazon must implement appropriate technical and organisational measures such that the Processing meets GDPR requirements; and
  2. Amazon will impose on the Sub-Processor the same Data Protection obligations as those set out in Article 4 of this DPA.

Article 4.5: Rights of Data Subjects

Merchant will provide the Data Subjects with information pursuant to their rights (Chapter III of the GDPR), both in its own capacity as Controller in all cases and on behalf of Amazon as Controller as regards On-Amazon Transaction Data. Merchant will be responsible for handling any Data Subject request relating to its Processing activities. Amazon will notify Merchant of any request from a Data Subject it may receive.

Taking into account the nature of the Processing, and by means of appropriate Technical and Organisational Measures, Amazon will provide assistance reasonably requested by Merchant to allow Merchant to fulfil its obligation to comply with requests made by Data Subjects to Merchant for exercising their rights.

Notwithstanding the foregoing, to the extent any Data Subject issues a request to Merchant that only relates to Amazon’s Processing of On-Amazon Transaction Data as a Controller, Merchant will redirect the Data Subject toward Amazon for the handling of such a request.

Article 4.6: Assistance to Merchant with respect to the Impact Assessment and Prior Consultation

Amazon will provide assistance reasonably requested by Merchant to allow Merchant to meet its obligations with respect to impact assessment and prior consultation (as described in the articles 35 and 36 of the GDPR), taking into account the nature of Processing and the information available to Amazon. Merchant acknowledges and agrees that information contained in this DPA, together with other written or online materials provided or made available by Amazon about the nature of its Processing of Personal Data, is sufficient for Merchant to conduct any such impact assessment and consultation.

Article 4.7: Personal Data Breach

Amazon will notify Merchant of any Personal Data Breach in relation to Off-Amazon Transaction Data as soon as reasonably possible, and without undue delay, after having become aware of such Personal Data Breach and take reasonable steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach. This notification will be accompanied, where possible and taking into account the nature of the services, by the information available to Amazon and any restrictions on disclosing the information such as confidentiality, by any useful documentation enabling Merchant, if necessary, to notify the competent Supervisory Authority of such Personal Data Breach.

Notification(s) of Personal Data Breaches, if any, will be delivered to one or more of Merchant’s administrators by any means Amazon selects, including via email. It is Merchant’s sole responsibility to ensure Controller’s administrators maintain accurate contact information and secure transmission at all times. Amazon’s obligation to report or respond to a Personal Data Breach under this section is not and will not be construed as an acknowledgement by Amazon of any fault or liability with respect to the Personal Data Breach.

Article 4.8: Deletion of Off-Amazon Transaction Data

Upon the earlier to occur of the termination or expiry of the Principal Agreement or at Merchant’s request, Amazon will delete all Personal Data in relation to Off-Amazon Transaction Data transmitted by Merchant, provided that Amazon may retain such Personal Data for a longer period to the extent required by applicable law or to the extent necessary to establish, exercise or defend its legal rights, comply with its legal obligations, or as otherwise permitted by the Principal Agreement.

Article 4.9: Documentation and Audit

Merchant may audit Amazon’s controls relating to Processing Personal Data in relation to Off-Amazon Transaction Data transmitted by Merchant. Following receipt of any such audit request by Merchant, Amazon and Merchant will agree to a reasonable start date, scope and duration, and security and confidentiality controls, applicable to the audit. Merchant agrees that the sole purpose of the audit is to allow Merchant to reasonably verify Amazon’s compliance with its obligations under this DPA. Merchant is not entitled to receive (1) information about any system, hardware, software, technology, know-how, program, process, or policy that does not involve Personal Data relating to Off-Amazon Transaction Data and the obligations set out in this DPA, (2) any information that, in Amazon’s reasonable opinion, could compromise the security of any Amazon systems or premises or cause Amazon or any Amazon Affiliate to breach its obligations under the GDPR or other applicable laws and regulations or privacy obligations to Amazon customers or any third party, or (3) any information that Merchant seeks to access for any reason other than good faith fulfilment of Merchant’s obligations under the Applicable Data Protection Legislation. Any audit requests must set out the reasons justifying the audit. Amazon may object to any third party auditor appointed by Merchant to conduct any audit under this Article if the auditor is, in Amazon’s reasonable opinion, not suitably qualified or independent. Any such objection will require Merchant to appoint another auditor or conduct the audit itself. Amazon will be entitled to a reasonable fee from Merchant upon providing and making available all the necessary information.

Article 4.10: Restricted Transfers

The Parties hereby enter into the Standard Contractual Clauses, which are incorporated into this DPA by reference, in respect of any Restricted Transfer. For the purposes of clause II h) of the Standard Contractual Clauses, the Parties will be deemed to have selected option (iii). Annex 2 to the Standard Contractual Clauses will be deemed to be prepopulated with the relevant sections of Annex 1 to this DPA. Subject to the Standard Contractual Clauses in respect of any Restricted Transfer, Merchant agrees that Amazon may transfer, store and Process Personal Data to and in countries outside of the EEA for purposes of Processing set forth in this DPA.

Article 5: Liability

Amazon will not be liable towards Merchant for any breach of Applicable Data Protection Legislation that is attributable in whole or in part to Merchant or Merchant’s instructions. Merchant warrants that all Personal Data that Merchant provides to Amazon has been collected and treated in accordance with Applicable Data Protection Legislation. In case of breach of this obligation, Merchant will indemnify, defend and hold Amazon harmless from and against all losses, liabilities, claims and damages arising from claims of a third party or a Supervisory Authority.

Article 6: Other Provisions

Article 6.1: Jurisdiction and Governing Law

The Parties declare that the court given jurisdiction in the Contractual Relationship between the Parties will also have jurisdiction over any dispute and any claims that may arise as a result of this DPA, including any disputes relating to its existence, its legal validity or its termination or the consequences of its nullity. The Parties declare that this DPA, as well as all non-contractual or other obligations attached to this DPA, will be governed by the laws of the country determined in the Contractual Relationship between the Parties.

Article 6.2: Validity and Enforceability

The invalidity or non-enforceability of any provision of the DPA, whatever it may be, will not affect the validity or enforceability of any other provision of the DPA. The corresponding provision will be either (i) replaced by a valid and enforceable provision that is closest to the original intention of the Parties or, if this is not possible, (ii) will be interpreted as if the invalid or unenforceable provision had never been part of this DPA.


This Annex 1 contains certain details regarding the Processing of the Personal Data transmitted by the Controller, as stipulated in Article 28(3) of the GDPR.

Subject-matter and duration of the Processing of the Personal Data transmitted by the Controller:

The subject matter and duration of the Processing of the Personal Data transmitted by the Controller are as described in the Contractual Relationship and this DPA.

Nature and purpose (aim) of the Processing of the Personal Data transmitted by the Controller:

The Processing of the Personal Data transmitted by the Controller is for purposes of the Contractual Relationship.

Types of Personal Data transmitted by the Controller:

The following types of Personal Data may be transmitted by the Controller: Personal Data relating to Merchant, Merchant’s customers, and/or its or their respective representatives and/or suppliers, such as names, addresses, contact information, identification numbers and other data relevant for tax compliance purposes and relating to a natural person.

Categories of Data Subjects to which the Personal Data transmitted by the Controller relates:

The Personal Data transmitted by the Controller relates to the following categories of Data Subjects: Merchant, Merchant’s customers, and/or its or their respective representatives and/or suppliers.


To ensure the Processing of Personal Data under the Contractual Relationship, Amazon will implement and maintain the following Technical and Organisational Measures:

Information Security Program. Amazon will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help secure Personal Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable external and internal risks to security and unauthorised access to Amazon’s systems, and (c) minimise security risks, including through risk assessment and regular testing. Amazon will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include, for example, the following measures:

  1. Install and maintain a working network firewall to protect data accessible via the Internet;
  2. Keep security patches up-to-date;
  3. Encrypt data sent across networks;
  4. Use and regularly update anti-malware software;
  5. Avoid use of supplier-supplied defaults for system passwords and other security parameters;
  6. Mandate the use of “strong passwords” on all systems, or, in the absence of a mandatory (system enforced) password quality checker, enforce account lockout after no more than 10 consecutive incorrect password attempts;
  7. Maintain a policy that addresses information security for employees and suppliers;
  8. Use a continuous security lifecycle to identify, assess, protect and monitor systems containing Amazon data; and
  9. Restrict remote access to the entire network and employ remote access controls to verify the identity of users connecting.
Accedi per utilizzare lo strumento e ottenere assistenza personalizzata (compatibile solo con browser per computer). Accedi

Ti abbiamo aiutato?
Grazie del feedback.
Come possiamo migliorare questa pagina di aiuto? Nota: Questo modulo non consente di creare un caso per richiedere assistenza al servizio di supporto al venditore. Specifica gli errori presenti nel contenuto.
Che cosa hai trovato utile?
Grazie ancora per averci fornito la tua opinione.
Grazie del feedback. In caso di altre domande, Contact Us.

Raggiungi milioni di clienti

Inizia a vendere su Amazon

© 1999-2020,, Inc. or its affiliates