Amazon Data Processing Agreement
Last Updated: March 5, 2021
This Data Processing Agreement (“DPA”) supplements the Master Products and Services Agreement (the “Service Agreement”) between Amazon and Supplier (or “You”), and governs Supplier’s Processing of Amazon Personal Information. This DPA is intended to satisfy legal requirements under Data Protection Laws. Capitalized terms not defined in this DPA will have the meanings given to them in the Service Agreement.
a. “Amazon Personal Information” means Personal Information Processed by Supplier on behalf of Amazon.
b. “Business” has the meaning set forth in Section 1798.140(c) of the CCPA.
c. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of
d. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Amazon Personal Information transmitted, stored or otherwise Processed.
e. “Data Protection Laws” means all applicable data protection, data privacy, and cybersecurity laws, rules, and regulations anywhere in the world in force from time to time to which the Amazon Personal Information is subject. Data Protection Laws shall include, but are not limited to, the California Consumer Privacy Act of 2018 (“CCPA”), the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Brazilian Law No. 13.709/18 (Personal Data Protection Act - LGPD).
f. “Data Subject” means an identified or identifiable natural person to whom Personal Information relates.
g. “Personal Information” shall have the meaning assigned to the terms “personal data” and/or “personal information” under Data Protection Laws and shall, at a minimum, include any information relating to an identified or identifiable natural person.
h. “Process” means any operation or set of operations, which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
i. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Information on behalf of the Controller.
j. “Security Policy” means Amazon’s information security requirements attached as Exhibit A to the Service Agreement.
k. “Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.
l. “Services” means the Products or Services that Supplier provides pursuant to the Service Agreement.
m. “Standard Contractual Clauses” means Annex 1, attached to and forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.
n. “Subprocessor” means Supplier’s vendors and third-party service providers that Process Amazon Personal Information.
2. The parties agree that Amazon is a Business and/or Controller of Amazon Personal Information, and Supplier is a Service Provider and/or Processor. Amazon hereby instructs Supplier to Process Amazon Personal Information solely to the extent necessary to provide the Services to Amazon. Supplier is not entitled to Process Amazon Personal Information for its own purposes including, without limitation, sharing Amazon Personal Information with third parties (other than approved Subprocessors) or selling Amazon Personal Information (as the term “sell” is defined by the CCPA). Supplier will only Process Amazon Personal Information on behalf of Amazon and solely for the purpose of providing the Services. Supplier shall not retain, use, or disclose Amazon Personal Information: (i) for any purpose (including, but not limited to, any commercial purpose) other than to perform the Services for Amazon or (ii) outside of the direct business relationship between Amazon and
3. Supplier will meet or exceed the technical and organizational data security measures described in the Security Policy.
4. Amazon authorizes Supplier to engage the Subprocessors listed in an Order signed by Amazon provided that Supplier:
a. executes a written contract with each Subprocessor with the same or more protective obligations and data protection measures contained in this DPA and the Security Policy, and provides a copy of such contracts to Amazon upon request; and
b. remains fully responsible and liable for any actions and omissions of Subprocessors and their agents.
5. Supplier shall not add or change its Subprocessors without providing prior written notice to Amazon. Upon receipt of such notice, Amazon shall have ninety (90) days to object to changes concerning the addition or replacement of Subprocessors. If Amazon objects to a Subprocessor, Supplier shall not use such Subprocessor in connection with providing the applicable Service to Amazon. If Supplier cannot provide such Service to Amazon without use of the objected-to Subprocessor, then at Amazon’s option, (a) Amazon may terminate the applicable Service and receive a refund of fees that Amazon pre-paid for the Service for the period of time after the effective date of such termination, or (b) Supplier shall, at no cost to Amazon and within thirty (30) days of receipt of Amazon’s notice of objection, (i) change the Service to avoid using the objected-to Subprocessor, or (ii) recommend changes to Amazon’s configuration of the Service that will not unreasonably burden Amazon (in Amazon’s reasonable opinion), to avoid Supplier’s use of the objected-to Subprocessor in connection with providing the Service to Amazon.
6. Supplier will comply with all requirements of this DPA and Data Protection Laws with respect to all Amazon Personal Information it Processes. Without limiting the generality of the foregoing, Supplier will:
a. Process the Amazon Personal Information only on documented instructions from Amazon, unless otherwise required by a law to which Supplier is subject; in such a case, Supplier will inform Amazon of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
b. ensure that persons authorized to Process Amazon Personal Information have committed themselves to appropriate obligations of confidentiality or are under appropriate statutory obligations of confidentiality;
c. take all measures required to protect Amazon Personal Information, including, without limitation, implementing and maintaining reasonable safeguards appropriate to protect Amazon Personal Information;
d. assist Amazon in ensuring compliance with the obligations pursuant to Data Protection Laws including, but not limited to, Articles 32 to 36 of the GDPR taking into account the nature of Processing and the information available to Supplier;
e. make available to Amazon all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, conducted by Amazon or another auditor mandated by Amazon in accordance with Section 10 of this DPA.
Supplier will immediately inform Amazon if, in its opinion, an instruction from Amazon infringes Data Protection Laws, or if Supplier believes that it cannot comply with any instruction or any requirements under this DPA, including without limitation whether Supplier is unable to comply with the Standard Contractual Clauses or other lawful transfer mechanism under Section 14 of this DPA.
7. Supplier will without undue delay, and within the period specified by applicable Data Protection Laws, provide notice to Amazon of any Data Breach with, at a minimum, the following details:
a. the nature of the Data Breach including the type of Amazon Personal Information; and
b. an estimation of the number of Data Subjects involved by location, and where possible their names. Supplier will promptly investigate the Data Breach and will provide Amazon with reasonable assistance to satisfy any legal obligations (including obligations to notify government authorities, Data Subjects or others) of Amazon in relation to such Data Breach.
8. This DPA will survive termination of the Service Agreement. Upon termination of the Service Agreement or earlier upon Amazon’s request, and at Amazon’s choice, Supplier will unless any applicable law, competent court, or supervisory or regulatory body prevents Supplier from returning or destroying Amazon Personal Information:
a. destroy all Amazon Personal Information processed and any copies thereof and certify to Amazon on request that Supplier has done so; or
b. if requested by Amazon, return all Amazon Personal Information Processed and the copies thereof to Amazon or another recipient identified by Amazon. If Amazon does not request return of Amazon Personal Information in accordance with the Security Policy within thirty (30) days following termination of the Service Agreement, Supplier shall destroy all Amazon Personal Information in accordance with Section 8 (a) above.
9. Supplier will monitor and self-audit its own compliance with its obligations under Data Protection Laws and this DPA and will provide Amazon with periodic reports, at least annually.
10. At Amazon’s written request, Supplier will allow an audit (on-site or remotely) to verify Supplier’s and any of its Subprocessors’ compliance with obligations under Data Protection Laws and this DPA, to be carried out either (a) by an independent third party audit firm bound by a duty of confidentiality selected by Amazon and approved by Supplier (which approval will not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (b) by a competent government authority. The audit will be carried out in close cooperation with Supplier’s designated representative with relevant knowledge and expertise. Parties will agree on the scope of the audit in advance. Amazon will notify Supplier in writing with a minimum of 10 business days (in the country where the audit will be conducted) prior to any audit being carried out. Amazon will bear the costs of the audit unless the audit uncovers compliance deficits that are material, in which case Supplier will reimburse Amazon for the costs of the audit. If Amazon requests Supplier to incur out-of-pocket costs to assist Amazon in the audit, then Supplier is entitled to a reasonable, pre-approved reimbursement for its costs of the audit incurred by Supplier, to be paid by Amazon only if the audit does not uncover compliance deficits that are material.
11. Supplier will promptly assist Amazon, to the extent reasonably possible, to comply with Data Protection Laws. Without limiting the generality of the foregoing, Supplier will assist Amazon with any data protection impact assessment and consultation procedures, if any, that relate to the Services provided by Supplier to Amazon and the Amazon Personal Information that Supplier Processes for Amazon.
12. Supplier will assist Amazon with any Data Subject requests under Data Protection Laws, including without limitation access, portability, correction, erasure or restriction, and objection to Processing and/or sale requests. If Supplier receives any complaints or requests from Data Subjects, government authorities or others relating to its Processing under this DPA, Supplier will inform Amazon within five (5) days of receipt of such complaint or request, and assist Amazon with developing a response and resolution (but Supplier will not itself respond, except per instructions from Amazon). Supplier will also assist Amazon with the resolution of any request or inquiries that Amazon receives from government authorities or others relating to Supplier and, if and to the extent requested by Amazon, cooperate with any authorities’ requests.
13. Supplier will notify Amazon without undue delay about any legally binding request for disclosure of Amazon Personal Information by a law enforcement authority, unless otherwise prohibited (such as, but not limited to, a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).
14. If Supplier is established in, or transfers Amazon Personal Information to, a country outside the European Economic Area (the “EEA”) or a country that is not covered by an adequacy decision of the European Commission, by agreeing to the DPA, Supplier enters into the Standard Contractual Clauses. Supplier shall not transfer Personal Information to a country outside the EEA or to a country that is not covered by an adequacy decision of the European Commission (including to any Subprocessors) unless the transfer is subject to the Standard Contractual Clauses and written technical and organizational security measures to protect the Personal Information that are at least as protective of Personal Information as the Security Policy. If a Subprocessor is a Data Importer, Supplier will inform Amazon in an Order and will procure such Data Importer’s agreement to the Standard Contractual Clauses as an additional Data Importer. If the Standard Contractual Clauses are invalidated or replaced, Amazon and Supplier will promptly implement an alternative data transfer mechanism as required by the GDPR. In respect of any transfers of Amazon Personal Information from one jurisdiction to another not covered by the foregoing, Supplier shall not make such transfer unless the transfer is permitted in accordance with Data Protection Laws (including that any relevant transfer is subject to a lawful transfer mechanism). Supplier shall do all things reasonably necessary to comply with this Section, including entering into any further agreements with Amazon or Amazon’s Affiliates for this purpose. Amazon may at any time suspend or terminate any international transfer of Amazon Personal Information under this DPA without liability to Supplier if Amazon is of the opinion that such transfer is, or is likely to, breach any requirement of Data Protection Law.
15. All obligations under this DPA apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Supplier.
16. The parties agree that Amazon’s Affiliates are intended third party beneficiaries of this DPA and such provisions are intended to inure to the benefit of Amazon Affiliates. Without limiting the foregoing, Amazon Affiliates will be entitled to enforce this DPA as if each were a signatory to this DPA.
17. In case of any conflict or inconsistency with respect to the Processing of Personal Information, the terms that are most protective of the Personal Information shall apply.
18. If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
19. Supplier agrees that it shall be responsible for all costs associated with its compliance with this DPA.
20. To the extent required to comply with Data Protection Laws, or the requirements of a competent supervisory authority, (i) Amazon or Amazon Affiliate(s) may update this DPA at this URL from time to time by posting an updated DPA on this URL, and Your continued provision of Services constitutes Your acceptance of the updated DPA or (ii) Amazon or Amazon Affiliate(s) may require Supplier or its affiliates to execute a new data processing agreement or comparable terms to this DPA with the relevant Amazon Affiliate(s).
Commission Decision C(2010)593 Standard Contractual Clauses (processors)
These Standard Contractual Clauses will apply to any transfers of personal data from Amazon to a Supplier established in a country outside the European Economic Area or that is not covered by an adequacy decision of the European Commission, as well as for transfers from such Supplier to subprocessors established outside the European Economic Area that are not covered by an adequacy decision of the European Commission in connection with Supplier’s provision of Services to Amazon. The parties hereby adopt these Standard Contractual Clauses to govern all such transfers. Capitalized terms not defined herein have the meanings given in the Service Agreement.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection:
Name of the data exporting organisation:
Amazon and its Affiliates - (the data exporter)
the Supplier listed in an Order subject to the Service Agreement between Amazon and Supplier - (the data importer)
Clause 1 - Definitions
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2 - Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 - Third-party beneficiary clause
a) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
b) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
c) The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
d) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4 - Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5 - Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6 - Liability
case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7 - Mediation and jurisdiction
Clause 8 - Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9 - Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10 - Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 - Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Clause 12 - Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is Amazon and its Affiliates.
The data importer is Supplier (as defined in the Data Processing Agreement).
The personal data transferred concern the categories of data subjects listed in an Order subject to the Service Agreement between Amazon and Supplier (an “Order”).
Categories of data
The personal data transferred concern the categories of data listed in an Order.
Special categories of data (if appropriate)
The personal data transferred concern the special categories of data (if any) listed in an Order.
The personal data transferred will be subject to the basic processing activities listed in an
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data Importer and Data Exporter hereby incorporate into this Appendix 2 the Security Policy attached as an Exhibit to the Master Products and Services Agreement between Amazon and Supplier. Data Importer will comply in all respects with the information security requirements therein.