Giplo - Processing of personal data

This Privacy Policy, in addition to the authorization granted to Giplo (hereinafter also the "Data Processor") to access the account and sales data of the Authorized User (a seller who uses the Amazon system and services for its own wholesale or retail business, hereinafter also "Owner"), sets out Giplo’s prerogatives and duties as Data Processor of the Authorized User concerning the processing of common personal data related to the following purposes:

1. Stakeholders.

The subjects whose data are processed (hereinafter also "Stakeholders") can be customers of the Owner, operators of the latter and any other subject that is necessary for the correct execution of the processing specified above.

2. Type of data processed.

Personal/identification data (name, surname), purchase/consumption preferences, contact details (including residential address), bank details or, in any case, details relating to payment systems. The Owner, by virtue of the authorization granted to the Data Processor to access his account and the consequent acceptance of this policy, hereby declares that the processing will not include particular data (for example, data on the state of health of the Stakeholders or in any case data included in Article 9 of the GDPR) or data related to minors.

3. Duration of the processing of personal data and deletion of this data.

The processing of personal data carried out by the Data Processor will last for the time necessary for the correct execution of the task conferred by the Owner, in any case in compliance with Amazon's "Data Protection Policy" (DPP of Amazon Services API). At the end of the processing period or at the request of the Owner or Amazon (compatibly with the DPP and AUP policies), the Data Processor will delete all personal data that it is not required to keep due to legal obligations. At the request of the Owner, the Data Processor will return the data to the Owner at the end of the processing (before cancellation).

4. Method and place of processing.

The processing will take place with or without the aid of electronic/automated tools, at the headquarters of the Data Processor and in the cloud at the Amazon Web Service (AWS) data center.

5. Indemnification of the Owner.

The Owner, by virtue of the authorization granted to the Data Processor to access his account and the consequent acceptance of this policy, hereby declares that it has acquired the data that will be processed by the Data Processor in accordance with:

The Owner consequently shall indemnify and hold the Data Processor harmless for any related consequence/liability

6. Obligations of the Data Processor.

The Data Processor will carry out the aforementioned processing of data only on behalf of the Owner, in compliance with the applicable privacy legislation (including the GDPR), the policy of Amazon Services API (DPP and AUP) and the instructions of the Owner, adopting all the appropriate technical and organizational measures to meet legal and contractual requirements (including Article 32 of EU Reg. 2016/679 and the policies of Amazon Services API referred to above) and ensuring the protection of the related rights of the interested party. If specific instructions of the Owner conflict with the provisions of the law or with the policy of Amazon Services API (DPP and AUP), the Data Processor will promptly notify the Data Controller of this conflict, undertaking to collaborate with the latter in order to identify an applicable solution.

7. Persons in charge of processing and system administrator.

The Data Processor undertakes to identify and authorize in writing the Persons in charge of processing (i.e. subjects who are part of its organization and are authorized to execute, in whole or in part, the processing of personal data), assigning the related tasks and guaranteeing their commitment to confidentiality. Furthermore, the Data Processor will identify and appoint in writing the System Administrator, monitoring its activity, with reference to what is set out in the Provision of 27 November 2008 of the Italian Privacy Guarantor. The authorization granted to the Persons in charge of processing will be limited to the activities strictly necessary for the execution of the relative duties, according to the principle of minimizing access to personal data. Each Person in charge of processing will be provided, by the System Administrator, with adequate authentication credentials to access personal data. These credentials will be changed by the Persons in charge of processing at the time of the first access, will be known only by the latter (with the signing of a specific obligation of confidentiality) and will be connected to specific privileges for access to and processing of personal data. Credentials will comply with legal requirements and those established by the Amazon Services API (DPP and AUP) policies. The access credentials will be changed, by the Persons in charge of processing, every 3 months or whenever they fear a loss of the credentials' confidentiality. Any right of access/data processing will be immediately revoked when the Person in charge of processing leaves the job function which required this right of access/processing. It is expressly forbidden for the Persons in charge of processing to transfer, store, access or otherwise process personal data through non-company devices, including CDs, USB keys, PCs, etc.

8. Sub-processors.

The Data Processor declares that it uses the Amazon Web Service cloud services (in particular for data retention), which therefore assumes the status of sub-processor. The Data Processor undertakes to identify and appoint in writing any future and additional sub-processors, promptly notifying the Owner. In this regard, the Owner, by virtue of the authorization granted to the Data Processor to access his account and the consequent acceptance of this policy, hereby authorizes the Data Processor to appoint new sub-processors, ensuring that they comply with the same provisions set out in this policy, with art. 28 par. 2 and 4 EU Reg. 2016/679 and with the provisions of the Amazon Services API policy (DPP and AUP). In any case, the Data Processor guarantees that the personal data covered by this policy will not be disclosed

9. Security measures.

The Data Processor undertakes to implement specific company procedures of risk analysis, as well as technical and organizational measures to guarantee the confidentiality of personal data and the rights of the Stakeholders, in accordance with the policy of Amazon Services API (DPP and AUP) and with articles 32 and 36 EU Reg. 2016/679. The procedural measures will also include an appropriate and periodic training plan for the Persons in charge of processing concerning the confidentiality of personal data and IT security, in view of the business needs, the regulatory prescriptions and the policies of Amazon Services API (DPP and AUP).

10. Register of processing activities.

Each processing activity will be systematically organized in a document defined as the Register of processing activities, with indication of the purposes, the legal bases of processing, the categories of interested parties and data processed, the subjects involved in the processing and the duration of the processing itself, according to the regulatory provisions and the policy of Amazon Services API (DPP and AUP). The Register of processing activities will also contain a list of all the security measures implemented pursuant to the previous point (9) and, in general, will acknowledge the compliance of the Data Processor with the regulatory provisions and contractual terms of privacy.

11. Control and audit activities.

Upon express request, the Data Processor will make available to the Owner all the information necessary to demonstrate that it is in compliance with all its obligations, as referred to above, also by allowing control activities, including inspections, carried out by the Owner, by Amazon or another person appointed by them.

12. Exercise of the rights of the Stakeholders.

The Data Processor undertakes to actively collaborate with the Owner and with Amazon in order to execute the rights and requests of the Stakeholders, as per regulatory and contractual provisions, as well as with reference to the Amazon Services API (DPP and AUP) policies.

13. Data breach.

In the event of a data breach (i.e. when personal data is in any way modified, compromised, cancelled/destroyed, made inaccessible, stolen, disclosed/communicated illegitimately to third parties or knowable by them, or when the security measures - including and above all IT - set out by the Data Processor are violated), any Person in charge of processing who becomes aware of this violation must immediately notify the System Administrator (hereinafter, potential "Data breach"). Following the assessment and awareness of the Data breach, the Data Processor will communicate the Data breach to the Owner and to Amazon within 24 hours, in compliance with the provisions of the law (in particular of articles 33 and 34 of EU Reg. 2016/679) and of the policy of Amazon Services API (DPP and AUP), collaborating, if necessary, in the subsequent communication to the competent Guarantor Authority and to the individual Stakeholders, as well as identifying the necessary measures to minimize the risks of the event and prevent it from occurring again.