Sorry for the dramatic title. The following announcement is not only about SellerLegend’s GDPR compliance; it is just as much about YOUR GDPR compliance.

Before you read what follows, please do not get irate with us and do not shoot the messenger. The regulations are what they are. We will not be drawn into defending or criticizing them; there is simply not enough time left to lament, and the fines are too gargantuan to ignore.

GDPR is a new legal requirement applicable to ALL businesses trading in the EU and handling personal data (we all do), no matter where in the world you are located. If you sell on Amazon in the EU, you are subject to GDPR. There are no exceptions.

GDPR is a hefty piece of legislation, which requires you to produce at a minimum 13 different documents to explain and demonstrate how you manage your business in terms of data security. And “data” means every scrap of paper, handwritten list, spreadsheet, PDF, document and system you use in your business to handle your buyers’ personal data.

An important part of GDPR is having adequate business processes to control the data you have entrusted to third parties. That includes SellerLegend, as well as any other tool, system, company or assistant you use. For example, it applies to your VAs (virtual assistants) as well.

During our own compliance review, which has been ongoing for the past two months, we have identified that we need to create 26 (out of a potential 42 or so) different documents to comply fully.

But documenting, while time-consuming and costly, is not the major task. Once documented, you need to implement, and keep complying with, what you have specified in those documents. That is the true killer.

I cannot stress enough that *you* as an Amazon seller MUST comply with GDPR. It has nothing to do with SellerLegend; it has to do with your OWN business.

I am attaching a draft of our first public document, which is called the Data Processing Agreement (DPA). This is in addition to, and distinct from, the Terms of Service, Privacy Policy, Cookie Policy, etc. It is the binding legal contract between you (the data controller) and SellerLegend (your data processor) that GDPR requires for any processing done on your behalf, and you will need to physically sign it. It explains what our obligations are to:

1. Protect your data
2. Assist *you* in complying with GDPR
3. Notify *you* of a security breach so that you can communicate with the regulator. (Yes, as the controller you are responsible for the regulatory communication if any of your processors is breached; GDPR gives you 72 hours from becoming aware of the breach to do it, so the processor’s notification to you has to be prompt.)

And oh, BTW, if you use multiple seller tools which handle personal data (most do), you need to sign a DPA with EACH ONE of the tool providers. And if you use other third-party processors (Mailchimp, Zendesk, Slack, Trello et al.), you need one with each of those too.

Below is our first draft of the DPA, which we hope to put into effect on May 1st, about 25 days before the GDPR deadline. Please read it: it will reveal some of the obligations you must satisfy, although it is only the very tip of the iceberg.
07.2_Supplier_Data_Processing_Agreement