
GDPR and Amazon

by Seller_D1ec8BvoUE8BJ

Is there anything that we, as sellers using FBM or FBA, will need to change in relation to new GDPR guidelines?
I’m assuming that “Amazon’s policies” pass onto us in some way? The whole thing is very confusing trying to understand and read into, and there really aren’t any black and white answers.
Just wondering what others’ thoughts were, if any, with Amazon and Ebay selling and how we handle the data we receive from them, and how things may (or may not!) change once the new guidelines come in.

Tags: FBA
1972 views
114 replies
Seller_0Amk0hnQkPWMH
In reply to: Seller_D1ec8BvoUE8BJ’s post

Speaking as an FBM, the GDPR has massive implications for marketplace sellers and we cannot hide under any Amazon policy, because you (the FBM) process buyers’ personal data (name and address for posting purposes, for example).

You need to document the lawful basis under which you process the data (e.g. contract, consent etc.), what data you receive, where it comes from, what you do with it and how long you store it. And you have to have a clear privacy policy which outlines this. Amazon’s privacy policy doesn’t cover you, because an FBM processes personal data differently to Amazon. That’s just for starters. I have spent the past few days reading it all (110 pages) and beginning to map data and document it.

The best place to start is the ICO website, where they give you a 12-step guide of things to do now. Also templates for documenting stuff.

The worst thing you can do is stick your head in the sand and think it doesn’t apply to you because you sell on Amazon/Ebay etc. Good luck, 2 months to get it done.

Seller_NMoAY1ZsmOCqb
In reply to: Seller_D1ec8BvoUE8BJ’s post

Although we’ve heard of this, we’ve not bothered looking into it.

We’ve just checked on the ICO website under the Registration - Self Assessment page and received the following:

  1. Do you use CCTV for the purposes of crime prevention?
    No
  2. Are you processing personal information?
    No
    You are under no requirement to register

Seller_Rds42gzScDQFa
In reply to: Seller_D1ec8BvoUE8BJ’s post

I’ve just spent 90 minutes talking to ICO about this. I explained that I have access to people’s names and addresses as I need them to post out orders. I was advised to email Amazon and find out if I am considered a Data Processor, which means I am acting under their (Amazon’s) instructions, or Data Controller, which means I determine the manner and purpose in how the data is used, as ICO weren’t clear given the circumstances.

If you’re deemed to be a Data Controller you have to explain what you do with the Data even if you don’t keep a copy of the buyer’s address, you have to inform them that you delete it after the order has been shipped, which on Amazon you cannot do.

Seller_KQwXr5kY5oIPO
In reply to: Seller_D1ec8BvoUE8BJ’s post

What we really need is confirmation from Amazon.

How I currently understand it, if you only ship and process orders through Seller Central then you are not liable for any data, as all this is given and stored by Amazon on their servers. However, if you do not process orders via Seller Central and use 3rd party software, say Linnworks, to process your orders, then you are liable as you are retaining a copy of the customer data.

Seller_UUnTOdqvuY2Oc
In reply to: Seller_D1ec8BvoUE8BJ’s post

The fact that you have access to personal data on Amazon, whether you print it, view it or download it, you need to document how you use that data.

I’m surprised Amazon haven’t asked all sellers to complete a form or sign a contract that covers the GDPR regs.

Seller_UUnTOdqvuY2Oc
In reply to: Seller_D1ec8BvoUE8BJ’s post

Amazon’s Privacy Notice states it was last updated July 2017, so I expect this will change in the next few weeks.

Seller_nvADPpjZqpzC3
In reply to: Seller_D1ec8BvoUE8BJ’s post

I won’t be doing anything until any of the platforms we use tell us to.

It’s hard to imagine that any changes needed have passed Amazon, Ebay, Etsy etc. by, because to date none of them have issued us with a statement requiring change.

Seller_KQwXr5kY5oIPO
In reply to: Seller_D1ec8BvoUE8BJ’s post

Thanks PP, I have used it for Amazon and adapted it for our website as well.

Seller_RxXVLtlSwREvs
In reply to: Seller_D1ec8BvoUE8BJ’s post

Here’s the biggest problem I see here.
We need to keep records for tax purposes. We also need to keep records for dealing with warranty items and resending invoices to customers. We can’t rely on Amazon, they give us access to order information for the last 365 days. The “other place”, if you sell on there, gives us 90 days.

GDPR requires us to keep a record of consent from every customer. How can we possibly do that when selling via marketplaces? If we email every customer for every order … 1: We’ll probably end up banned. 2: Half of them wouldn’t reply.

What then? Hold back the order, cancel it or break the law?

Full compliance will be close to impossible.

Edit: I’ve just checked, I’m wrong about 365 days Amazon records. Trouble is you can’t look up names or address to find an order. Quite often this is the only info a customer can give us.

Seller_zMdVY1OvvxqwA
In reply to: Seller_D1ec8BvoUE8BJ’s post

But also on the ICO website it says there are 6 lawful bases (A-F) for processing personal data, only 1 of which needs to apply in any instance. A) is consent. B) is Contract: “the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.”
If we are processing the data because of a contract with the customer to ship the goods, we apparently do not need their explicit consent to process their data.
