General Data Protection Regulation (GDPR) Center

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a ruling regarding the transfer of personal data of EU individuals outside the EEA (Schrems II). In Schrems II, the CJEU ruled that the EU-US Privacy Shield was no longer a valid mechanism to transfer personal data from the EEA to the US. However, in the same ruling, the CJEU confirmed that companies can (subject to implementing supplementary measures, if required) continue to use Standard Contractual Clauses as a valid mechanism for transferring personal data outside of the EEA. The European Data Protection Board (EDPB), a European body composed of representatives of the national data protection authorities, has since provided a non-exhaustive list of supplementary measures in its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (EDPB Recommendations).

The EDPB Recommendations provide data exporters with examples of supplementary measures that could be put in place. See FAQ “Can I continue to use AWS services following the Schrems II judgement?" below for details on AWS’s data transfer resources.

Yes, AWS customers can continue to use AWS services to transfer customer data from Europe to countries outside the EEA who have not received an adequacy decision from the European Commission. The Schrems II ruling validated the use of Standard Contractual Clauses (SCCs) as a mechanism for transferring customer data outside the EEA and AWS customers can continue to rely on the SCCs for any transfer of customer data outside the EEA in compliance with GDPR.

• Processing location. Customers select the AWS Region in which their customer data will be stored. An overview of available AWS Regions can be found under Regions and Availability Zones. AWS will not process customer data outside the customer’s selected AWS Region unless it is necessary for the purpose of providing the AWS services initiated by the customer, or as necessary to comply with the law or a binding order of a governmental body. Please see our Privacy Features webpage to find out more on data transfers as part of AWS services.
• Sub-processors. AWS may use sub-processors, i.e. AWS affiliates or third parties to assist with the processing of customer data, to fulfil our obligations to customers under the AWS DPA, or to provide services on our behalf. See FAQ “Does AWS use sub-processors to process customer data?” below for details.
• Transfer tools. Since the Schrems II ruling has validated the use of SCCs as a mechanism for transferring data to countries outside the EEA who have not received an adequacy decision from the European Commission, our customers can continue to rely on the SCCs included in the AWS DPA if they choose to transfer their data outside the EEA in compliance with the GDPR.
• Supplementary measures.
  • Customer control. Customers have ownership and control over their customer data at all times through simple, yet powerful, tools that enable them to determine where their customer data will be stored, secure their customer data in transit and at rest, and manage user access to their AWS resources and modify, delete and retrieve customer data.
  • Technical and organizational measures. AWS implements responsible and sophisticated technical and physical controls and processes designed to prevent unauthorized access to or disclosure of customer data (visit the AWS Compliance webpage for more information). We also provide a number of advanced encryption and key management services (including services which allow customers to manager their own keys) that customers can use to protect their customer data both in transit and at rest - encrypted customer data is rendered inaccessible without the applicable decryption keys. Regardless of whether customer data is encrypted or unencrypted, we will always work vigilantly to protect customer data from any unauthorized access.
  • Law enforcement requests. AWS has internal processes to deal with requests that we receive from law enforcement. When we receive a request for customer data from law enforcement, we carefully examine it to authenticate accuracy and to verify that it is appropriate and complies with all applicable laws. Unless legally prohibited from doing so, AWS notifies customers before disclosing customer data so that customers can take further steps to seek protection from disclosure. In the Supplementary Addendum to the AWS DPA (Supplementary Addendum), AWS makes strengthened contractual commitments in relation to dealing with government requests for customer data, including by committing to (i) use every reasonable effort to redirect any governmental body requesting customer data to the relevant customer, (ii) promptly notify the request to the customer if legally permitted to do so (including by using all reasonable and lawful efforts to obtain a waiver of prohibition if necessary), (iii) challenge any overbroad or inappropriate request, including where the request conflicts with EU law, and (iv) if, after exhausting the steps described above, AWS still remains compelled to disclose customer data in response to a governmental request, to disclose only the minimum amount of customer data necessary to satisfy the request.
  • Contractual measures. AWS makes several contractual commitments to the measures described above that are reflected in the AWS DPA and the Supplementary Addendum. The AWS DPA and the Supplementary Addendum include contractual commitments from AWS concerning (1) customer’s selection of AWS Regions in which customer data is stored and processed, (2) both the technical and organizational measures that AWS has implemented to protect the AWS infrastructure and the technical organizational measures that customers may choose to apply to protect their customer data, (3) AWS’s measures to protect customer data and inform the customer in case of a data disclosure request from a governmental body, and (4) AWS’s ability to fulfil its obligations set forth in the AWS DPA in compliance with legislation applicable in a third country in which customer data is processed. The Supplementary Addendum also addresses (5) the statutory rights of individuals to claim for compensation in case of a violation of their rights granted by the GDPR.

Yes, AWS may use three types of sub-processors: (1) AWS entities that provide the infrastructure on which the AWS services run; (2) AWS entities that support specific AWS services which may require these entities to process customer data; and (3) third parties that AWS has contracted with to provide processing activities for specific AWS services. The AWS Sub-processors webpage provides more information about the sub-processors that AWS engages in accordance with the AWS DPA, to provide processing activities on customer data on behalf of customers. Sub-processors relevant to an individual customer will depend on the AWS Region the customer selects and the particular AWS services that the customer uses.

The AWS whitepaper, Navigating Compliance with EU Data Transfer Requirements, provides information about the services and resources that AWS offers customers to help them conduct data transfer assessments in light of the Schrems II ruling, and subsequent recommendations from the European Data Protection Board. The whitepaper also describes the key supplementary measures taken and made available by AWS to protect customer data.

AWS offers helpful information to customers, including several compliance reports from third-party auditors, who have verified our compliance with a variety of security standards and regulations, to prove the high levels of compliance AWS maintains for its infrastructure. These reports show our customers, that we are protecting their customer data they choose to process on AWS. Examples of this include AWS' ISO 27001, 27017, and 27018 compliance. ISO 27018 contains security controls that focuses on protection of customer data.

AWS is also compliant with the CISPE Code of Conduct for data protection. More information on the CISPE Code of Conduct can be found in the FAQ below, "Does AWS comply with a GDPR approved Code of Conduct specific to cloud infrastructure services?"

Yes. As of June 2023, 107 AWS services are compliant with the Cloud Infrastructure Services Providers in Europe (CISPE) Data Protection Code of Conduct. CISPE is a coalition of cloud computing leaders serving millions of European customers. The CISPE Data Protection Code of Conduct (CISPE Code), is the first pan-European data protection code of conduct focused on cloud infrastructure services providers. The CISPE Code was approved by the European Data Protection Board, acting on behalf of the 27 data protection authorities across Europe, and formally adopted by the French Data Protection Authority (CNIL), acting as the lead supervisory authority. In 2017 AWS announced its compliance with an earlier version of the CISPE Code.

The CISPE Code helps customers ensure that their cloud infrastructure service provider offers appropriate operational assurances to demonstrate compliance with the GDPR and protect customer data. A few key benefits of the CISPE Code include:

• Cloud infrastructure focused: Clarifying the role of the cloud infrastructure service provider under GDPR with regard to the processing of customer data – that is, any personal data processed on behalf of the customer using the cloud infrastructure service.
• Data in Europe: Requires cloud infrastructure service providers to give customers the choice to use services to store and process customer data exclusively in the European Economic Area (EEA).
• Data privacy: The CISPE Code assures organizations that their cloud infrastructure service providers meets the requirements applicable to personal data processed on their behalf (customer data) under the GDPR.

The Certificate of Compliance that illustrates AWS compliance status is available on the CISPE Public Register. Listed AWS services have been independently verified as complying with the CISPE Code. The verification process was conducted by Ernst & Young CertifyPoint (EY CertifyPoint), an independent, globally recognized monitoring body accredited by CNIL.

The GDPR does not change the AWS shared responsibility model, which continues to be relevant for customers. The shared responsibility model is a useful approach to illustrate the different responsibilities of AWS (as a data processor or sub-processor) and customers (as either data controllers or data processors) under the GDPR.

Under the shared responsibility model, AWS is responsible for securing the underlying infrastructure that supports AWS services (“Security “OF” the cloud”), and customers, acting either as data controllers or data processors, are responsible for any personal data they upload to AWS services (“Security “IN” the cloud”).

AWS responsibility "Security of the cloud" - AWS is responsible for protecting the global infrastructure that runs all of the AWS services. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services, which provide powerful controls to customers, including security configuration controls, for the handling of customer content. AWS provides several compliance reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations (for more information, visit the AWS Compliance webpage). These reports show our customers, that we are protecting their customer data. Examples include AWS’ ISO 27001, 27017, and 27018 compliance. ISO 27018 contains security controls that focuses on protection of customer data.

Customer responsibility “Security in the Cloud” - AWS customers are responsible for architecting and securing the application and solutions they elect to deploy on AWS services. AWS customers are also responsible for configuring the AWS services in a way that protects the confidentiality, integrity and security needs of their customer data. The specific responsibilities customers have to secure their customer data vary depending on the AWS services customers elect to use and how those services are integrated into customers’ IT environments. AWS customers have visibility and control over their customer data and can implement flexible security controls based on the sensitivity of the specific type of customer data. Customers can do this by utilizing its own security measures and tools, or by using the security measures and tools made available by AWS or other suppliers. In this way, customers can put in place additional layers of security for more sensitive customer data.

AWS makes available products, tools and services that customers can use to architect and secure their applications and solutions and that can be deployed to help handle the requirements of GDPR, including:

• AWS Identity and Access Management (IAM) enables organizations to manage access to AWS services and resources securely. Using IAM, customers can create and manage AWS users and groups as well as use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
• AWS CloudTrail allows organizations to log, continuously monitor, and retain information about account activity related to actions in AWS, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
• Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads. It monitors for activity that can indicate a possible account compromise, such as unusual API calls or potentially unauthorized deployments. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
• Amazon Macie is a machine learning tool to assist discovery and classification of personal data stored in Amazon S3.

Please see our whitepaper, Navigating GDPR Compliance on AWS, for further details on how to use AWS resources in compliance with the GDPR.

Yes, you can search for “GDPR” in the AWS Partner Solutions Finder to help find ISVs, MSPs, and SI partners that have products and services to help with GDPR compliance. Customers can also search for “GDPR” solutions on AWS Marketplace.

Yes, the AWS Security Assurance Services team has a number of activities to help customers on their journey to GDPR compliance. This team of industry certified compliance professionals helps customers achieve, maintain, and automate compliance in the cloud by tying together applicable compliance standards to AWS service specific features and functionality. More details on how AWS Professional Services Consultants are helping customers can be found here.

Customers can use AWS Support to receive technical guidance to help them on their road to GDPR compliance. As part of this activity we have teams of Cloud Support Engineers and Technical Account Managers (TAMs) that are trained to help identify and mitigate compliance risks. The level of support AWS provides depends on the AWS Support Plan that customers choose. Customers looking to understand how AWS Premium Support can help them can find more information in the AWS Support Center, available through the AWS Management Console, by using the contact details specified in the Enterprise Support Agreement entered into with AWS, or by visiting the AWS Support webpage. Customers with Enterprise Support should reach out to their TAM with GDPR related questions.

Customers may find the following two programs useful as they pursue GDPR compliance:

• Cloud Operations Review – Available to AWS Enterprise Support customers, this program is designed to help identify gaps in their approach to operating in the cloud. Originating from a set of operational best practices distilled from AWS’ experience with a large set of representative customers, this program provides a review of cloud operations and the associated management practices, which can help organizations in their journey to GDPR compliance. The program uses a four-pillared approach with a focus on preparing, monitoring, operating, and optimizing cloud-based systems in pursuit of operational excellence.
• Well-Architected Review – This program allows organizations to measure their architecture against AWS best practices and to construct architectures that are secure, reliable, high performing, and cost-effective. Well-Architected Reviews also allows customers to understand where they have risks in their architecture and address them before applications are put into production.

AWS has a security incident monitoring and data breach notification process in place and will notify customers of breaches of AWS’s security without undue delay and in accordance with the AWS DPA. AWS also gives customers a number of tools to understand who has access to their resources, when, and from where. One of these tools is AWS CloudTrail which enables governance, compliance, operational auditing, and risk auditing of an AWS account. With AWS CloudTrail, customers can log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure. This helps organizations understand what is happening with their AWS infrastructure and can take action on any unusual activity, immediately. For more information on other security tools AWS gives customers to help meet their obligations as data controllers under the GDPR, visit the AWS Cloud Security webpage.

AWS gives customers and APN Partners a number of tools to secure their customer data and help protect against cyber-attacks. One such tool is AWS Shield. This is a managed Distributed Denial of Service (DDoS) protection service to safeguard websites and applications running on AWS. AWS Shield Standard is available at no additional charge and provides always-on detection and automatic inline mitigations that can minimize application downtime and latency. For higher levels of protection against attacks targeting web applications running on AWS and using ELB, Amazon CloudFront, and Amazon Route 53 resources, customers and APN Partners can subscribe to AWS Shield Advanced. AWS also publishes and routinely updates AWS Best Practices for DDoS Resiliency that can help customers use AWS to build applications resilient to DDoS attacks.

Other tools AWS has to help protect customer data against cyber-attacks include:

• AWS Identity and Access Management (IAM) enables organizations to manage access to AWS services and resources securely. Using IAM, customers and APN Partners can create and manage AWS users and groups as well as use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
• AWS Config allows customers and APN Partners to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state.
• AWS CloudTrail allows organizations to log, continuously monitor, and retain information about account activity related to actions in AWS, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
• Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads. It monitors for activity that can indicate a possible account compromise, such as unusual API calls or potentially unauthorized deployments. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect yourpersonal data in AWS. As organizations manage growing volumes of data, identifying and protecting their personal data at scale can become increasingly complex, expensive, and time-consuming. Amazon Macie automates the discovery of personal data at scale and lowers the cost of protecting your data. Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to personal data.

Amazon Macie is certified to internationally recognized standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, and customers and APN Partners can also use Macie to continuously monitor access to their data in order to detect suspicious activity based upon access patterns.

To help customers with GDPR compliance, AWS has a number of tools to control access to personal data contained in their content on AWS. These tools include:

• Security by default means AWS services are designed to be secure by default. If the default configuration is used, access to resources is locked down to just the account owner and root administrator.
• AWS Identity and Access Management (IAM) enables customers to manage access to AWS services and resources securely. Using IAM, organizations can create and manage AWS users and groups as well as use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
• AWS Multi-Factor Authentication adds an extra layer of protection on top of an AWS account’s user name and password. AWS gives customers the option of virtual and hardware MFA devices.
• AWS Directory Service allows customers to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience.
• AWS Config allows customers to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state.
• AWS CloudTrail allows customers to log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
• Amazon Macie uses machine learning to help customers prevent data loss by automatically discovering, classifying, and protecting sensitive data in AWS. This fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks – such as sensitive data that a customer has accidentally made externally accessible.

AWS offers customers and APN Partners the ability to add an additional layer of security to their customer data at rest in the cloud and help them meet their security of processing obligations as data controllers under the GDPR. Encryption tools available on AWS include:

• Data encryption capabilities available in AWS storage and database services, such as Amazon Elastic Block Store, Amazon S3, Amazon Glacier, Amazon DynamoDB, Oracle RDS, SQL Server RDS, and Redshift
• Flexible key management options, including AWS Key Management Service, allowing the choice of whether to have AWS manage the encryption keys or enable customers to keep complete control over keys
• Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon SQS
• Dedicated, hardware-based cryptographic key storage using AWS CloudHSM, allowing customers to satisfy compliance requirements

In addition, AWS provides APIs for customers and APN Partners to integrate encryption and data protection with any of the services they develop or deploy in an AWS environment,

AWS provides specific features and services which help customers to meet requirements of the GDPR:

Access Control: Allow only authorized administrators, users and applications access to AWS resources

• Multi-Factor-Authentication (MFA)
• Fine granular access to objects in Amazon S3-Buckets/ Amazon SQS/ Amazon SNS and others
• API-Request Authentication
• Geo-Restrictions
• Temporary access tokens through AWS Security Token Service

Monitoring and Logging: Get an overview about activities on your AWS resources

• Asset Management and Configuration with AWS Config
• Compliance auditing and security analytics with AWS CloudTrail
• Identification of configuration challenges through AWS Trusted Advisor
• Fine granular logging of access to Amazon S3 objects
• Detailed information about flows in the network through Amazon VPC Flow Logs
• Rule-based configuration checks and actions with AWS Config Rules
• Filtering and monitoring of HTTP access to applications with AWS WAF functions in AWS CloudFront

Encryption: Encrypt Data on AWS

• Encryption of your data at rest with AES256 (EBS/S3/Glacier/RDS)
• Centralized managed Key Management (by AWS Region)
• IPsec tunnels into AWS with the VPN-Gateways
• Dedicated HSM modules in the cloud with AWS CloudHSM

Strong Compliance Framework and Security Standards: We demonstrate compliance with rigorous international standards, such as:

• ISO 27001 for technical measures
• ISO 27017 for cloud security
• ISO 27018 for cloud privacy
• SOC 1, SOC 2 and SOC 3, PCI DSS Level 1,
• BSI’s Common Cloud Computing Controls Catalogue (C5)
• ENS High

The GDPR is an EU regulation and post-Brexit, no longer applies to the UK.  The UK government incorporated the requirements of GDPR into UK law as the “UK GDPR”.

AWS offers a UK GDPR-compliant UK GDPR Addendum to the AWS DPA that incorporates AWS’s commitments as a data processor under the UK GDPR. The UK GDPR Addendum is part of the AWS Service Terms and applies automatically for all customers who require a data processing agreement to comply with the UK GDPR.

The UK GDPR Addendum, which is part of the AWS Service Terms, includes the SCCs adopted by the EC and the international data transfer addendum (IDTA) issued by the UK data protection regulator (the Information Commissioners Office).  The IDTA amends the SCCs to ensure they constitute an appropriate safeguard under the UK GDPR for international data transfers to countries outside of the UK that have not been recognised as providing an adequate level of protection for personal data (UK third countries). The UK GDPR Addendum confirms that the SCCs (as amended by the IDTA) will automatically apply whenever a customer uses AWS services to transfer customer data subject to the UK GDPR (UK customer data) to UK third countries.  As part of the UK GDPR Addendum in the AWS Service Terms, the SCCs (as amended by the IDTA) will apply automatically whenever a customer uses AWS services to transfer UK customer data to UK third countries.

AWS offers a Swiss Addendum to the AWS Data processing Addendum (the “Swiss Addendum”) that incorporates AWS’s commitments as data processor under the Swiss Federal Data Protection Act (the “FDPA”). The Swiss Addendum is part of the AWS Service Terms (see Section 1.14.4) and applies automatically when the FDPA applies to a customer’s use of the AWS services to process customer data.

The Swiss Addendum to the AWS Data processing Addendum which is part of the AWS Service Terms (see Section 1.14.4), includes the Standard Contractual Clauses (the “SCCs”) adopted by the European Commission and amended as required by the Swiss Federal Data Protection and Information Commissioner. The Swiss Addendum confirms that the SCCs (as amended by the Swiss Addendum) will automatically apply whenever a customer uses AWS services to transfer customer data subject to the FDPA to third countries.

We recommend that customers with questions regarding the GDPR contact their AWS account manager first. If customers have signed up for Enterprise Support, they can reach out to their Technical Account Manager (TAM) as well. TAMs work with Solutions Architects to help customers identify potential risks and potential mitigations. TAMs and account teams can also point customers and APN Partners with specific resources based on their environment and needs.

AWS also has teams of Enterprise Support Representatives, Professional Services Consultants, and other staff to help with GDPR questions. You can contact us with questions here.