General Data Protection Regulation (GDPR) Center

GDPR compliance when using AWS services

The European Union’s General Data Protection Regulation (GDPR) protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data. The GDPR includes robust requirements that raise and harmonize standards for data protection, security, and compliance. Please review our GDPR FAQs below for more information.

AWS customers can use all AWS services to process personal data (as defined in the GDPR) that is uploaded to the AWS services under their AWS accounts (customer data) in compliance with the GDPR. In addition to our own compliance, AWS is committed to offering services and resources to our customers to help them comply with the GDPR requirements that may apply to their activities. New features are launched regularly, and AWS has 500+ features and services focused on security and compliance. For more information on what AWS is doing, read our blog post How AWS is helping EU customers navigate the new normal for data protection.

Customer control

Customers have control of their customer data. With AWS, customers can:

  • Determine where their customer data will be stored, including the type of storage and geographic region of that storage.
  • Choose the secured state of their customer data. We offer customers strong encryption for customer data in transit or at rest, and we provide customers with the option to manage their own encryption keys.
  • Manage access to their customer data and AWS services and resources through users, groups, permissions and credentials that customers control.

Transfers outside the European Economic Area (EEA)

AWS customers can continue to use AWS services to transfer customer data from the EEA to non-EEA countries that have not received an adequacy decision from the European Commission (including the United States) in compliance with the GDPR. At AWS, our highest priority is securing customer data, and we implement rigorous technical and organizational measures to protect its confidentiality, integrity, and availability, regardless of which AWS Region the customer has selected. We know that transparency matters to our customers. We list the AWS services that involve a data transfer of customer data on our Privacy Features webpage.

As the regulatory and legislative landscape evolves, we will always work to ensure that our customers can continue to enjoy the benefits of AWS services wherever they operate. Please see our customer update on the EU-US Privacy Shield and our blog posts on the Supplementary Addendum to the AWS Data Processing Addendum and the CISPE Data Protection Code of Conduct for additional information.

GDPR resources

  • Navigating GDPR Compliance on AWS (whitepaper)
  • What you need to know about Brexit and AWS
  • AWS Security Blog Posts on GDPR
  • Privacy Features of AWS Services

GDPR FAQs

Overview and GDPR basics


  • The General Data Protection Regulation (GDPR) is a European privacy law that became enforceable on May 25, 2018. The GDPR replaced the EU Data Protection Directive, also known as Directive 95/46/EC, and was intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.

  • The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU individuals in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person, including names, email addresses and phone numbers.

  • AWS acts as both a data processor and a data controller under the GDPR.

    • AWS as a data processor – When customers use AWS services to process personal data in the content they upload to the AWS services, AWS acts as a data processor. Customers can use the controls available in AWS services, including security configuration controls, for the handling of personal data. Under these circumstances, the customer may act as a data controller or data processor itself, and AWS acts as a data processor or sub-processor. AWS offers a GDPR-compliant AWS Data Processing Addendum (AWS DPA) that incorporates AWS’s commitments as data processor. The AWS DPA, which includes Standard Contractual Clauses, is part of the AWS Service Terms and is automatically available for all customers who require this to comply with the GDPR.
    • AWS as a data controller – When AWS collects personal data and determines the purposes and means of processing that personal data – for example, when AWS stores account information (e.g. email addresses provided during the account registration) for account registration, administration, services access, or contact information for the AWS account to provide assistance through customer support activities – it acts as a data controller. Please see the AWS Privacy Notice for details on how AWS processes personal data as a controller.
  • The Standard Contractual Clauses (SCCs) are a pre-approved data transfer mechanism under the GDPR, applicable in all EU Member States, which enable the lawful transfer of personal data to countries outside of the European Economic Area that have not received an adequacy decision from the European Commission (third countries).

  • The AWS Service Terms include the SCCs adopted by the European Commission (EC) in June 2021, and the AWS DPA confirms that the SCCs will apply automatically whenever an AWS customer uses AWS services to transfer customer data to countries outside of the European Economic Area that have not received an adequacy decision from the EC (third countries). The few customers that have signed an AWS DPA can continue to rely on that AWS DPA because the new SCCs in the AWS Service Terms replace the previous version of the SCCs. Customers can therefore be comfortable that any customer data they transfer to third countries using AWS services has the same high level of protection that customer data receives in the EEA. For more information, please see the blog post on the implementation of the new Standard Contractual Clauses.

AWS and GDPR compliance following the Schrems II ruling and EDPB Recommendations


  • On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a ruling regarding the transfer of personal data of EU individuals outside the EEA (Schrems II). In Schrems II, the CJEU ruled that the EU-US Privacy Shield was no longer a valid mechanism to transfer personal data from the EEA to the US. However, in the same ruling, the CJEU confirmed that companies can (subject to implementing supplementary measures, if required) continue to use Standard Contractual Clauses as a valid mechanism for transferring personal data outside of the EEA. The European Data Protection Board (EDPB), a European body composed of representatives of the national data protection authorities, has since provided a non-exhaustive list of supplementary measures in its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (EDPB Recommendations).

    The EDPB Recommendations provide data exporters with examples of supplementary measures that could be put in place. See FAQ “Can I continue to use AWS services following the Schrems II judgement?” below for details on AWS’s data transfer resources.

  • Yes, AWS customers can continue to use AWS services to transfer customer data from Europe to countries outside the EEA who have not received an adequacy decision from the European Commission. The Schrems II ruling validated the use of Standard Contractual Clauses (SCCs) as a mechanism for transferring customer data outside the EEA and AWS customers can continue to rely on the SCCs for any transfer of customer data outside the EEA in compliance with GDPR.

    • Processing location. Customers select the AWS Region in which their customer data will be stored. An overview of available AWS Regions can be found under Regions and Availability Zones. AWS will not process customer data outside the customer’s selected AWS Region unless it is necessary for the purpose of providing the AWS services initiated by the customer, or as necessary to comply with the law or a binding order of a governmental body. Please see our Privacy Features webpage to find out more on data transfers as part of AWS services.
    • Sub-processors. AWS may use sub-processors, i.e. AWS affiliates or third parties to assist with the processing of customer data, to fulfil our obligations to customers under the AWS DPA, or to provide services on our behalf. See FAQ “Does AWS use sub-processors to process customer data?” below for details.
    • Transfer tools. Since the Schrems II ruling has validated the use of SCCs as a mechanism for transferring data to countries outside the EEA who have not received an adequacy decision from the European Commission, our customers can continue to rely on the SCCs included in the AWS DPA if they choose to transfer their data outside the EEA in compliance with the GDPR.
    • Supplementary measures.
      • Customer control. Customers have ownership and control over their customer data at all times through simple, yet powerful, tools that enable them to determine where their customer data will be stored, secure their customer data in transit and at rest, and manage user access to their AWS resources and modify, delete and retrieve customer data.
      • Technical and organizational measures. AWS implements responsible and sophisticated technical and physical controls and processes designed to prevent unauthorized access to or disclosure of customer data (visit the AWS Compliance webpage for more information). We also provide a number of advanced encryption and key management services (including services which allow customers to manage their own keys) that customers can use to protect their customer data both in transit and at rest; encrypted customer data is rendered inaccessible without the applicable decryption keys. Regardless of whether customer data is encrypted or unencrypted, we will always work vigilantly to protect customer data from any unauthorized access.
      • Law enforcement requests. AWS has internal processes to deal with requests that we receive from law enforcement. When we receive a request for customer data from law enforcement, we carefully examine it to authenticate accuracy and to verify that it is appropriate and complies with all applicable laws. Unless legally prohibited from doing so, AWS notifies customers before disclosing customer data so that customers can take further steps to seek protection from disclosure. In the Supplementary Addendum to the AWS DPA (Supplementary Addendum), AWS makes strengthened contractual commitments in relation to dealing with government requests for customer data, including by committing to (i) use every reasonable effort to redirect any governmental body requesting customer data to the relevant customer, (ii) promptly notify the request to the customer if legally permitted to do so (including by using all reasonable and lawful efforts to obtain a waiver of prohibition if necessary), (iii) challenge any overbroad or inappropriate request, including where the request conflicts with EU law, and (iv) if, after exhausting the steps described above, AWS still remains compelled to disclose customer data in response to a governmental request, to disclose only the minimum amount of customer data necessary to satisfy the request.
      • Contractual measures. AWS makes several contractual commitments to the measures described above that are reflected in the AWS DPA and the Supplementary Addendum. The AWS DPA and the Supplementary Addendum include contractual commitments from AWS concerning (1) customer’s selection of AWS Regions in which customer data is stored and processed, (2) both the technical and organizational measures that AWS has implemented to protect the AWS infrastructure and the technical organizational measures that customers may choose to apply to protect their customer data, (3) AWS’s measures to protect customer data and inform the customer in case of a data disclosure request from a governmental body, and (4) AWS’s ability to fulfil its obligations set forth in the AWS DPA in compliance with legislation applicable in a third country in which customer data is processed. The Supplementary Addendum also addresses (5) the statutory rights of individuals to claim for compensation in case of a violation of their rights granted by the GDPR.
  • Yes, AWS may use three types of sub-processors: (1) AWS entities that provide the infrastructure on which the AWS services run; (2) AWS entities that support specific AWS services which may require these entities to process customer data; and (3) third parties that AWS has contracted with to provide processing activities for specific AWS services. The AWS Sub-processors webpage provides more information about the sub-processors that AWS engages in accordance with the AWS DPA, to provide processing activities on customer data on behalf of customers. Sub-processors relevant to an individual customer will depend on the AWS Region the customer selects and the particular AWS services that the customer uses.

  • The AWS whitepaper, Navigating Compliance with EU Data Transfer Requirements, provides information about the services and resources that AWS offers customers to help them conduct data transfer assessments in light of the Schrems II ruling, and subsequent recommendations from the European Data Protection Board. The whitepaper also describes the key supplementary measures taken and made available by AWS to protect customer data.

  • AWS offers helpful information to customers, including several compliance reports from third-party auditors who have verified our compliance with a variety of security standards and regulations, to demonstrate the high levels of compliance AWS maintains for its infrastructure. These reports show our customers that we are protecting the customer data they choose to process on AWS. Examples include AWS' ISO 27001, 27017, and 27018 compliance. ISO 27018 contains security controls that focus on the protection of customer data.

    AWS is also compliant with the CISPE Code of Conduct for data protection. More information on the CISPE Code of Conduct can be found in the FAQ below, "Does AWS comply with a GDPR approved Code of Conduct specific to cloud infrastructure services?"

  • Yes. As of June 2023, 107 AWS services are compliant with the Cloud Infrastructure Services Providers in Europe (CISPE) Data Protection Code of Conduct. CISPE is a coalition of cloud computing leaders serving millions of European customers. The CISPE Data Protection Code of Conduct (CISPE Code), is the first pan-European data protection code of conduct focused on cloud infrastructure services providers. The CISPE Code was approved by the European Data Protection Board, acting on behalf of the 27 data protection authorities across Europe, and formally adopted by the French Data Protection Authority (CNIL), acting as the lead supervisory authority. In 2017 AWS announced its compliance with an earlier version of the CISPE Code.

    The CISPE Code helps customers ensure that their cloud infrastructure service provider offers appropriate operational assurances to demonstrate compliance with the GDPR and protect customer data. A few key benefits of the CISPE Code include:

    • Cloud infrastructure focused: Clarifying the role of the cloud infrastructure service provider under GDPR with regard to the processing of customer data – that is, any personal data processed on behalf of the customer using the cloud infrastructure service.
    • Data in Europe: Requires cloud infrastructure service providers to give customers the choice to use services to store and process customer data exclusively in the European Economic Area (EEA).
    • Data privacy: The CISPE Code assures organizations that their cloud infrastructure service provider meets the requirements applicable to personal data processed on their behalf (customer data) under the GDPR.

    The Certificate of Compliance that illustrates AWS compliance status is available on the CISPE Public Register. Listed AWS services have been independently verified as complying with the CISPE Code. The verification process was conducted by Ernst & Young CertifyPoint (EY CertifyPoint), an independent, globally recognized monitoring body accredited by CNIL.

Technical and organizational measures


  • The GDPR does not change the AWS shared responsibility model, which continues to be relevant for customers. The shared responsibility model is a useful approach to illustrate the different responsibilities of AWS (as a data processor or sub-processor) and customers (as either data controllers or data processors) under the GDPR.

    Under the shared responsibility model, AWS is responsible for securing the underlying infrastructure that supports AWS services (“security of the cloud”), and customers, acting either as data controllers or data processors, are responsible for any personal data they upload to AWS services (“security in the cloud”).

    AWS responsibility, “security of the cloud” - AWS is responsible for protecting the global infrastructure that runs all of the AWS services. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services, which provide powerful controls to customers, including security configuration controls, for the handling of customer content. AWS provides several compliance reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations (for more information, visit the AWS Compliance webpage). These reports show our customers that we are protecting their customer data. Examples include AWS’ ISO 27001, 27017, and 27018 compliance. ISO 27018 contains security controls that focus on the protection of customer data.

    Customer responsibility, “security in the cloud” - AWS customers are responsible for architecting and securing the applications and solutions they elect to deploy on AWS services. AWS customers are also responsible for configuring the AWS services in a way that protects the confidentiality, integrity and security needs of their customer data. The specific responsibilities customers have to secure their customer data vary depending on the AWS services customers elect to use and how those services are integrated into customers’ IT environments. AWS customers have visibility and control over their customer data and can implement flexible security controls based on the sensitivity of the specific type of customer data. Customers can do this by using their own security measures and tools, or by using the security measures and tools made available by AWS or other suppliers. In this way, customers can put in place additional layers of security for more sensitive customer data.

    AWS makes available products, tools and services that customers can use to architect and secure their applications and solutions and that can be deployed to help handle the requirements of GDPR, including:

    • AWS Identity and Access Management (IAM) enables organizations to manage access to AWS services and resources securely. Using IAM, customers can create and manage AWS users and groups as well as use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
    • AWS CloudTrail allows organizations to log, continuously monitor, and retain information about account activity related to actions in AWS, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
    • Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads. It monitors for activity that can indicate a possible account compromise, such as unusual API calls or potentially unauthorized deployments. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
    • Amazon Macie is a machine learning tool to assist discovery and classification of personal data stored in Amazon S3.

    Please see our whitepaper, Navigating GDPR Compliance on AWS, for further details on how to use AWS resources in compliance with the GDPR.

  • Yes, you can search for “GDPR” in the AWS Partner Solutions Finder to help find ISVs, MSPs, and SI partners that have products and services to help with GDPR compliance. Customers can also search for “GDPR” solutions on AWS Marketplace.

  • Yes, the AWS Security Assurance Services team has a number of activities to help customers on their journey to GDPR compliance. This team of industry certified compliance professionals helps customers achieve, maintain, and automate compliance in the cloud by tying together applicable compliance standards to AWS service specific features and functionality. More details on how AWS Professional Services Consultants are helping customers can be found here.

  • Customers can use AWS Support to receive technical guidance to help them on their road to GDPR compliance. As part of this activity we have teams of Cloud Support Engineers and Technical Account Managers (TAMs) that are trained to help identify and mitigate compliance risks. The level of support AWS provides depends on the AWS Support Plan that customers choose. Customers looking to understand how AWS Premium Support can help them can find more information in the AWS Support Center, available through the AWS Management Console, by using the contact details specified in the Enterprise Support Agreement entered into with AWS, or by visiting the AWS Support webpage. Customers with Enterprise Support should reach out to their TAM with GDPR related questions.

    Customers may find the following two programs useful as they pursue GDPR compliance:

    • Cloud Operations Review – Available to AWS Enterprise Support customers, this program is designed to help identify gaps in their approach to operating in the cloud. Originating from a set of operational best practices distilled from AWS’ experience with a large set of representative customers, this program provides a review of cloud operations and the associated management practices, which can help organizations in their journey to GDPR compliance. The program uses a four-pillared approach with a focus on preparing, monitoring, operating, and optimizing cloud-based systems in pursuit of operational excellence.
    • Well-Architected Review – This program allows organizations to measure their architecture against AWS best practices and to construct architectures that are secure, reliable, high performing, and cost-effective. Well-Architected Reviews also allow customers to understand where they have risks in their architecture and address them before applications are put into production.

  • AWS has a security incident monitoring and data breach notification process in place and will notify customers of breaches of AWS’s security without undue delay and in accordance with the AWS DPA. AWS also gives customers a number of tools to understand who has access to their resources, when, and from where. One of these tools is AWS CloudTrail, which enables governance, compliance, operational auditing, and risk auditing of an AWS account. With AWS CloudTrail, customers can log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure. This helps organizations understand what is happening with their AWS infrastructure and take action on any unusual activity immediately. For more information on other security tools AWS gives customers to help meet their obligations as data controllers under the GDPR, visit the AWS Cloud Security webpage.

  • AWS gives customers and APN Partners a number of tools to secure their customer data and help protect against cyber-attacks. One such tool is AWS Shield. This is a managed Distributed Denial of Service (DDoS) protection service to safeguard websites and applications running on AWS. AWS Shield Standard is available at no additional charge and provides always-on detection and automatic inline mitigations that can minimize application downtime and latency. For higher levels of protection against attacks targeting web applications running on AWS and using ELB, Amazon CloudFront, and Amazon Route 53 resources, customers and APN Partners can subscribe to AWS Shield Advanced. AWS also publishes and routinely updates AWS Best Practices for DDoS Resiliency that can help customers use AWS to build applications resilient to DDoS attacks.

    Other tools AWS has to help protect customer data against cyber-attacks include:

    • AWS Identity and Access Management (IAM) enables organizations to manage access to AWS services and resources securely. Using IAM, customers and APN Partners can create and manage AWS users and groups as well as use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
    • AWS Config allows customers and APN Partners to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state.
    • AWS CloudTrail allows organizations to log, continuously monitor, and retain information about account activity related to actions in AWS, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
    • Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads. It monitors for activity that can indicate a possible account compromise, such as unusual API calls or potentially unauthorized deployments. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.

  • Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your personal data in AWS. As organizations manage growing volumes of data, identifying and protecting their personal data at scale can become increasingly complex, expensive, and time-consuming. Amazon Macie automates the discovery of personal data at scale and lowers the cost of protecting your data. Macie automatically provides an inventory of Amazon S3 buckets, including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to personal data.

    Amazon Macie is certified to internationally recognized standards, such as ISO 27017 for cloud security and ISO 27018 for cloud privacy. Customers and APN Partners can also use Macie to continuously monitor access to their data in order to detect suspicious activity based on access patterns.

  • To help customers with GDPR compliance, AWS has a number of tools to control access to personal data contained in their content on AWS. These tools include:

    • Security by default means AWS services are designed to be secure by default. If the default configuration is used, access to resources is locked down to just the account owner and root administrator.
    • AWS Identity and Access Management (IAM) enables customers to manage access to AWS services and resources securely. Using IAM, organizations can create and manage AWS users and groups as well as use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
    • AWS Multi-Factor Authentication adds an extra layer of protection on top of an AWS account’s user name and password. AWS gives customers the option of virtual and hardware MFA devices.
    • AWS Directory Service allows customers to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience.
    • AWS Config allows customers to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state.
    • AWS CloudTrail allows customers to log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
    • Amazon Macie uses machine learning to help customers prevent data loss by automatically discovering, classifying, and protecting sensitive data in AWS. This fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks – such as sensitive data that a customer has accidentally made externally accessible.
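
The bucket inventory conditions the Macie answers above describe (no default encryption, public accessibility, sharing with accounts outside the organization) can be checked in a few lines over any exported bucket configuration. The following is an added example, not AWS's or Macie's own code: the record layout, the organization account IDs, the principal ARNs and the sample inventory are all constructed for illustration.

```python
"""Audit a constructed S3 bucket inventory for the three exposure conditions
described in the text (no default encryption, public access, sharing with
accounts outside the organization).  Hypothetical example: the record
format and the account IDs are assumptions, not Macie's own data model."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: the AWS account IDs that belong to the organization.
ORG_ACCOUNTS = {"111111111111", "222222222222"}


@dataclass
class Bucket:
    name: str
    default_encryption: Optional[str]   # "AES256", "aws:kms" or None
    block_public_access: bool           # all four Block Public Access flags on
    policy_principals: List[str] = field(default_factory=list)  # principals the bucket policy grants


def account_of(principal: str) -> str:
    """Return the account ID of an IAM principal ARN, or '*' for the wildcard."""
    if principal == "*":
        return "*"
    # ARN layout: arn:partition:service:region:account-id:resource
    parts = principal.split(":")
    if len(parts) < 6 or not parts[4]:
        raise ValueError(f"unrecognized principal: {principal}")
    return parts[4]


def audit_bucket(bucket: Bucket, org_accounts=ORG_ACCOUNTS) -> List[str]:
    """Return the findings for one bucket (empty list when it is clean)."""
    findings = []
    if bucket.default_encryption not in ("AES256", "aws:kms"):
        findings.append("UNENCRYPTED")
    accounts = {account_of(p) for p in bucket.policy_principals}
    # A wildcard principal only makes the bucket public when Block Public Access is off.
    if "*" in accounts and not bucket.block_public_access:
        findings.append("PUBLIC")
    external = sorted(a for a in accounts if a != "*" and a not in org_accounts)
    if external:
        findings.append("SHARED_OUTSIDE_ORG:" + ",".join(external))
    return findings


def audit_inventory(buckets, org_accounts=ORG_ACCOUNTS) -> dict:
    """Map bucket name -> findings, keeping only buckets with at least one finding."""
    report = {}
    for b in buckets:
        findings = audit_bucket(b, org_accounts)
        if findings:
            report[b.name] = findings
    return report


# Constructed sample inventory: one clean bucket, one public and unencrypted,
# one shared with an account that is not in the organization.
SAMPLE_INVENTORY = [
    Bucket("app-logs", "aws:kms", True, ["arn:aws:iam::111111111111:root"]),
    Bucket("public-assets", None, False, ["*"]),
    Bucket("partner-exchange", "AES256", True,
           ["arn:aws:iam::222222222222:root", "arn:aws:iam::333333333333:root"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Running it reports public-assets as UNENCRYPTED and PUBLIC and partner-exchange as shared outside the organization, while app-logs produces no finding. In practice the Bucket records would be filled from the bucket encryption, public access block and policy configuration of each bucket rather than typed in.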
       
  • AWS offers customers and APN Partners the ability to add an additional layer of security to their customer data at rest in the cloud and help them meet their security of processing obligations as data controllers under the GDPR. Encryption tools available on AWS include:

     
    In addition, AWS provides APIs for customers and APN Partners to integrate encryption and data protection with any of the services they develop or deploy in an AWS environment.
  • AWS provides specific features and services which help customers to meet requirements of the GDPR:

    Access Control: Allow only authorized administrators, users and applications access to AWS resources

    • Multi-Factor-Authentication (MFA)
    • Fine-grained access to objects in Amazon S3 buckets, Amazon SQS, Amazon SNS and others
    • API request authentication
    • Geo-Restrictions
    • Temporary access tokens through AWS Security Token Service

    Monitoring and Logging: Get an overview about activities on your AWS resources

    Encryption: Encrypt Data on AWS

    • Encryption of your data at rest with AES-256 (EBS/S3/Glacier/RDS)
    • Centrally managed key management (per AWS Region)
    • IPsec tunnels into AWS with the VPN-Gateways
    • Dedicated HSM modules in the cloud with AWS CloudHSM
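
The Access Control and Encryption items above (MFA, fine-grained S3 access, encryption at rest) are usually enforced on a bucket through explicit Deny statements in its bucket policy. The following is an added example, not AWS's own code or documentation: it checks whether a policy document carries the deny conditions for TLS-only transport, server-side encryption on upload, a region restriction and MFA for deletes, and shows a weak policy beside a hardened one. The condition keys are real IAM keys; the bucket name, account ID, role name and allowed regions are constructed.

```python
"""Check whether an S3 bucket policy enforces four controls from the text:
TLS in transit, server-side encryption on upload, a region restriction and
MFA for deletes.  Added example; the policies and ARNs are constructed."""
from typing import List

# Constructed bucket and allowed-region values.
BUCKET_ARN = "arn:aws:s3:::example-eu-data"
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _deny_statements(policy: dict):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Deny"]


def _has_deny(policy: dict, operator: str, key: str, action_substring=None) -> bool:
    """True if some Deny statement carries Condition[operator][key]
    (and, when given, names an action containing action_substring)."""
    for s in _deny_statements(policy):
        cond = s.get("Condition", {}).get(operator, {})
        if key not in cond:
            continue
        actions = _as_list(s.get("Action", []))
        if action_substring is None or any(action_substring in a for a in actions):
            return True
    return False


# control name -> (condition operator, condition key, required action fragment)
CONTROLS = {
    "tls_only":          ("Bool",            "aws:SecureTransport",             None),
    "sse_required":      ("StringNotEquals", "s3:x-amz-server-side-encryption", "PutObject"),
    "region_restricted": ("StringNotEquals", "aws:RequestedRegion",             None),
    "mfa_for_delete":    ("BoolIfExists",    "aws:MultiFactorAuthPresent",      "DeleteObject"),
}


def missing_controls(policy: dict) -> List[str]:
    """Return the names of the controls the policy does not enforce."""
    return [name for name, (op, key, action) in CONTROLS.items()
            if not _has_deny(policy, op, key, action)]


# Weak policy: grants access but never denies insecure use.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},  # constructed
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": f"{BUCKET_ARN}/*",
    }],
}

# Hardened policy: the same grant plus an explicit Deny for each control.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
        {"Sid": "DenyOutsideAllowedRegions", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}},
        {"Sid": "DenyDeleteWithoutMFA", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: missing {missing_controls(policy) or 'nothing'}")
```

The checker only looks for the presence of the Deny conditions, which is what a quick audit needs; it does not simulate full IAM evaluation, so a policy that passes here should still be exercised with test requests (for example an HTTP upload without the encryption header) before it is relied on. Explicit Deny statements are used because they override any Allow, in this bucket policy or in the principal's identity policy.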

    Strong Compliance Framework and Security Standards: We demonstrate compliance with rigorous international standards, such as:

AWS and the UK GDPR


AWS and the Swiss Federal Data Protection Act


Contact


  • We recommend that customers with questions regarding the GDPR contact their AWS account manager first. If customers have signed up for Enterprise Support, they can reach out to their Technical Account Manager (TAM) as well. TAMs work with Solutions Architects to help customers identify potential risks and potential mitigations. TAMs and account teams can also point customers and APN Partners to specific resources based on their environment and needs.
     

    AWS also has teams of Enterprise Support Representatives, Professional Services Consultants, and other staff to help with GDPR questions. You can contact us with questions here.
