The EU Data Protection Directive refers to the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (also known as Directive 95/46/EC). Broadly, this Directive sets out a number of data protection requirements, which apply when personal data is being processed.
The Standard Contractual Clauses (also known as "model clauses") are a set of standard provisions defined and approved by the European Commission that can be used to enable personal data to be transferred in a compliant way by a data controller to a data processor outside the European Economic Area.
The Article 29 Working Party was set up under the EU Data Protection Directive of the European Parliament and of the Council. It is made up of representatives from the data protection authorities of all the EU Member States as well as from the European Commission. The Article 29 Working Party works to harmonise the application of data protection rules throughout the EU and also advises the EU Commission on the adequacy of data protection standards in non-EU countries.
The Article 29 Working Party has approved the AWS Data Processing Agreement which includes the Model Clauses. The Article 29 Working Party has found that the AWS Data Processing Agreement meets the requirements of the Directive with respect to Model Clauses. This means that the AWS Data Processing Agreement is not considered “ad hoc”. For more detail on the approval of the AWS Data Processing Agreement from the Article 29 Working Party, please visit: http://www.cnpd.public.lu/en/actualites/international/2015/03/AWS/index.html
The Luxembourg Data Protection Authority (the CNPD) acted as the lead authority on behalf of the Article 29 Working Party, in accordance with the procedure of the Article 29 Working Party.
For more information on how customers can enter into the AWS Data Processing Addendum, please visit here (sign-in required).
AWS customers that collect and store personal information in the Cloud are Data Controllers in the sense of Directive 95/46/EC.
More information about the role of the customer and AWS can be found in the section “Data Protection in the EU The Directive” in the AWS "Whitepaper on EU Data Protection".
AWS maintains certification with robust security standards, such as ISO 27001, SOC 1/2/3 and PCI DSS Level 1. We operate a shared responsibility model in the Cloud, under which AWS is responsible for the security of the underlying Cloud infrastructure (Security of the Cloud) and customers are responsible for the security of their data and applications (Security in the Cloud). AWS has teams of Solutions Architects, Account Managers, Consultants, Trainers and other staff in the EU expertly trained on cloud security and compliance to assist AWS customers in achieving high levels of security and compliance in the Cloud, following Cloud Security Best Practices. AWS also helps customers meet local security standards. For example, AWS, alongside auditor TÜV TRUST IT, has published a Customer Certification Workbook that provides guidance on achieving German BSI IT Grundschutz compliance in the Cloud.
AWS data centers are built in clusters in various countries around the world. We refer to each of our data center clusters in a given country as a "Region." Customers have access to eleven AWS Regions around the globe, including two Regions in the EU – Ireland (Dublin) and Germany (Frankfurt). Customers can choose to use one Region, all Regions or any combination of Regions.
AWS customers choose the AWS Region(s) where their content will be stored. This allows customers with specific geographic requirements to establish environments in the location(s) of their choice. For example, AWS customers in Europe can choose to deploy their AWS services exclusively in one of the Regions in the EU (Germany or Ireland). If the customer elects to do so, their content will be stored in Germany or Ireland, as they choose, unless the customer explicitly chooses to move or replicate their content to a different AWS Region.
Customers can replicate and back up content in more than one Region, but AWS does not move customer content outside of the customer’s chosen Region(s), except to provide services as requested by customers or comply with applicable law.