AWS Security Blog

AWS Frankfurt Region Opens—AWS Highlights European Data Protection

With the AWS Frankfurt Region officially launched, we’d like to share European and data protection–specific information we’ve published to assist AWS customers who want to store content containing personal data. This information can be found in the newly released Whitepaper on EU Data Protection, a key resource available to customers who want to use AWS to store content containing personal data or who have concerns about meeting data protection requirements.

The target audience for this whitepaper is any AWS customer who operates with and stores sensitive, regulated, or personal data along with those who have concerns about their regulatory data protection requirements and how to potentially meet said requirements. The whitepaper describes how you can use AWS services in compliance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (also known as the “Directive”). 

We know the security of sensitive and regulated data is of paramount concern to you. In fact a recent study indicated it’s the most important factor as organizations consider moving or adding more of their workloads to the cloud. Specific questions considered in the Whitepaper on EU Data Protection are issues of data protection:

  • Will the content be secure?
  • Where will content be stored?
  • Who will have access to content?
  • What laws and regulations apply to the content and what is needed to comply with these?

In this whitepaper, we start with the AWS “Shared Responsibility” model with an emphasis on data security, outlining tools to be considered in a holistic data protection program (firewall configuration, encryption, access management). Our specific applicable regions are also described, and concerns over government access rights are addressed. Additionally, data protection principles such as “Data Retention,” “Lawful basis,” and “Purpose Limitation” are defined and outlined, providing education about protection summaries as well as AWS’s stance on each principle. Notification examples are also provided around “Data Breaches” and “Customer’s third-party service providers.”

You can use this whitepaper as a reference as you start your research on cloud security to enable data protection. You can also use this whitepaper if you’re simply looking to verify that you’re on the right track with your own privacy policies. Please feel free to reach out to us with any additional concerns or questions.

– Chad Woolf, Director, AWS Risk and Compliance

Additional Resources:


Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.


Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah. Follow Chad on Twitter.