EU-US Privacy Shield

  • How does the new EU-US Privacy Shield affect how customers use AWS?

    AWS customers can already transfer personal data from the EU to the US in a compliant way. The EU-US Privacy Shield aims to enable the compliant transfer of personal data from data controllers in the EU to data controllers (or processors) in the US. AWS offers customers a Data Processing Addendum, including Model Clauses (Data Processing Addendum), that was approved in 2015 by the EU data protection authorities, known as the Article 29 Working Party. This Data Processing Addendum enables our customers, when using AWS, to transfer personal data outside the European Economic Area (EEA) to any country, including the US. For this reason, the EU-US Privacy Shield does not affect the way customers use, or work with, AWS. Customers can continue transferring their content from AWS’ EU regions to the US regions with the knowledge that AWS is compliant with EU data protection requirements.

  • Is AWS certified under the EU-US Privacy Shield?

    Yes, AWS is certified under the EU-US Privacy Shield. View the certification here.

  • Where can I find more information about the EU-US Privacy Shield?

    More details on the obligations for US service providers under the EU-US Privacy Shield can be found on the European Commission website and on the US Department of Commerce website.

  • How can I use AWS and comply with current EU Data Protection laws?

    AWS offers customers a number of compliance measures they can rely on to comply with European data protection laws. For example, customers are able to rely on the AWS Data Processing Addendum, which includes the Model Clauses as approved by the Article 29 Working Party (Data Processing Addendum). The Data Processing Addendum is available to all AWS customers transferring data from the EU to any of the AWS regions around the world, whether in the US or not. The Data Processing Addendum gives customers the assurance that AWS will give customers’ data the same high levels of security, privacy and data protection that it would receive in the EU.

    AWS customers have granular control over the data they store in the AWS cloud. AWS also enables a high level of security and maintains certification with robust security standards, such as ISO 27001, SOC 1/2/3 and PCI DSS Level 1. AWS can assist customers directly with teams of Solutions Architects, Account Managers, Consultants, Trainers and other staff in the EU who are expertly trained on cloud security and compliance to assist AWS customers in achieving high levels of security and compliance in the Cloud. AWS also helps customers meet many local security standards; for example, AWS, alongside auditor TÜV TRUST IT, has published a Customer Certification Workbook that provides guidance on achieving German BSI IT Grundschutz compliance in the Cloud.

  • Will the EU-US Privacy Shield also cover me for data transfers to countries other than the US?

    With our EU-approved Data Processing Addendum, AWS customers can run their global operations using AWS in full compliance with EU law and transfer personal data from an AWS region in the EEA to any other region in the world. This is available to all AWS customers who are processing personal data, whether they are established in Europe or are a global company operating in the EEA. The EU-US Privacy Shield is only intended to cover transfers of personal data from the EU to the US. Once AWS is certified, this particular certification will only be applicable to customers who wish to transfer personal data from the EU to the US.

  • I have signed the AWS Data Processing Addendum, how does the new EU-US Privacy Shield affect this?

    Customers who already have a signed Data Processing Addendum with AWS can continue to rely on that legal agreement after AWS is certified under the EU-US Privacy Shield. The EU-US Privacy Shield simply gives customers an additional compliance mechanism to rely on that specifically applies to transfers of personal data from the EU to the US. The AWS Data Processing Addendum gives customers that are transferring data from the EEA to any AWS region around the world (whether in the US or not) assurance that AWS will give their content the same high levels of security, privacy control, and data protection that it would receive in the EU. The same will be true when transferring personal data from the EU to the US under the EU-US Privacy Shield.

  • Does the new EU-US Privacy Shield supersede the AWS Data Processing Addendum with Model Clauses?

    No. The EU-US Privacy Shield only covers customers transferring personal data from the EU to the US. The AWS Data Processing Addendum with Model Clauses covers customers transferring personal data from the EEA to any of the AWS regions around the world, including the US.

  • What regions does the EU-US Privacy Shield cover when using AWS?

    The EU-US Privacy Shield simply covers transfers of personal data from the EU to the US. Once AWS is certified, this will provide a further basis for AWS customers to transfer personal data from an AWS region in the EEA to one in the US.

    AWS already offers customers a Data Processing Addendum, including Model Clauses (Data Processing Addendum). This was approved in 2015 by the EU data protection authorities, known as the Article 29 Working Party, and it allows customers to transfer personal data from an AWS region in the EEA to one outside the EEA in full compliance with EU data protection law. The EU-US Privacy Shield is not relevant for customers that are not transferring personal data from AWS’ EU regions to the US. With AWS, customers determine which infrastructure region their personal data will be stored in, knowing it will not be moved without their doing so. This allows customers to deploy AWS services in the locations of their choice, in accordance with their specific geographic requirements, including in established AWS regions in Dublin, London, Paris and Frankfurt.

  • What do I need to do to be covered by the AWS Data Processing Addendum when using AWS?

    There is nothing customers need to do once they enter into the AWS Data Processing Addendum. Provided the customer complies with its own obligations as data controller or data processor, the AWS Data Processing Addendum will cover transfers of personal data by the customer from any AWS region in the EEA to one outside the EEA.

  • How do I lodge a complaint with AWS about how my data has been handled under the EU-US Privacy Shield?

    Once AWS has been certified, customers wishing to contact AWS to ask questions or discuss the EU-US Privacy Shield can get in touch with a member of our team at privacyshield@amazon.com.

  • How does the Brexit announcement affect EU-US Privacy Shield?

    The Brexit announcement does not currently affect the EU-US Privacy Shield.
