General Data Protection Regulation (GDPR) Center
GDPR compliance when using AWS services
The European Union’s General Data Protection Regulation (GDPR) protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data. The GDPR includes robust requirements that raise and harmonize standards for data protection, security, and compliance. Please review our GDPR FAQs below for more information.
AWS customers can use all AWS services to process personal data (as defined in the GDPR) that is uploaded to the AWS services under their AWS accounts (customer data) in compliance with the GDPR. In addition to our own compliance, AWS is committed to offering services and resources to our customers to help them comply with the GDPR requirements that may apply to their activities. New features are launched regularly, and AWS has 500+ features and services focused on security and compliance. For more information on what AWS is doing, read our blog post How AWS is helping EU customers navigate the new normal for data protection.
Focuses
Customer control
Customers have control of their customer data. With AWS, customers can:
- Determine where their customer data will be stored, including the type of storage and geographic region of that storage.
- Choose the secured state of their customer data. We offer customers strong encryption for customer data in transit or at rest, and we provide customers with the option to manage their own encryption keys.
- Manage access to their customer data and AWS services and resources through users, groups, permissions and credentials that customers control.
Transfers outside the European Economic Area (EEA)
AWS customers can continue to use AWS services, in compliance with the GDPR, to transfer customer data from the EEA to non-EEA countries that have not received an adequacy decision from the European Commission (including the United States). At AWS, our highest priority is securing customer data, and we implement rigorous technical and organizational measures to protect its confidentiality, integrity, and availability, regardless of which AWS Region the customer has selected. We know that transparency matters to our customers. We list the AWS services that involve a data transfer of customer data on our Privacy Features webpage.
As the regulatory and legislative landscape evolves, we will always work to ensure that our customers can continue to enjoy the benefits of AWS services wherever they operate. Please see our customer update on the EU-US Privacy Shield and our blog posts on the Supplementary Addendum to the AWS Data Processing Addendum and the CISPE Data Protection Code of Conduct for additional information.
Overview and GDPR basics
What is the GDPR?
Who does the GDPR apply to?
Is AWS a data processor or a data controller under the GDPR?
What are the Standard Contractual Clauses (SCCs)?
How does AWS incorporate the SCCs into the AWS GDPR DPA with customers?
AWS and GDPR compliance following the Schrems II ruling and EDPB Recommendations
What are the Schrems II ruling and the EDPB Recommendations?
Can I continue to use AWS services following the Schrems II ruling?
Does AWS use sub-processors to process customer data?
How does AWS help customers when they conduct data transfer assessments?
How can I prove to a data protection authority that my use of the AWS services complies with the GDPR?
Does AWS comply with the GDPR approved CISPE Code of Conduct specific to cloud infrastructure services?
Yes. The Cloud Infrastructure Services Providers in Europe (CISPE) Data Protection Code of Conduct Public Register includes a list of adherent AWS services. CISPE is a coalition of cloud computing leaders serving millions of European customers. The CISPE Data Protection Code of Conduct (CISPE Code) is the first pan-European data protection code of conduct focused on cloud infrastructure services providers. The CISPE Code was approved by the European Data Protection Board, acting on behalf of the 27 data protection authorities across Europe, and formally adopted by the French Data Protection Authority (CNIL), acting as the lead supervisory authority. In 2017, AWS announced its compliance with an earlier version of the CISPE Code.
Technical and organizational measures
Do AWS Partners offer products and services to help with GDPR compliance?
Does AWS offer professional services help on GDPR compliance?
How can AWS Support help me in my journey to GDPR compliance?
How can AWS help customers meet their obligations under the GDPR, regarding notifications of personal data breaches?
How does AWS help me to protect my customer data against cyber-attacks?
What tools are available to help me identify personal data within my content on AWS?
How can I control access to personal data within my content on AWS?
To help customers with GDPR compliance, AWS offers a number of tools that customers can use to control access to personal data contained in their content on AWS. These tools include:
- Security by default means AWS services are designed to be secure by default. If the default configuration is used, access to resources is locked down to just the account owner and root administrator.
- AWS Identity and Access Management (IAM) enables customers to manage access to AWS services and resources securely. Using IAM, organizations can create and manage AWS users and groups as well as use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
- AWS Multi-Factor Authentication adds an extra layer of protection on top of an AWS account’s user name and password. AWS gives customers the option of virtual and hardware MFA devices.
- AWS Directory Service allows customers to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience.
- AWS Config allows customers to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state.
- AWS CloudTrail allows customers to log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
- Amazon Macie uses machine learning to help customers prevent data loss by automatically discovering, classifying, and protecting sensitive data in AWS. This fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks – such as sensitive data that a customer has accidentally made externally accessible.
How can I encrypt customer data in AWS to prevent unauthorized access?
What services does AWS offer customers to help them comply with the GDPR?
AWS provides specific features and services which help customers to meet requirements of the GDPR:
Access Control: Allow only authorized administrators, users, and applications access to AWS resources
- Multi-Factor Authentication (MFA)
- Fine-grained access to objects in Amazon S3 buckets, Amazon SQS, Amazon SNS, and other services
- API request authentication
- Geo-restrictions
- Temporary access tokens through AWS Security Token Service
Monitoring and Logging: Get an overview of activity on your AWS resources
- Asset management and configuration with AWS Config
- Compliance auditing and security analytics with AWS CloudTrail
- Identification of configuration problems through AWS Trusted Advisor
- Fine-grained logging of access to Amazon S3 objects
- Detailed information about network flows through Amazon VPC Flow Logs
- Rule-based configuration checks and actions with AWS Config Rules
- Filtering and monitoring of HTTP access to applications with AWS WAF functions in Amazon CloudFront
Encryption: Encrypt data on AWS
- Encryption of your data at rest with AES-256 (EBS/S3/Glacier/RDS)
- Centrally managed key management (per AWS Region)
- IPsec tunnels into AWS with VPN gateways
- Dedicated hardware security modules (HSMs) in the cloud with AWS CloudHSM
Strong Compliance Framework and Security Standards: We demonstrate compliance with rigorous international standards, such as:
- ISO 27001 for technical measures
- ISO 27017 for cloud security
- ISO 27018 for cloud privacy
- SOC 1, SOC 2 and SOC 3, PCI DSS Level 1
- BSI’s Common Cloud Computing Controls Catalogue (C5)
- ENS High
AWS and the UK GDPR
Does the GDPR still apply to the UK?
How can customers use AWS in compliance with the UK GDPR?
How can customers transfer customer data in compliance with the UK GDPR?
The UK GDPR Addendum, which is part of the AWS Service Terms, includes the SCCs adopted by the EC and the international data transfer addendum (IDTA) issued by the UK data protection regulator (the Information Commissioner's Office). The IDTA amends the SCCs to ensure they constitute an appropriate safeguard under the UK GDPR for international data transfers to countries outside of the UK that have not been recognised as providing an adequate level of protection for personal data (UK third countries). The UK GDPR Addendum confirms that the SCCs (as amended by the IDTA) will automatically apply whenever a customer uses AWS services to transfer customer data subject to the UK GDPR (UK customer data) to UK third countries.