AWS Data Processing Addendum (DPA) - Navigating GDPR Compliance on AWS

AWS offers a GDPR-compliant AWS Global Data Processing Addendum (GDPR DPA), which enables customers to comply with GDPR contractual obligations. The AWS GDPR DPA is incorporated into the AWS Service Terms and applies automatically to all customers globally who require it to comply with the GDPR whenever customers use AWS services to process personal data, regardless of which data protection laws apply to that processing.

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a ruling regarding the EU-US Privacy Shield and Standard Contractual Clauses (SCCs), also known as “model clauses.” The CJEU ruled that the EU-US Privacy Shield is no longer valid for the transfer of personal data from the European Union (EU) to the United States (US). However, in the same ruling, the CJEU validated that companies can continue to use SCCs as a mechanism for transferring data outside of the EU.

Following this ruling, AWS customers and partners can continue to use AWS to transfer their content from Europe to the US and other countries, in compliance with EU data protection laws, including the General Data Protection Regulation (GDPR). AWS customers can rely on the SCCs included in the AWS Data Processing Addendum (DPA) if they choose to transfer their data outside the European Union in compliance with GDPR. As the regulatory and legislative landscape evolves, we will work to ensure that our customers and partners can continue to enjoy the benefits of AWS everywhere they operate. An example of such an evolving scenario is the new adequacy decision on the new “EU-US Data Privacy Framework”, adopted by the European Commission on 10 July 2023. For additional information, see the EU-US Privacy Shield FAQ.

Furthermore, AWS announced strengthened contractual commitments that go beyond what’s required by the Schrems II ruling and currently provided by other cloud providers to protect the personal data that customers entrust AWS to process (customer data). Significantly, these new commitments apply to all customer data subject to GDPR processed by AWS, whether it is transferred outside the European Economic Area (EEA) or not. These commitments are automatically available to all customers using AWS to process their customer data, with no additional action required, through a new supplementary addendum to the AWS GDPR Data Processing Addendum, which is also incorporated in the AWS Service Terms.

AWS has published an additional whitepaper, Navigating Compliance with EU Data Transfer Requirements, to help customers both conduct their data transfer assessments and understand the key supplementary measures made available to protect customer data according to the recommendations released by the European Data Protection Board (EDPB).