The Role of AWS Under the GDPR - Navigating GDPR Compliance on AWS

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

The Role of AWS Under the GDPR

Under the GDPR, AWS acts as both a data processor and a data controller.

Under Article 32, controllers and processors are required to “…implement appropriate technical and organizational measures” that consider “the state of the art and the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. The GDPR provides specific suggestions for what types of security actions may be required, including:

  • The pseudonymization and encryption of personal data.

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

  • The ability to restore the availability and access to personal data in a timely manner, in the event of a physical or technical incident.

  • A process to regularly test, assess, and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing.

AWS as a Data Processor

When customers and AWS Partner Network (APN) Partners use AWS Services to process personal data in their content, AWS acts as a data processor. Customers and APN Partners can use the controls available in AWS services, including security configuration controls, to process personal data. Under these circumstances, the customer or APN Partner may act as a data controller or a data processor, and AWS acts as a data processor or sub-processor. The GDPR-compliant AWS DPA incorporates the commitments of AWS as a data processor.

AWS as a Data Controller

When AWS collects personal data and determines the purposes and means of processing that personal data, it acts as a data controller. For example, when AWS processes account information for account registration, administration, services access, or contact information for the AWS account to provide assistance through customer support activities, it acts as a data controller.