Data protection at AWS

AWS and data protection with GDPR

Are Amazon servers GDPR-compliant?

Cloud computing is becoming increasingly popular. The dominant providers in this market are all based in the USA, including Amazon Web Services (AWS). If personal data is transferred from German and European companies to the USA, this always requires a legal basis. After the European Court of Justice declared the Privacy Shield invalid in its ruling on July 16, 2020, standard contractual clauses are generally used for data transfers. However, these alone are not sufficient.

In its ruling, the ECJ emphasized the responsibility of the controller to assess whether, once the standard contractual clauses have been concluded, the rights of data subjects in the USA (or other third countries) actually enjoy a level of protection equivalent to that in the EU. In fact, the European supervisory authorities expect additional measures such as anonymization or encryption of the data to be transferred. This blog post sheds light on whether and how AWS takes data protection seriously and supports its customers in implementing it.




Amazon Web Services (AWS) is an American cloud computing provider. It was founded in 2006 as a subsidiary of the online mail order company Amazon. Since then, AWS has been growing rapidly. In 2017, Gartner named AWS as the leading international provider in cloud computing. A few years ago, the turnover of AWS was 46 billion dollars.



AWS and data protection


As a US company, Amazon Web Services, like comparable services, has been criticized for years with regard to data protection. To compensate for this problem, AWS offers so-called regions, which in turn are divided into availability zones and correspond to physical locations for storing data. For example, the regions Ireland (eu-west-1) and Frankfurt am Main (eu-central-1) can be selected so that instances are only executed there. The problem with this is that servers located in the EU do not protect against access by US authorities under the CLOUD Act. This is a problem for AWS and data protection in Germany.

Amazon offers its customers preconfigured standard contractual clauses and also refers to a Data Processing Addendum. However, both documents are designed according to a "high-level approach". They do not really support the customer in carrying out the transfer impact assessment required in the standard contractual clauses. For example, the following description of the processed data categories from the addendum: "Customer Data uploaded to the Services under Customer's AWS accounts." is of course far too superficial to carry out an adequate transfer impact assessment.

To improve data protection, Amazon offers developers the option of encrypting the data they store on AWS themselves, including with an official software development kit. Large customers are offered the use of hardware encryption with individual components.


According to AWS's self-presentation, requests from US authorities are always carefully checked and, if necessary, rejected. With regard to data protection, Amazon AWS also emphasizes that data encrypted by the customer will only be released to US authorities in encrypted form.

For AWS services with encryption, AWS's own KMS service is used, which ensures that AWS itself has no way of recovering the plaintext.

This means that AWS can be used in compliance with data protection regulations, but only if encryption is actually used and possible residual risks have been assessed as acceptable as part of the transfer impact assessment.

Do you need support with the professional implementation of a transfer impact assessment? Please contact us. We look forward to supporting you with our many years of data protection expertise.
