AWS Data Processing Addendum
This addendum outlines how AWS processes personal data in accordance with the GDPR and other applicable data protection laws. By using AWS services, you agree to these terms.
Key Provisions of the Addendum
Scope
This addendum applies to all AWS services that process personal data under the GDPR, including services like cloud storage, analytics, and machine learning.
Data Categories
AWS processes personal data based on a Controller's instructions under GDPR Article 4(8). This includes data necessary for cloud infrastructure functionality.
Security Requirements
AWS must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Data Subject Requests
AWS will assist Controllers in fulfilling data subject access, correction, and deletion requests within 30 business days upon notification.
Implementation Requirements
Processing Instructions
- ✓ Processes personal data only as instructed by the Controller
- ✓ Limits retention to the time period instructed or as required by law
Documentation
- ✓ Maintaining records of all processing activities
- ✓ Providing documentation to Controllers upon request
Definitions
Processing
Any operation performed on personal data such as collection, storage, use, or deletion.
Joint Controller
A party sharing data processing decision-making power with another party.
Subided Processing
Where a data processor and controller share decision making with respect to data.
Pseudonymization
Processing data to irreversibly make it unusable without additional information.