European Union Data Protection Authorities Approve Amazon Web Services’ Data Processing Agreement

• 1020 words

As you all know security, privacy, and protection of our customer’s data is our number one priority and as such we work very closely with regulators to ensure that customers can be assured that they are getting the right protections when processing and storing data in the AWS. I am especially pleased that the group of European Union (EU) data protection authorities known as the Article 29 Working Party has approved the AWS Data Processing Agreement (DPA), assuring customers that it meets the high standards of EU data protection laws. The media alert below that went out today gives the details:

European Union Data Protection Authorities Approve Amazon Web Services’ Data Processing Agreement

Customers All Over the World Are Assured that AWS Agreement Meets Rigorous EU Privacy Laws

Brussels – March 31, 2015 – Amazon Web Services (AWS) today announced that the group of European Union (EU) data protection authorities known as the Article 29 Working Party has approved the AWS Data Processing Agreement (DPA), assuring customers that it meets the high standards of EU data protection laws. The approval of the AWS DPA, which embodies the Standard Contractual Clauses (often referred to as Model Clauses), means that AWS customers wishing to transfer personal data from the European Economic Area (EEA) to other countries can do so with even more knowledge that their content on AWS will be given the same high level of protection it receives in the EEA. For more detail on the approval from the Article 29 Working Party, visit the Luxembourg Data Protection Authority webpage here: http://www.cnpd.public.lu/en/actualites/international/2015/03/AWS/index.html

The AWS cloud is already being used extensively across the EU by startups, government agencies, educational institutions and leading enterprises such as Réseau Ferré de France and Veolia, in France, St James’s Place and Shell in the UK and Talanx and Hubert Burda Media in Germany. AWS customers have always had the freedom to choose the location where they store and process their content with the assurance that AWS will not move it from their chosen region. Customers have access to 11 AWS regions around the globe, including two in the EU – Ireland (Dublin) and Germany (Frankfurt) – which are comprised of multiple Availability Zones for customers to build highly secure and available applications. The DPA with Model Clauses gives AWS customers more choice when it comes to data protection and assures them that their content receives the same high levels of data protection, in accordance with European laws, no matter which AWS infrastructure region they choose around the world. The DPA is now available on request to all customers that require it.

“The security, privacy, and protection of our customer’s data is our number one priority,” said Dr Werner Vogels, Chief Technology Officer, Amazon.com. “Providing customers a DPA that has been approved by the EU data protection authorities is another way in which we are giving them assurances that they will receive the highest levels of data protection from AWS. We have spent a lot of time building tools, like security controls and encryption, to give customers the ability to protect their infrastructure and content. We will always strive to provide the highest level of data security for AWS customers in the EU and around the world.”

In the letter issued to AWS, the Article 29 Working Party said, “The EU Data Protection Authorities have analysed the arrangement proposed by Amazon Web Services” and “have concluded that the revised Data Processing Addendum is in line with Standard Contractual Clause 2010/87/EU and should not be considered as ‘ad-hoc’ clauses.” This means customers can sign the AWS Data Processing Addendum with Model Clauses without the need for authorization from data protection authorities, as would be necessary for contract clauses intended to address EU privacy rules that have not been approved, known as “ad hoc clauses.”

As well as having a DPA that has been approved by the Article 29 Working Party, AWS is fully compliant with all applicable EU data protection laws and maintains robust global security standards, such as ISO 27001, SOC 1, 2, 3 and PCI DSS Level 1. In 2013, the AWS Cloud was approved by De Nederlandsche Bank for use in the Dutch financial services sector, opening the door for financial services firms in The Netherlands to store confidential data and run mission-critical applications on AWS. AWS has teams of Solutions Architects, Account Managers, Trainers and other staff in the EU expertly trained on cloud security and compliance to assist AWS customers as they move their applications to the cloud. AWS also helps customers meet local security standards and has launched a Customer Certification Workbook, developed by independent certification body TÜV TRUST IT, providing customers with guidance on how to become certified for BSI IT Grundschutz in Germany. A copy of the workbook can be found at: http://aws.amazon.com/compliance/

“The EU has the highest data protection standards in the world and it is very important that European citizens’ data is protected,” said Antanas Guoga, Member of the European Parliament. “I believe that the Article 29 Working Party decision to approve the data processing agreement put forward by Amazon Web Services is a step forward to the right direction. I am pleased to see that AWS puts an emphasis on the protection of European customer data. I hope this decision will also help to drive further innovation in the cloud computing sector across the EU.”

“For us, like many companies, data privacy is paramount,” said JP Schmetz, Chief Scientist at Hubert Burda Media. “One of the reasons we chose AWS is the fact that they put so much emphasis on maintaining the highest levels of security and privacy for all of their customers. This is why we are moving mission critical workloads to AWS.”

For more information on AWS Model Clauses please visit: http://aws.amazon.com/compliance/eu-data-protection More information on AWS’ data protection practices can be found on the AWS Data Protection webpage at: http://aws.amazon.com/compliance/data-privacy-faq/. A full list of compliance certifications and a list of the robust controls in place at AWS to maintain security and data protection for customers can be found on the AWS compliance webpage at: http://aws.amazon.com/compliance/.