AWS Security ChangesHomeSearch

AWS whitepapers documentation change

Service: whitepapers · 2026-04-16 · Documentation low

File: whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.md

Summary

Updated GDPR compliance documentation with current AWS Data Processing Addendum details, data transfer mechanisms using Standard Contractual Clauses, and strengthened contractual commitments from February 2021 including governmental request handling procedures.

Security assessment

The changes update GDPR compliance documentation to reflect current AWS contractual commitments and data transfer mechanisms. While it discusses security-related contractual protections (governmental request handling, data minimization, challenge procedures), there is no evidence of addressing a specific security vulnerability or incident. The changes appear to be routine compliance documentation updates to reflect current regulatory requirements and AWS contractual terms.

Diff

diff --git a/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.md b/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.md
index fb494371f..d932c8d15 100644
--- a//whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.md
+++ b//whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.md
@@ -1 +1 @@
-[](/pdfs/whitepapers/latest/navigating-gdpr-compliance/navigating-gdpr-compliance.pdf#aws-data-processing-addendum-dpa "Open PDF")
+[View a markdown version of this page](aws-data-processing-addendum-dpa.md)
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Whitepapers](https://aws.amazon.com/whitepapers/)[AWS Whitepaper](welcome.html)
+[](/pdfs/whitepapers/latest/navigating-gdpr-compliance/navigating-gdpr-compliance.pdf#aws-data-processing-addendum-dpa "Open PDF")
@@ -5 +5 @@
-This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
+[Documentation](/index.html)[AWS Whitepapers](https://aws.amazon.com/whitepapers/)[AWS Whitepaper](navigating-gdpr-compliance-on-aws.html)
@@ -9 +9,17 @@ This whitepaper is for historical reference only. Some content might be outdated
-AWS offers a GDPR-compliant AWS Global Data Processing Addendum (GDPR DPA), which enables customers to comply with GDPR contractual obligations. The [AWS GDPR DPA is incorporated into the AWS Service Terms](https://aws.amazon.com/blogs//security/new-global-aws-data-processing-addendum/) and applies automatically to all customers globally who require it to comply with the GDPR whenever customers use AWS services to process personal data, regardless of which data protection laws apply to that processing.
+AWS offers a GDPR-compliant [AWS Data Processing Addendum](https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf) (AWS DPA), which enables AWS customers to comply with GDPR contractual obligations. The AWS DPA is incorporated into the [AWS Service Terms](https://aws.amazon.com/service-terms/) and applies automatically to all customers globally whenever customers use AWS services to process customer data, regardless of which data protection laws apply to that processing. 
+
+Customers can transfer their content from Europe to the US and other countries using AWS, in compliance with EU data protection laws, including the GDPR. For example, where AWS customers choose to transfer customer data outside the EU to a country not recognized by the European Commission as providing an adequate level of protection for personal data subject to the GDPR, AWS uses the Standard Contractual Clauses (SCCs) as a data transfer tool to validate such transfers (unless AWS has adopted an alternative recognized compliance standard for lawful data transfers). The SCCs are part of the AWS Service Terms, are incorporated by reference into the AWS DPA, and apply automatically in case of such a data transfer. As the regulatory and legislative landscape evolves, AWS remains committed to ensuring that customers can continue to benefit from AWS globally. 
+
+In February 2021, AWS adopted strengthened contractual commitments for protecting customer data. These commitments apply to all customer data processed by AWS, regardless of whether it is transferred outside the European Economic Area (EEA). These commitments are automatically available to all customers using AWS to process their customer data, without any additional action required, through a [Supplementary Addendum](https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf) to the AWS DPA, which is incorporated in the AWS Service Terms. 
+
+The key commitments outlined in the Supplementary Addendum include:
+
+  * Redirecting governmental requests for customer data directly to customers whenever possible.
+
+  * Promptly notifying customers if AWS is compelled to disclose customer data (unless prohibited by law), allowing customers time to seek protective measures.
+
+  * Actively challenging governmental requests that are overly broad, inappropriate, or conflict with EU or applicable EU Member State laws.
+
+  * Disclosing only the minimal amount of customer data necessary when legally compelled to do so.
+
+
@@ -11 +26,0 @@ AWS offers a GDPR-compliant AWS Global Data Processing Addendum (GDPR DPA), whic
-On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a ruling regarding the EU-US Privacy Shield and Standard Contractual Clauses (SCCs), also known as “model clauses.” The CJEU ruled that the EU-US Privacy Shield is no longer valid for the transfer of personal data from the European Union (EU) to the United States (US). However, in the same ruling, the CJEU validated that companies can continue to use SCCs as a mechanism for transferring data outside of the EU.
@@ -13 +28 @@ On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a ruli
-Following this ruling, AWS customers and partners can continue to use AWS to transfer their content from Europe to the US and other countries, in compliance with EU data protection laws – including the General Data Protection Regulation (GDPR). AWS customers can rely on the SCCs included in the AWS Data Processing Addendum (DPA) if they choose to transfer their data outside the European Union in compliance with GDPR. As the regulatory and legislative landscape evolves, we will work to ensure that our customers and partners can continue to enjoy the benefits of AWS everywhere they operate. An example of such an evolving scenario is the new adequacy decision on the new “EU-US Data Privacy Framework”, adopted by the European Commission, on 10 July 2023. For additional information, see the [EU-US Privacy Shield FAQ](https://aws.amazon.com/compliance/eu-us-privacy-shield-faq/).
+AWS outlines a structured framework to clarify the division of responsibilities in the context of international data transfers under the GDPR. This framework reflects current European regulatory expectations and highlights the shared responsibility model. Under this model, customers are responsible for assessing and implementing the technical and organizational measures needed to secure their data transfers, while AWS remains responsible for maintaining contractual and infrastructure-level safeguards.
@@ -15 +30 @@ Following this ruling, AWS customers and partners can continue to use AWS to tra
-Furthermore, AWS announced strengthened contractual commitments that go beyond what’s required by the Schrems II ruling and currently provided by other cloud providers to protect the personal data that customers entrust AWS to process (customer data). Significantly, these new commitments apply to all customer data subject to GDPR processed by AWS, whether it is transferred outside the European Economic Area (EEA) or not. These commitments are automatically available to all customers using AWS to process their customer data, with no additional action required, through a new supplementary addendum to the AWS GDPR Data Processing Addendum, which is also incorporated in the AWS Service Terms. 
+The framework includes a practical six-step process based on guidance from the European Data Protection Board (EDPB), which is the independent EU body composed of representatives from national data protection authorities and the European Data Protection Supervisor. The steps help customers: (1) map data transfers; (2) identify the legal transfer mechanism in use (such as SCCs); (3) assess the laws and practices of destination countries; (4) implement supplementary safeguards where necessary; (5) document procedural steps; and (6) reassess risk periodically.
@@ -17 +32 @@ Furthermore, AWS announced strengthened contractual commitments that go beyond w
-AWS has published an additional whitepaper, [Navigating Compliance with EU Data Transfer Requirements](https://d1.awsstatic.com/whitepapers/Security/navigating-compliance-with-eu-data-transfer-requirements.pdf), to help customers conducting both their data transfer assessments and understanding the key supplementary measures made available to protect customer data according to the recommendations released by the European Data Protection Board (EDPB). 
+AWS supports customers in this process by offering a set of technical, organizational, and contractual safeguards, such as encryption, data residency controls, and legal commitments to resist overreaching governmental requests. These safeguards help customers meet regulatory expectations and demonstrate accountability. AWS is responsible for implementing and maintaining contractual measures, while customers are responsible for configuring AWS services to reflect their compliance needs and risk posture.
@@ -25 +40 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-AWS Preparation for the GDPR
+AWS and the GDPR