AWS whitepapers documentation change
Summary
Updated GDPR compliance documentation to clarify AWS roles as processor/controller, added metadata processing section, and updated references to AWS DPA and Privacy Notice
Security assessment
This change enhances GDPR compliance documentation by clarifying data processing roles and responsibilities. It provides clearer guidance on when AWS acts as processor vs controller, which helps customers understand their security and compliance obligations. The change includes security-related content about data protection measures under GDPR but doesn't address any specific security vulnerability or incident.
Diff
diff --git a/whitepapers/latest/navigating-gdpr-compliance/the-role-of-aws-under-the-gdpr.md b/whitepapers/latest/navigating-gdpr-compliance/the-role-of-aws-under-the-gdpr.md index 39540521d..11b0c2ca4 100644 --- a//whitepapers/latest/navigating-gdpr-compliance/the-role-of-aws-under-the-gdpr.md +++ b//whitepapers/latest/navigating-gdpr-compliance/the-role-of-aws-under-the-gdpr.md @@ -1 +1 @@ -[](/pdfs/whitepapers/latest/navigating-gdpr-compliance/navigating-gdpr-compliance.pdf#the-role-of-aws-under-the-gdpr "Open PDF") +[View a markdown version of this page](the-role-of-aws-under-the-gdpr.md) @@ -3 +3 @@ -[Documentation](/index.html)[AWS Whitepapers](https://aws.amazon.com/whitepapers/)[AWS Whitepaper](welcome.html) +[](/pdfs/whitepapers/latest/navigating-gdpr-compliance/navigating-gdpr-compliance.pdf#the-role-of-aws-under-the-gdpr "Open PDF") @@ -5 +5 @@ -AWS as a Data ProcessorAWS as a Data Controller +[Documentation](/index.html)[AWS Whitepapers](https://aws.amazon.com/whitepapers/)[AWS Whitepaper](navigating-gdpr-compliance-on-aws.html) @@ -7 +7 @@ AWS as a Data ProcessorAWS as a Data Controller -This whitepaper is for historical reference only. Some content might be outdated and some links might not be available. +AWS as a ProcessorAWS as a ControllerAWS metadata processing @@ -11,9 +11 @@ This whitepaper is for historical reference only. Some content might be outdated -Under the GDPR, AWS acts as both a data processor and a data controller. - -Under Article 32, controllers and processors are required to “…implement appropriate technical and organizational measures” that consider “the state of the art and the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. The GDPR provides specific suggestions for what types of security actions may be required, including: - - * The [pseudonymization](https://en.wikipedia.org/wiki/Pseudonymization) and encryption of personal data. - - * The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. - - * The ability to restore the availability and access to personal data in a timely manner, in the event of a physical or technical incident. +Under the GDPR, AWS may act as either a processor or a controller, depending on the service and how it is used. A controller is the entity that decides why and how personal data is processed. A processor handles personal data only on the controller's behalf and only for the purposes the controller defines. This distinction matters because it determines whether AWS or the customer is responsible for decisions about how personal data is handled and which party is accountable for meeting specific GDPR obligations. @@ -21 +13 @@ Under Article 32, controllers and processors are required to “…implement app - * A process to regularly test, assess, and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing. +The AWS DPA applies specifically to customer data uploaded and managed by the customer through AWS services. @@ -22,0 +15 @@ Under Article 32, controllers and processors are required to “…implement app +## AWS as a Processor @@ -23,0 +17 @@ Under Article 32, controllers and processors are required to “…implement app +When AWS customers use AWS services to process customer data in their content, AWS acts as a processor. Customers typically remain as controller and determine the purposes and means of processing. For example, customers can use the controls available in AWS services, including security configuration controls, to process customer data. The [AWS DPA](https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf) incorporates AWS's commitments as processor or sub-processor. @@ -24,0 +19 @@ Under Article 32, controllers and processors are required to “…implement app +## AWS as a Controller @@ -26 +21 @@ Under Article 32, controllers and processors are required to “…implement app -## AWS as a Data Processor +When AWS collects customer data and determines the purposes and means of processing (e.g., for account registration, administration or customer support), it acts as a controller. The [AWS Privacy Notice](https://aws.amazon.com/privacy/) describes how AWS collects, uses and discloses customer data where it acts as controller. @@ -28 +23 @@ Under Article 32, controllers and processors are required to “…implement app -When customers and AWS Partner Network (APN) Partners use AWS Services to process personal data in their content, AWS acts as a data processor. Customers and APN Partners can use the controls available in AWS services, including security configuration controls, to process personal data. Under these circumstances, the customer or APN Partners may act as a data controller or a data processor, and AWS acts as a data processor or sub-processor. The GDPR-compliant AWS DPA incorporates the commitments of AWS as a data processor. +## AWS metadata processing @@ -30 +25 @@ When customers and AWS Partner Network (APN) Partners use AWS Services to proces -## AWS as a Data Controller +AWS acts as a controller for operational metadata it generates or collects to operate services, manage accounts, bill customers and maintain security (such as account IDs, billing information, and security logs). AWS processes such metadata as described in the [AWS Privacy Notice](https://aws.amazon.com/privacy/). @@ -32 +27 @@ When customers and AWS Partner Network (APN) Partners use AWS Services to proces -When AWS collects personal data and determines the purposes and means of processing that personal data, it acts as a data controller. For example, when AWS processes account information for account registration, administration, services access, or contact information for the AWS account to provide assistance through customer support activities, it acts as a data controller. +For metadata customers generate or configure through AWS services (customer-created metadata), AWS does not act as processor, since AWS retains control over processing locations and determines other related processing aspects for this metadata.