
AWS and GDPR: A Compliance Guide for 2026

Understand how AWS and GDPR intersect. Learn shared responsibility, data processing agreements, transfer mechanisms, and configuration steps.

TermsBox Team | April 4, 2026 | 12 min read

AWS and GDPR compliance is a topic every business running workloads on Amazon Web Services must understand. If your application collects personal data from individuals in the European Union and you host it on AWS, the General Data Protection Regulation creates specific obligations for both you and your cloud provider.

This article is educational content and not legal advice. Consult a qualified attorney for decisions specific to your organization. What follows is a practical guide to the intersection of AWS infrastructure and GDPR requirements, including the shared responsibility model, data processing agreements, transfer mechanisms, and configuration best practices.

How the GDPR Applies to AWS Deployments

The GDPR (Regulation (EU) 2016/679) applies to the processing of personal data of individuals in the EU, regardless of where the processing takes place. When you deploy an application on AWS that handles EU personal data, two entities are involved in compliance:

  • You (the data controller or processor): You determine why and how personal data is processed. You decide what data to collect, which AWS services to use, how to configure security, and how long to retain data.
  • AWS (the data processor): AWS processes personal data on your behalf by providing the infrastructure. AWS is responsible for the security of the cloud itself, meaning the physical data centers, networking hardware, and hypervisor layer.

This division is formalized in the AWS Shared Responsibility Model. Understanding where AWS's obligations end and yours begin is the foundation of GDPR compliance on AWS.

The Shared Responsibility Model and GDPR

AWS describes its security model as "security of the cloud" versus "security in the cloud." For GDPR purposes, this distinction determines who is accountable for different aspects of data protection.

What AWS is responsible for

  • Physical security of data centers (access controls, surveillance, environmental protections)
  • Infrastructure hardware (servers, storage devices, networking equipment)
  • Hypervisor and managed service platform security
  • Compliance certifications (ISO 27001, ISO 27018, SOC 1/2/3, C5)
  • Providing encryption capabilities and key management services
  • Maintaining its GDPR Data Processing Addendum

What you are responsible for

  • Choosing appropriate AWS regions for data residency
  • Configuring encryption at rest and in transit
  • Managing IAM policies and access controls
  • Implementing logging and monitoring for personal data access
  • Ensuring your application code handles personal data lawfully
  • Responding to data subject requests (access, deletion, portability)
  • Maintaining your own privacy policy and cookie consent mechanisms
  • Conducting Data Protection Impact Assessments where required

The critical point is that using AWS does not make your application GDPR compliant by default. AWS provides the tools, but you must configure and use them correctly.

The AWS GDPR Data Processing Addendum

Article 28 of the GDPR requires a written contract between a data controller and any data processor. AWS satisfies this requirement through its GDPR Data Processing Addendum (DPA), which is incorporated into the AWS Service Terms.

What the AWS DPA covers

The AWS DPA addresses the mandatory elements listed in Article 28(3):

  1. Processing instructions: AWS processes data only according to your instructions, as defined by your use of AWS services
  2. Confidentiality: AWS personnel with access to personal data are bound by confidentiality obligations
  3. Security measures: AWS implements technical and organizational measures appropriate to the risk, as detailed in its compliance documentation
  4. Sub-processors: AWS discloses its sub-processors and commits to imposing equivalent data protection obligations on them
  5. Assistance with data subject rights: AWS provides tools and documentation to help you respond to access, deletion, and portability requests
  6. Breach notification: AWS commits to notifying you without undue delay after becoming aware of a personal data breach
  7. Audit rights: AWS provides compliance reports and certifications (SOC, ISO) that satisfy audit requirements under the GDPR

How to accept the DPA

The AWS DPA is part of the AWS Service Terms and applies automatically when you use AWS services to process personal data of EU individuals. You do not need to sign a separate document. However, review the DPA and keep a copy in your compliance records.

You can access the current version of the AWS GDPR DPA at the AWS Compliance page. Reference it in your Record of Processing Activities (ROPA) as required by Article 30.

International Data Transfers: AWS and GDPR Requirements

Transferring personal data outside the EEA triggers Chapter V of the GDPR. Since AWS operates data centers globally and is a US-headquartered company, data transfer mechanisms are relevant even when you select an EU region.

Transfer mechanisms AWS supports

  • EU-US Data Privacy Framework (DPF): AWS is certified under the DPF, adopted by the European Commission in its adequacy decision of July 2023. This allows transfers to AWS's US operations for services covered by the certification.
  • Standard Contractual Clauses (SCCs): The AWS DPA includes the European Commission's SCCs (2021 version) as a fallback mechanism if the DPF is invalidated or does not apply to a specific transfer.
  • EU region selection: The simplest approach is to keep all data in EU regions. AWS does not move data between regions unless you explicitly configure cross-region replication or use global services.

Practical recommendations for data residency

To minimize transfer complexity:

  • Select EU regions for all services that store or process personal data (eu-west-1 Ireland, eu-central-1 Frankfurt, eu-south-1 Milan, eu-north-1 Stockholm)
  • Use AWS Organizations Service Control Policies (SCPs) to prevent resources from being created in non-EU regions
  • Be aware that some AWS global services (IAM, Route 53, CloudFront) process data in the US by design. Evaluate whether personal data flows through these services.
  • If you use CloudFront as a CDN, access logs may contain IP addresses. Configure log delivery to an EU region S3 bucket.
  • Document your transfer impact assessment for any processing that occurs outside the EEA
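The SCP mentioned above, as an added example (not TermsBox's or AWS's own code): it builds a region-restriction policy in the shape AWS documents for Organizations (a Deny with `NotAction` for global services and a `StringNotEquals` condition on `aws:RequestedRegion`), evaluates a few calls against it, and lists pre-existing resources the SCP will not touch. The region list, the exempt global-service list, the account id and the inventory records are constructed.

```python
"""Region-restriction SCP for data residency (added example, constructed data)."""
import json

EU_REGIONS = ["eu-west-1", "eu-central-1", "eu-south-1", "eu-north-1"]

# Global services route their API calls through us-east-1, so a blanket region
# deny would break them; they are exempted via NotAction.
# Constructed list: keep only the global services you actually use.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "route53:*",
                          "cloudfront:*", "support:*", "health:*"]


def build_region_scp(allowed_regions, exempt_actions):
    """Produce the SCP document to attach to the OU that hosts EU personal data."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": exempt_actions,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
        }],
    }


def _action_matches(action, pattern):
    p_service, _, p_op = pattern.partition(":")
    a_service, _, a_op = action.partition(":")
    return p_service == a_service and p_op in ("*", a_op)


def scp_denies(policy, action, requested_region):
    """Does the SCP block this call? Models only the operators the policy uses.
    An SCP never grants access, it only caps what IAM policies may allow, and it
    does not apply to the organization's management account."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(action, p) for p in stmt["NotAction"]):
            continue  # exempt global service
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in allowed:
            return True
    return False


# Constructed inventory (e.g. exported from AWS Config); 123456789012 is a placeholder account id.
INVENTORY = [
    {"arn": "arn:aws:rds:eu-central-1:123456789012:db:users", "region": "eu-central-1"},
    {"arn": "arn:aws:s3:::example-eu-uploads", "region": "eu-west-1"},
    {"arn": "arn:aws:dynamodb:us-east-1:123456789012:table/sessions", "region": "us-east-1"},
]


def out_of_region(inventory, allowed_regions):
    """An SCP stops new requests, not existing resources: list what must be migrated."""
    return [r["arn"] for r in inventory if r["region"] not in allowed_regions]


if __name__ == "__main__":
    policy = build_region_scp(EU_REGIONS, GLOBAL_SERVICE_ACTIONS)
    print(json.dumps(policy, indent=2))
    print("create RDS in us-east-1 denied:", scp_denies(policy, "rds:CreateDBInstance", "us-east-1"))
    print("to migrate:", out_of_region(INVENTORY, EU_REGIONS))
```

Attach the generated document to the OU rather than to individual accounts, and run the inventory check first: anything already outside the approved regions keeps running after the SCP is in place and needs a transfer impact assessment or a migration.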

Configuring AWS Services for GDPR Compliance

GDPR compliance on AWS requires deliberate configuration. The following steps cover the most common requirements.

Encryption

Article 32 of the GDPR requires appropriate security measures, and encryption is one of the most effective. AWS provides encryption options across services:

  • S3: Enable default encryption (SSE-S3 or SSE-KMS) on all buckets containing personal data
  • RDS and Aurora: Enable encryption at rest using AWS KMS. Enable SSL/TLS for connections in transit.
  • EBS volumes: Encrypt all volumes attached to EC2 instances that process personal data
  • DynamoDB: Enable encryption at rest (on by default since 2018)
  • ElastiCache: Enable in-transit and at-rest encryption for Redis and Memcached clusters

Use AWS KMS with customer-managed keys (CMKs) for the strongest control. CMKs allow you to manage key rotation, define key policies, and audit key usage through CloudTrail.

Access control and least privilege

  • Use IAM policies with least-privilege principles. No user or service should have access to personal data unless required for their function.
  • Enable multi-factor authentication (MFA) for all IAM users, especially those with access to databases or storage containing personal data.
  • Use IAM roles instead of long-lived access keys for EC2 instances and Lambda functions.
  • Implement attribute-based access control (ABAC) to tag resources containing personal data and restrict access by tag.
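To make the encryption and ABAC controls above concrete, here is an added example (not TermsBox's or AWS's code) with two policy documents and a small evaluator that tries constructed requests against them. The condition keys used (`s3:x-amz-server-side-encryption`, `aws:SecureTransport`, `s3:ExistingObjectTag/...`, `aws:PrincipalTag/...`) are published IAM keys; the bucket name, the `DataClass` tag key and the requests are constructed. The evaluator models only what these policies need: explicit deny wins, otherwise an allow is required, and a negated operator such as `StringNotEquals` matches when the key is absent from the request, which is exactly why "deny unless the SSE header equals aws:kms" catches uploads that send no header at all.

```python
"""S3 encryption-enforcing bucket policy plus a tag-based (ABAC) identity policy,
with a minimal IAM-style evaluator (added example, constructed data)."""
import re
from fnmatch import fnmatch

BUCKET = "example-eu-personal-data"  # constructed bucket name

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# ABAC identity policy: read an object only if its DataClass tag equals the
# caller's DataClass principal tag ("DataClass" is a constructed tag key).
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadByMatchingDataClassTag", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringEquals": {"s3:ExistingObjectTag/DataClass": "${aws:PrincipalTag/DataClass}"}}},
        {"Sid": "WriteObjects", "Effect": "Allow",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}


def request(action, key, *, tls=True, sse=None, principal_class=None, object_class=None):
    """Build the request context the way IAM would see it (constructed helper)."""
    ctx = {"action": action, "resource": f"arn:aws:s3:::{BUCKET}/{key}",
           "aws:SecureTransport": "true" if tls else "false"}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    if principal_class is not None:
        ctx["aws:PrincipalTag/DataClass"] = principal_class
    if object_class is not None:
        ctx["s3:ExistingObjectTag/DataClass"] = object_class
    return ctx


def _matches(spec, value):
    specs = [spec] if isinstance(spec, str) else spec
    return any(fnmatch(value, s) for s in specs)


def _resolve(value, ctx):
    """Substitute policy variables such as ${aws:PrincipalTag/DataClass}."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected = [_resolve(e, ctx) for e in ([expected] if isinstance(expected, str) else expected)]
            actual = ctx.get(key)
            if op == "StringEquals" and (actual is None or actual not in expected):
                return False
            if op == "StringNotEquals" and actual is not None and actual in expected:
                return False  # a missing key makes a negated operator match
            if op == "Bool" and (actual is None or actual.lower() not in [e.lower() for e in expected]):
                return False
            if op not in ("StringEquals", "StringNotEquals", "Bool"):
                raise NotImplementedError(op)
    return True


def evaluate(policies, ctx):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], ctx["action"]) and _matches(stmt["Resource"], ctx["resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision


POLICIES = [BUCKET_POLICY, ABAC_POLICY]

if __name__ == "__main__":
    print(evaluate(POLICIES, request("s3:PutObject", "users/42.json")))            # explicit_deny: no SSE header
    print(evaluate(POLICIES, request("s3:PutObject", "users/42.json", sse="aws:kms")))  # allow
```

The bucket-policy denies apply to every principal, including the account root, so they hold even when an identity policy elsewhere is too broad; the ABAC statement then narrows reads to principals whose tag matches the object's classification.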

Logging and monitoring

The accountability principle under Article 5(2) requires demonstrable compliance. AWS logging services support this:

  • CloudTrail: Enable across all regions to log API calls. This creates an audit trail of who accessed which resources and when.
  • VPC Flow Logs: Monitor network traffic to and from instances that handle personal data.
  • S3 access logs: Track access to buckets storing personal data.
  • CloudWatch: Set alarms for unusual access patterns, such as bulk data downloads or access from unexpected IP ranges.
  • AWS Config: Track configuration changes to resources and evaluate compliance against custom rules.

Store logs in a dedicated, immutable S3 bucket with Object Lock enabled. Retain logs for a period that aligns with your ROPA and legal requirements.
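The "unusual access patterns" alarms above need concrete rules. The following added example (not TermsBox's or AWS's code) runs three detections over CloudTrail-shaped records: bulk object reads by one principal, API calls from outside the networks you expect, and calls that weaken the audit trail itself. The records, thresholds, networks and ARNs are constructed, and the account id is a placeholder. One precondition worth remembering: S3 `GetObject` only appears in CloudTrail when data events are enabled for the bucket.

```python
"""Detections over CloudTrail records (added example, constructed data)."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed: the VPC range and the office egress block (203.0.113.0/24 is a documentation prefix).
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("203.0.113.0/24")]
BULK_THRESHOLD = 3                 # reads per principal within BULK_WINDOW (kept low for the demo)
BULK_WINDOW = timedelta(minutes=5)
# CloudTrail API actions that stop or reduce audit logging.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

ANALYST = "arn:aws:iam::123456789012:user/analyst"   # constructed principals
BATCH = "arn:aws:iam::123456789012:user/app-batch"
ADMIN = "arn:aws:iam::123456789012:user/admin"


def _s3_read(time, principal, ip, key):
    return {"eventTime": time, "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
            "userIdentity": {"arn": principal}, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": "example-eu-personal-data", "key": key}}


SAMPLE_RECORDS = [  # constructed CloudTrail-shaped records
    _s3_read("2026-04-04T09:00:00Z", BATCH, "10.0.12.5", "users/1.json"),
    _s3_read("2026-04-04T09:10:00Z", ANALYST, "198.51.100.7", "users/2.json"),
    _s3_read("2026-04-04T09:10:20Z", ANALYST, "198.51.100.7", "users/3.json"),
    _s3_read("2026-04-04T09:11:05Z", ANALYST, "198.51.100.7", "users/4.json"),
    _s3_read("2026-04-04T09:12:30Z", ANALYST, "198.51.100.7", "users/5.json"),
    {"eventTime": "2026-04-04T09:30:00Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "userIdentity": {"arn": ADMIN},
     "sourceIPAddress": "203.0.113.40", "requestParameters": {"name": "org-trail"}},
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(records, threshold=BULK_THRESHOLD, window=BULK_WINDOW, networks=EXPECTED_NETWORKS):
    """Return findings as (rule, principal, detail) tuples, one per distinct condition."""
    findings, seen = [], set()
    reads = defaultdict(deque)            # principal -> timestamps of recent GetObject calls
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        principal = rec["userIdentity"]["arn"]
        ts = _parse_time(rec["eventTime"])

        if rec["eventSource"] == "cloudtrail.amazonaws.com" and rec["eventName"] in TRAIL_TAMPER_EVENTS:
            findings.append(("trail_tampering", principal, f"{rec['eventName']} at {rec['eventTime']}"))

        src = rec["sourceIPAddress"]
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            addr = None                   # AWS service principals log a DNS name, not an address
        if addr is not None and not any(addr in n for n in networks) and (principal, src) not in seen:
            seen.add((principal, src))
            findings.append(("unexpected_source", principal, src))

        if rec["eventSource"] == "s3.amazonaws.com" and rec["eventName"] == "GetObject":
            q = reads[principal]
            q.append(ts)
            while q and ts - q[0] > window:   # sliding window per principal
                q.popleft()
            if len(q) >= threshold and ("bulk", principal) not in seen:
                seen.add(("bulk", principal))
                findings.append(("bulk_read", principal, f"{len(q)} objects within {window}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(*finding)
```

In production the same logic sits in a CloudWatch metric filter or a Lambda subscribed to the trail's log group, with the threshold tuned to the workload; the `seen` set keeps one finding per principal and condition so a noisy bulk read does not flood the alarm.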

Handling Data Subject Rights on AWS

Chapter III of the GDPR gives individuals rights over their personal data. Your application must implement mechanisms to fulfill these rights, and AWS provides the underlying tools.


Right of access and data portability

When a data subject requests a copy of their personal data (Article 15) or asks for it in a portable format (Article 20):

  • Query your databases (RDS, DynamoDB, Elasticsearch) for all records associated with the individual
  • Include data in S3 (uploaded files, profile images), CloudWatch Logs (if they contain user identifiers), and any caches
  • Export the data in a structured, machine-readable format such as JSON or CSV
  • AWS does not provide an automated "find all data for person X" tool. You must build this capability into your application.

Right to erasure

When a data subject requests deletion under Article 17:

  • Delete records from all databases, including replicas and read replicas
  • Remove objects from S3 buckets, including versioned objects (enable lifecycle policies to expire old versions)
  • Purge data from caches (ElastiCache, CloudFront edge caches)
  • Verify deletion in backup systems. If backups contain the data, document a retention schedule and delete when backups expire.
  • Consider using DynamoDB TTL or S3 lifecycle rules to automate deletion based on retention periods

Building a data map

Before you can respond to any data subject request, you need to know where personal data lives across your AWS environment. Create and maintain a data map that documents:

  • Which AWS services store personal data
  • What categories of data each service holds
  • Retention periods for each data store
  • Access controls and encryption status
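A data map is only useful if it drives the access and erasure steps described in the two sections above. This added example (not TermsBox's or AWS's tooling) keeps the map as structured records, audits it for the gaps that block GDPR obligations, and turns one store's entry into an ordered erasure checklist that remembers replicas, object versions, CDN caches and backup expiry. The store entries, tags and retention figures are constructed.

```python
"""Data map with audit and erasure-plan helpers (added example, constructed data)."""
from datetime import date, timedelta

EU_REGIONS = {"eu-west-1", "eu-central-1", "eu-south-1", "eu-north-1"}

# Constructed data map: one entry per place personal data lives.
DATA_MAP = [
    {"id": "users-db", "service": "RDS", "region": "eu-central-1",
     "categories": ["identity", "contact"], "retention_days": 730, "encrypted": True,
     "read_replicas": ["users-db-ro-1"], "backup_retention_days": 35},
    {"id": "uploads", "service": "S3", "region": "eu-west-1",
     "categories": ["documents", "profile-images"], "retention_days": 730,
     "encrypted": True, "versioned": True, "cdn_cached": True},
    {"id": "session-cache", "service": "ElastiCache", "region": "eu-west-1",
     "categories": ["session"], "retention_days": 1, "encrypted": False},
    {"id": "legacy-export", "service": "S3", "region": "us-east-1",
     "categories": ["identity"], "retention_days": None, "encrypted": True},
]


def audit_data_map(stores, eu_regions=EU_REGIONS):
    """Return (store id, problem) pairs for gaps that block GDPR obligations."""
    findings = []
    for s in stores:
        if not s.get("encrypted"):
            findings.append((s["id"], "not encrypted at rest (Art. 32)"))
        if s["region"] not in eu_regions:
            findings.append((s["id"], f"outside the EEA in {s['region']}: transfer mechanism needed (Ch. V)"))
        if s.get("retention_days") is None:
            findings.append((s["id"], "no retention period (storage limitation, Art. 5(1)(e))"))
    return findings


def access_request_plan(stores):
    """Stores to query for an Article 15/20 export, identity stores first."""
    return [s["id"] for s in sorted(stores, key=lambda s: "identity" not in s["categories"])]


def erasure_plan(store, request_date):
    """Ordered steps to fulfil an Article 17 request for one store, including
    the copies that are easy to forget: replicas, versions, caches and backups."""
    steps = [f"delete subject records from {store['service']} {store['id']}"]
    for replica in store.get("read_replicas", []):
        steps.append(f"confirm the deletion propagated to replica {replica}")
    if store.get("versioned"):
        steps.append("delete noncurrent object versions and delete markers, or let a lifecycle rule expire them")
    if store.get("cdn_cached"):
        steps.append("invalidate cached copies at the CDN edge")
    backup_days = store.get("backup_retention_days")
    if backup_days:
        purge_by = request_date + timedelta(days=backup_days)
        steps.append(f"backups holding the data expire by {purge_by.isoformat()}; verify after that date")
    return steps


def erasure_runbook(stores, request_date):
    """Full checklist for one data subject across every store in the map."""
    return {s["id"]: erasure_plan(s, request_date) for s in stores}


if __name__ == "__main__":
    for store_id, problem in audit_data_map(DATA_MAP):
        print(f"{store_id}: {problem}")
    for store_id, steps in erasure_runbook(DATA_MAP, date(2026, 4, 4)).items():
        print(store_id, *steps, sep="\n  ")
```

Keeping the map in a machine-readable form also lets the audit run on every change (for example from a pipeline or an AWS Config rule), so an unencrypted cache or a store without a retention period is caught before a data subject request exposes it.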

Privacy Policies and AWS GDPR Compliance

Your privacy policy must disclose that you use AWS as a data processor and explain the implications for your users' data. Under Articles 13 and 14, this includes:

  • Naming AWS (or "cloud infrastructure providers") as a category of data processor
  • Disclosing the regions where data is stored
  • Explaining the transfer mechanism for any data processed outside the EEA
  • Referencing your DPA with AWS

Use a privacy policy generator to create a baseline document, then customize the data processor and international transfer sections to reflect your AWS configuration. If your application also uses cookies or tracking, build a compliant cookie policy that accounts for any AWS-based analytics or logging that processes personal data.

Your terms of service should also reference your data processing practices, particularly if you operate a SaaS platform where customers entrust you with their users' data.

AWS Compliance Resources and Certifications

AWS maintains a comprehensive compliance program that supports GDPR obligations:

  • ISO 27001: Information security management, covering AWS's global infrastructure
  • ISO 27018: Protection of personally identifiable information in public clouds
  • SOC 1, SOC 2, SOC 3: Independent audits of AWS controls relevant to security, availability, and confidentiality
  • C5 (Cloud Computing Compliance Criteria Catalogue): German BSI standard for cloud security
  • AWS Artifact: A self-service portal where you can download AWS compliance reports and certifications. Use these to satisfy audit requirements under Article 28(3)(h) without requiring on-site audits of AWS data centers.

These certifications do not replace your own compliance work, but they provide evidence that AWS, as your processor, meets the security standards the GDPR expects. Reference them in your ROPA and Data Protection Impact Assessments.

Common AWS and GDPR Compliance Mistakes

Avoid these frequent errors when running GDPR-regulated workloads on AWS:

  • Assuming AWS handles compliance for you: The shared responsibility model means you own configuration, access control, and application-level data protection
  • Using default, unencrypted storage: New S3 buckets encrypt by default since January 2023, but older buckets or other services may not. Audit all data stores.
  • Ignoring global services: Route 53, IAM, and CloudFront process some data in US regions regardless of your region selection. Evaluate whether personal data passes through these services.
  • No data map: Without knowing where personal data resides across your AWS environment, you cannot respond to data subject requests or conduct accurate DPIAs
  • Missing CloudTrail logging: Without API audit trails, you cannot demonstrate who accessed personal data or prove compliance during an investigation
  • Over-retaining data in backups: Automated backups and snapshots can retain personal data long after it should be deleted. Implement lifecycle policies aligned with your retention schedule.

Frequently Asked Questions

Is AWS GDPR compliant?

AWS provides GDPR-compliant infrastructure and offers a Data Processing Addendum (DPA) that meets Article 28 requirements. However, GDPR compliance is a shared responsibility. AWS secures the cloud infrastructure, but you are responsible for how you configure services, manage access, and handle personal data within your AWS environment.

Do I need a Data Processing Agreement with AWS?

Yes. Article 28 of the GDPR requires a written agreement between data controllers and processors. AWS provides a DPA as part of its service terms, called the AWS GDPR Data Processing Addendum, which covers processing instructions, security obligations, sub-processor disclosures, and breach notification commitments.

Can I store EU personal data on AWS servers in the US?

You can, but you must have a valid transfer mechanism in place. AWS participates in the EU-US Data Privacy Framework, and its DPA includes Standard Contractual Clauses as a fallback. For the strongest compliance posture, choose EU-based AWS regions and restrict data residency through service configuration.

Which AWS region should I use for GDPR compliance?

Choose an EU region such as eu-west-1 (Ireland), eu-central-1 (Frankfurt), or eu-south-1 (Milan). AWS does not move your data between regions unless you configure it to do so. Using an EU region simplifies compliance by keeping personal data within the EEA.
