AWS Cloud Services and Data Protection – What Website Operators Need to Know
Compact guide to AWS Cloud Services: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
When a website operator uses Amazon Web Services (AWS) for the storage and processing of data, AWS acts as a processor and processes data for the purpose of providing cloud infrastructure services on the basis of performance of a contract and legitimate interests. AWS is one of the world's largest cloud infrastructure providers and offers hosting, storage, databases and many other services. This guide is aimed at website operators and explains what information about AWS legally belongs in their own privacy policy.
A. Purpose and Function of AWS Cloud Services
Amazon Web Services (AWS) is a comprehensive cloud computing platform that enables website operators to host their applications, databases and storage in the cloud instead of on local servers. AWS offers services such as:
- Compute: EC2 (virtual machines), Lambda (serverless computing)
- Storage: S3 (object storage), EBS (block storage)
- Databases: RDS (relational), DynamoDB (NoSQL)
- Network: CloudFront (CDN), Route 53 (DNS)
- Security: KMS (encryption), IAM (access control)
When a website operator uses AWS, it stores its website data, applications and user data in AWS data centres. AWS processes this data in accordance with the website operator's instructions and acts as a processor.
Integration takes place via contracts between the website operator and AWS. The website operator configures which services it wants to use, and AWS provides the infrastructure and security measures.
B. Mandatory Disclosures in the Privacy Policy regarding AWS Cloud Services
Pursuant to Art. 13(1)(c) GDPR, a website operator must disclose the purposes of processing. Art. 13(1)(d) requires the legal bases, Art. 13(1)(e) the recipients or categories of recipients. Art. 13(1)(f) requires that third-country transfers (e.g. to the USA) be disclosed and justified.
Note: AWS is a universal cloud provider that includes many services. A topic-oriented approach is required here: under "Hosting and Cloud Infrastructure" or "Storage of Personal Data", it should be explained that AWS is used and which data is processed there. A recipient appendix to the privacy policy creates clarity.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of AWS Cloud Services
Legal name (EU): Amazon Web Services EMEA SARL
Address: 38 Avenue John F. Kennedy, L-1855 Luxembourg
Country of registered office: Luxembourg (European Economic Area)
Legal name (worldwide): Amazon Web Services Inc.
Country of registered office (worldwide): USA (Seattle, Washington)
Role: Processor (Data Processor)
DPF status: Amazon Web Services EMEA SARL is not DPF-certified. However, AWS provides a comprehensive AWS Data Processing Addendum (AWS DPA) based on Standard Contractual Clauses (SCCs) for third-country transfers. The DPA documents AWS as a processor and regulates the processing of personal data in accordance with the GDPR.
Privacy policy: https://aws.amazon.com/de/privacy/
GDPR Center: https://aws.amazon.com/compliance/eu-data-protection/
Data Processing Addendum (DPA): AWS provides a standardised DPA that website operators must conclude. The DPA regulates the processing of personal data as a processor, sub-processors, third-country transfers, data security and data subject rights.
D. Data Processing by AWS Cloud Services – Sequence
Collection
The website operator uploads data (website content, customer data, log data, etc.) to AWS systems or stores it there. This data includes everything that the website operator itself transfers to AWS for processing.
Storage
AWS stores the data in its data centres (regions and availability zones). The website operator can configure in which region the data is stored. Typical options are EU regions (e.g. Frankfurt, Ireland) or USA regions. The retention period is unlimited as long as the website operator uses the service.
Use
AWS processes the data in accordance with the website operator's instructions – e.g. for running applications, database queries, backups or analyses. AWS has no independent purpose for the processing (apart from operation and security).
Disclosure
AWS may pass the data on to sub-processors (e.g. for backups, logging, security). A list of sub-processors can be found in AWS documentation. Data may also be processed within the AWS group.
Erasure
The website operator is responsible for erasing the data. AWS deletes the data on instruction or after the service has ended. Retention is possible if the website operator configures this.
E. Data Collected when Using AWS Cloud Services
AWS processes the data that the website operator itself uploads or transfers. Depending on the service used, this can vary considerably. The data can be classified into the following standardised data categories:
- Web server log data: IP addresses, request metadata, error logs, access logs
- Application data: Website content, source code, configuration data, API keys (should be encrypted)
- User data: Customer data, authentication data, contact information, depending on what the operator stores
- Transaction data: Payment data, order data, booking data (should be encrypted)
- Technical metadata: File sizes, modification date, access control, encryption status
- Backup and recovery data: Redundant copies for failover
The exact composition depends on which services the website operator uses and which data it uploads. AWS primarily processes data on the operator's instructions, not independently.
This information is based on provider information and publicly accessible sources (AWS documents its data processing in extensive compliance documentation).
F. Purposes of Use when Using AWS Cloud Services
AWS is generally used for the following purposes:
- Provision of functionality: Hosting the website, running applications, storing data
- Availability and failover: Redundancy, backups, disaster recovery
- Security and abuse protection: Security monitoring, attack detection, encryption
- Performance optimisation: Load balancing, caching, performance monitoring
- Compliance: Compliance reporting, audit logs, data protection documentation
G. Legal Bases for AWS Cloud Services
AWS Cloud Services are an infrastructure service. The following legal bases are relevant for the data processing:
- Performance of a contract (Art. 6(1)(b) GDPR): The use of AWS is typically required to operate the website or digital services. The processing is therefore necessary for the performance of the contract with visitors/customers.
- Legitimate interests (Art. 6(1)(f) GDPR): Insofar as AWS is used for security, availability and performance optimisation, the legitimate interests of the website operator can be invoked.
Note: A case-by-case review is necessary. AWS use generally does not require explicit consent, but is justified through performance of a contract or legitimate interests.
H. Special Features and Notes on AWS Cloud Services
- DPF status and SCCs: AWS EMEA SARL is not DPF-certified. AWS relies on Standard Contractual Clauses (SCCs) for third-country transfers. The AWS DPA documents this. The website operator should ensure that an up-to-date DPA is in place.
- Third-country transfers: AWS data may be processed in USA regions if the website operator configures this. The operator should choose EU regions for sensitive data (e.g. Frankfurt).
- Sub-processors: AWS uses sub-processors (e.g. for backup, logging, security). A list is available in AWS documentation.
- Data security: AWS implements extensive security measures (ISO 27001, SOC 2, encryption, etc.) and documents these in compliance reports.
- Customer control: The website operator retains full control over the data and can retrieve, modify or delete it at any time.
- Schrems II compliance: AWS provides tools and documentation for compliance with the Schrems II ruling (e.g. encryption, contractual safeguards, supplementary measures).
I. FAQ on AWS Cloud Services
J. Conclusion and Recommendations on AWS Cloud Services
AWS Cloud Services are essential infrastructure tools for websites and digital applications. From a data protection perspective, AWS is to be treated as a processor, since AWS processes the data in accordance with the website operator's instructions and has no independent purpose.
A complete Data Processing Addendum (DPA) between the website operator and AWS EMEA SARL is required. The DPA regulates the processing of personal data, sub-processors, third-country transfers and security measures.
A topic-oriented approach in the privacy policy that explains under "Hosting and Cloud Infrastructure" that AWS is used for hosting is sufficient. A recipient appendix to the privacy policy further increases clarity.
Website operators should ensure when configuring AWS that EU regions are chosen for sensitive data and that encrypted connections and access control are implemented.
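The three configuration points above (EU region, encrypted connections, access control) can be verified mechanically rather than by inspection. The following Python script is an added example and not code from this guide, from matterius or from AWS: it evaluates the configuration of S3 buckets against those points, plus default encryption at rest, and reports any gaps. The bucket descriptions are constructed sample data; the set of EU region codes, the bucket names and the field layout are assumptions. In practice the same fields would be read from the S3 API (boto3's get_bucket_location, get_bucket_policy, get_public_access_block and get_bucket_encryption).

```python
"""Check S3 bucket configuration against the guide's recommendations:
EU region, TLS-only access, blocked public access, default encryption at rest.
Added example with constructed sample data; the field layout mirrors the
S3 API responses but is an assumption, not a library contract."""
import json

# Assumption: region codes located in EU member states. Maintain this set yourself.
EU_REGIONS = {"eu-central-1", "eu-west-1", "eu-west-3",
              "eu-north-1", "eu-south-1", "eu-south-2"}

# The four flags of an S3 public access block; all must be true.
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields such as Action and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def denies_plain_http(policy, bucket):
    """True if a statement denies every action on the bucket and its objects
    when the request is not made over TLS (aws:SecureTransport == false)."""
    if not policy:
        return False
    if isinstance(policy, str):          # get_bucket_policy returns a JSON string
        policy = json.loads(policy)
    arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        principal = stmt.get("Principal")
        if principal != "*" and principal != {"AWS": "*"}:
            continue
        if "s3:*" not in _as_list(stmt.get("Action")):
            continue
        if not {arn, arn + "/*"} <= set(_as_list(stmt.get("Resource"))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def check_bucket(cfg):
    """Return a list of findings for one bucket; an empty list means the
    bucket satisfies all four checks."""
    findings = []
    name = cfg["Name"]
    region = cfg.get("Region")
    if region not in EU_REGIONS:
        findings.append(f"{name}: region {region} is outside the EU region set")
    if not denies_plain_http(cfg.get("Policy"), name):
        findings.append(f"{name}: bucket policy does not deny non-TLS requests")
    pab = cfg.get("PublicAccessBlock", {})
    missing = [f for f in PUBLIC_ACCESS_FLAGS if not pab.get(f, False)]
    if missing:
        findings.append(f"{name}: public access not fully blocked ({', '.join(missing)})")
    rules = cfg.get("Encryption", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append(f"{name}: no default server-side encryption configured")
    return findings


def audit(buckets):
    """Map each bucket name to its findings."""
    return {b["Name"]: check_bucket(b) for b in buckets}


# Constructed sample policy: the standard "deny unless TLS" statement.
TLS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-customer-data",
                     "arn:aws:s3:::example-customer-data/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
TLS_ONLY_POLICY_JSON = json.dumps(TLS_ONLY_POLICY)   # as the API would return it

# Constructed sample buckets: one compliant (Frankfurt), one with every gap.
SAMPLE_BUCKETS = [
    {"Name": "example-customer-data", "Region": "eu-central-1",
     "Policy": TLS_ONLY_POLICY_JSON,
     "PublicAccessBlock": {f: True for f in PUBLIC_ACCESS_FLAGS},
     "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                               {"SSEAlgorithm": "aws:kms"}}]}},
    {"Name": "example-legacy-uploads", "Region": "us-east-1", "Policy": None,
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": False},
     "Encryption": {}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The region check is deliberately an allow-list: a bucket in any region not in the set is reported, so a new region must be reviewed before it is added. The TLS check looks only for the well-known Deny pattern; a policy that reaches the same effect by other means would be reported as a gap and should be reviewed by hand.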
This article is for general information purposes on AWS Cloud Services and does not replace legal advice in individual cases. The information is based on provider information and publicly accessible sources (status: 2026-04-22). Website operators should coordinate their privacy policy and their contracts with AWS with a data protection officer or lawyer.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com