Amazon's International data transfer framework is confirmed EU compliant
Published 1 April 2015
Amazon Web Services (AWS) Data Processing Agreement has been approved by WP29 as sufficient to meet the requirements of Article 236 of 95/46/EC: the provision prohibiting transfers of Personal Data outside the EEA unless an adequate level of protection is in place, implemented in the UK as Principle 8 of the DPA.
In the letter issued to AWS, WP29 states, “The EU Data Protection Authorities have analysed the arrangement proposed by Amazon Web Services” and “have concluded that the revised Data Processing Addendum is in line with Standard Contractual Clause 2010/87/EU and should not be considered as ‘ad-hoc’ clauses.”
This means that AWS customers, entering into the AWS Addendum will satisfy the requirements of the 8th Principle of the DPA in the UK or its equivalent across Europe, without the need for additional authorisation from the local DPA.
The Dutch data protection authority, the CNPD, acting as the lead authority in this WP29 opinion pointed out that its confirmation was not a determination that all of Amazon's contractual arrangements are compliant with all EU data protection requirements.
To view the CNPD's announcement, please click here.
To view the letter to Amazon Web Services, please click here.