The EU-U.S. Data Privacy Framework

On 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). The DPF replaces the EU-U.S. Privacy Shield as a legal mechanism for the transfer of personal data from the EU to organizations in the U.S. participating or certified to the DPF. AWS welcomes the adoption of the adequacy decision for the DPF as a commitment of mutual trust between the U.S. and the EU. The DPF restores legal certainty for transatlantic transfers of personal data under the GDPR and advances strong privacy safeguards. The DPF provides more simplicity and confidence to public and private organizations transferring data from the EU to the U.S.

With the adoption of the adequacy decision, EU organizations are able to transfer personal data to organizations in the U.S. participating in the DPF, without having to put in place additional data protection safeguards.

Yes, AWS has certified to the EU-U.S. Data Privacy Framework (DPF) and adheres to the DPF Principles. You can view the AWS DPF certification here. Please note that to locate the certification, search for “Amazon” in the search bar. AWS is one of the covered entities under the Amazon.com, Inc. certification.

No. The EU-U.S. Privacy Shield is no longer a valid legal mechanism for the transfer of personal data from the EU to the U.S. The EU-U.S. Privacy Shield has been replaced by the EU-U.S. Data Privacy Framework.

In October 2023, the UK issued an adequacy decision on the EU-U.S. Data Privacy Framework (DPF) which established a UK Extension to the DPF. The UK Extension automatically applies to organizations certified under the DPF and means organizations subject to UK GDPR are able to transfer personal data to organizations in the U.S. participating in the DPF, without having to put in place additional data protection safeguards.

On August 14, 2024, the Swiss Federal Council recognized that transfers of personal data to U.S. companies certified under the Swiss-U.S. Data Privacy Framework (DPF) provide an adequate level of data protection, enabling the transfer of personal data to U.S. companies certified to the Swiss-U.S. DPF without additional guarantees (e.g. Standard Contractual Clauses). On September 15, 2024, an amendment to the Federal Act on Data Protection 2020 came into effect, allowing for such transfers.

AWS has certified to the Swiss-U.S. DPF.

More details on the obligations for U.S. organizations under the EU-U.S. Data Privacy Framework can be found on the European Commission site and the Data Privacy Framework Program site.

Customers wishing to contact AWS with any inquiries or complaints about our handling of their personal data under the EU-U.S. Data Privacy Framework can contact U.S. at dataprivacyframework@amazon.com.