TL;DR
Amazon is a global technology and e-commerce company that can be considered GDPR-compliant, but this depends on how its services are used. As both a data controller (www.Amazon.com) and a data processor (e.g., through AWS), Amazon offers several built-in privacy and security features to meet GDPR standards.
Understanding Amazon’s Role in GDPR
Founded in 1994 by Jeff Bezos, Amazon has evolved from an online bookstore into one of the world's most powerful tech platforms. With services ranging from e-commerce and digital streaming to cloud infrastructure, Amazon collects, stores, and processes vast amounts of data globally.
Here’s why GDPR compliance is important when using Amazon services:
Amazon is a data controller when handling customer data directly via www.Amazon.com, Prime Video, or Alexa devices.
Amazon is a data processor when customers use AWS to process their own users’ data (e.g., SaaS companies hosting apps on AWS).
Data Processing Addendums (DPAs)
Amazon offers GDPR-compliant DPAs for both AWS and retail operations, outlining responsibilities and liabilities related to data processing.
AWS customers can review and accept the DPA directly in their AWS accounts.
Amazon retail customers can view privacy notices that explain how their personal data is used, stored, and shared.
Read AWS GDPR Center
Data Encryption & Control
Amazon implements encryption in transit and at rest, access management tools, and other security best practices across its services.
AWS offers fine-grained access controls, data residency options, and encryption key management (KMS).
www.Amazon.com uses HTTPS and encryption protocols to protect transactions and personal information.
International Data Transfers
Amazon uses Standard Contractual Clauses (SCCs) to facilitate data transfers outside the EU/EEA. AWS also participates in the EU-US Data Privacy Framework via its parent company.
This ensures that your data hosted or processed by Amazon services remains compliant, even when transferred outside the EU.
Individual Rights Management
Amazon supports all data subject rights under GDPR:
Right to access: Users can request a copy of their personal data.
Right to erasure: Data can be deleted upon request.
Right to rectification and restriction: Users can correct or limit processing.
For AWS, users must build processes that handle these rights in apps they host.
Amazon Privacy Help Page
How GDPR Applies to Amazon Services
Let’s break down the GDPR implications by Amazon product:
Amazon Service | GDPR Role | Your Responsibility
www.Amazon.com | Data Controller | Read Amazon's privacy policy; no action needed unless you're a seller
Amazon Marketplace (Seller Central) | Data Controller / Processor | Ensure seller data processing meets GDPR
AWS | Data Processor | You are the controller; you must ensure GDPR-compliant configurations
Prime Video / Alexa / Kindle | Data Controller | End users rely on Amazon’s policy & controls
Amazon Business | Data Controller | Ensure internal policies align with how data is used
Does Using Amazon Require a Cookie Banner?
Yes, if you embed any Amazon widgets, ads, or affiliate tools on your website (e.g., Amazon Affiliate banners), you likely need a cookie consent banner under GDPR and ePrivacy Directive guidelines.
However, just using AWS as backend hosting does not require a cookie banner.
Monitoring Security & Breach Reporting
Under Article 33 of GDPR, any data breach must be reported to the relevant supervisory authority and, in some cases, to the affected individuals.
Amazon maintains high security standards, with certifications like:
SOC 1, SOC 2, SOC 3
ISO 27001, 27017, 27018
PCI-DSS compliance (for e-commerce)
That said, if you host on AWS, you are responsible for breach notifications related to your data.
What Amazon’s GDPR Page Says
Source: AWS GDPR Center
Amazon outlines key GDPR responsibilities, including:
Contractual commitments under the GDPR.
Security controls and infrastructure investments.
Clear instructions for customers to manage, export, and delete data.
Participation in lawful international data transfer mechanisms (SCCs and DPF).
AWS also offers a whitepaper detailing shared responsibilities.
Who Needs to Care?
Developers
Hosting apps or services on AWS? Then you control your users’ data and must ensure GDPR compliance.
Businesses
Using Amazon Seller Central, Business, or Marketplace? Make sure you follow Amazon’s guidelines and include Amazon as a data processor or sub-processor in your privacy policy.
Consumers
Amazon provides privacy controls for your account, like downloading your data, managing ad preferences, or deleting your Alexa history.
Final Thoughts
Amazon, as a global tech leader, has built-in tools and policies to meet GDPR requirements. But compliance depends on how you use Amazon's services, especially if you're a developer or business leveraging AWS or Seller Central.
For consumers, Amazon’s platform offers easy-to-use privacy controls and a transparent privacy policy.
Who Are We?
We’re Simple Analytics, a privacy-first alternative to Google Analytics that’s 100% GDPR-compliant out of the box.
