Serving users who are bound by professional secrecy (doctors/lawyers etc.)

With our product we may process sensitive information of users, which may constitute a professional secret within the meaning of Section 203 of the German Criminal Code ("third-party secrets"). Examples of such users are doctors or lawyers, whose client data is protected by confidentiality. AWS is a sub-processor for us. We have to oblige all our sub-processors to maintain confidentiality with regard to such data. Do we need to sign additional agreements with AWS, or is the standard data processing agreement enough?

1 Answer
Hi,

Your question is answered in this documentation: https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html

AWS offers a GDPR-compliant AWS Global Data Processing Addendum (GDPR DPA), which 
enables customers to comply with GDPR contractual obligations. The AWS GDPR DPA is 
incorporated into the AWS Service Terms and applies automatically to all customers globally 
who require it to comply with the GDPR whenever customers use AWS services to process personal 
data, regardless of which data protection laws apply to that processing.

And also: https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/the-role-of-aws-under-the-gdpr.html

Best,

Didier

AWS
EXPERT
answered a month ago
EXPERT
reviewed a month ago
AWS
EXPERT
reviewed a month ago
