C024 Amazon (Luxemburg)

Data Security
Case project
Filing DPA
Amazon (Luxemburg)
Case status
Pending (4 years and more)
Filed: (4 years 5 months ago)

noyb submitted a complaint to the supervisory authority of the state of Hessia in Germany on behalf of an Amazon seller, as the GDPR requires companies to implement “appropriate” security measures, such as encryption, to protect the confidentiality of communications. As TLS encryption is very cheap and simple to implement and the number of sellers and customers on Amazon is very high, it seems inappropriate to neither require not allow TLS for emails. Surprisingly, the Amazon servers reject TLS connections in certain cases, for example when third party sellers on Amazon communicate with customers vie email. This means that millions of emails that are sent via Amazon may be exposed.

Date Summary
Email to Bayern DPA
Information that SA will call LU SA to move the procedure forward.
Asking for update
update request with the Bayern DPA
Bayern DPA informs that Lux DPA is the LSA
DSB confirms Bayern DPA is the German LSA
Complaint filed