question

Guillaume Privat avatar image
Guillaume Privat asked

Is Alexa GDPR Compliant?

As part of our GDPR certification as a "data controller", we need to ensure all the services we uses that will handle user data ("data processors") are also GDPR compliant. Has anyone seen any documentation from Alexa certifying that Alexa is GDPR compliant. How would it work? Are there API to delete user ASR/intent history?

alexa skills kitalexa voice service
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

EmmaC@Amazon avatar image
EmmaC@Amazon answered

Thank you for your interest in Amazon Alexa. Maintaining the trust of our customers by protecting their privacy and ensuring the security of their data is a longstanding top priority for Amazon, and we are committed to complying with the GDPR requirements.

For Alexa skills, we are not processing data on your client’s behalf, and your client would not be processing data on our behalf. Amazon is an independent controller of customers’ data. As a developer of an Alexa Skill, your client would also be an independent controller of any customer data made available to your client through a customer’s interaction with its Alexa Skill.

For more information about the difference between a controller and a processor of data, please see https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor_en

For more information about how Amazon uses customer data, please see Amazon.co.uk’s Privacy Notice.

10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

newuser-43f0c794-a24e-4561-8b8e-7d96c1cd5230 avatar image
newuser-43f0c794-a24e-4561-8b8e-7d96c1cd5230 answered

Here is my understanding of how Alexa works: If I create a skill and create slots where I ask the user for his name and phone number, both pieces of information will be captured by Alexa and linked to a unique user/device id. This becomes personal information that Alexa processes on my behalf. As a result, Alexa would be seen as a "data processor" and would need to comply to GDPR rules applying to Data processor. Where am I wrong in my reasoning?

10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Jean Luc Nürrenberg avatar image
Jean Luc Nürrenberg answered
Your skill processes the data, not Alexa. The skills runs either on Amazons servers (Amazon Lambda) or on your own servers (self hosted). Amazon only routes the data from your skill to the device, nothing more.

Based on your example, what actually happens is:

If you create a skill and create slots for name and phone number, once a user "enters"/speaks the data, Amazon transforms the spoken data into a request for the skill and sends it to the skill. The skill does whatever you want it to do with that data (saves it in a database, linking to the device id, etc). Once your skill sends data back, the whole process starts from behind: Your skill sends a response to Amazon, which routes it to the Alexa device.

So, like Xin said, Amazon only acts as a data controller, routing the data to the specified devices. My explanation might be overly simplified, though this is what I have observed.


Hope that clears it up a little :)

10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.