When you require users to upload files that may contain personal data, you'll want to comply with the GDPR. You have to think about data retention, encryption, logging, etc. This is where AWS S3 comes in handy because it can provide all of those.

Lifecycle rules

Imagine you're asking people to upload their resumé and you only want to keep that resume for a few months, long enough for you to process it.

With lifecycle rules you can enforce a data retention policy, ensuring that certain files will be deleted after certain periods of time. This saves you from having to deal with setting up crons to clean up files


The bucket you upload the sensitive documents to should be encrypted and not be public. Enabling S3 encryption is not that hard, depending on how you would like to encrypt. It can be done using server-side encryption, which means Amazon S3 will do everything for you. Or using client-side encryption, which means you encrypt the file before sending it to S3.

Limit access

You should limit access to the bucket, avoid making this bucket public at all costs and use Amazon S3's pre-signed URL's to generate a temporary URL to a specific file. You'll have a URL to download a file that only works for the amount of time you specified when generating it.


Amazon S3 also provides some logging features, one of those options is access logging which you can set up using a few clicks. Additionally, there is API call logging using Amazon CloudTrail.


Amazon S3 provides all the tools you need to have users upload documents that may contain personal information while still being compliant with the GDPR, without having to implement all previously mentioned things yourself, saving much of the development costs.

Side note

A handy tool to upload directly to Amazon S3 is Uppy, using this, the uploaded files will never have to be sent to your own servers!