
1. My apologies. I was looking at the link from WordPress. Right. As a UK entity you are good.

2. Your subprocessor uses AWS. No way to stay compliant if you transmit visitor IPs to a US cloud (even if they use European servers).

3. Sadly, wrong. You should immediately consult a privacy professional. A DPO is necessary. There are 3 tests.

https://ico.org.uk/for-organisations/does-my-organisation-ne...

Answer to question 2 is yes btw.

You are not compliant without a DPO and because you are using AWS, even if indirectly.




Thank you for your follow up.

1. Glad we're in agreement!

2. We agree it is not GDPR compliant to transmit IP address data to the US. This is why we salt and hash all PII data so no IP address data is sent to the US. Please see our data policy.

https://beamanalytics.io/data

3. Thank you for your suggestion. We have already consulted privacy professionals and have been assured no DPO is required.

Thank you for this conversation about GDPR. We appreciate your interest in Beam's work.


>salt and hash all PII data

Can you share more detail on this? On this page[1], I see this:

  hash(pepper(salt(ip address + user agent data))) = anonymized hashed data
Both the IPv4 space and typical user agent possibilities are pretty small, so it feels like you could easily de-anonymize it when you want to. That is, assuming the "salt" and "pepper" are stored somewhere. I assume you do store them, otherwise it's not helpful to identify repeat visits.

[1] https://beamanalytics.io/data
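To make the objection above concrete, here is an added example (not Beam's code; the hash composition, the salt, the pepper and the candidate addresses are all constructed assumptions). Once the operator retains the salt and pepper, the stored value is a pseudonym rather than an anonymous token: it can be inverted by enumerating candidate (IP, user agent) pairs, here over a single /24 so it runs instantly.

```python
import hashlib
import ipaddress

# Constructed secrets (assumptions, not Beam's values). The scheme needs them
# retained so that repeat visits from the same visitor hash to the same value.
SALT = b"constructed-salt-value"
PEPPER = b"constructed-pepper-value"


def anonymize(ip: str, user_agent: str) -> str:
    """Model of hash(pepper(salt(ip address + user agent))).

    Beam does not publish the exact composition; a single SHA-256 over
    pepper, salt and the concatenated data is assumed here.
    """
    data = f"{ip}|{user_agent}".encode()
    return hashlib.sha256(PEPPER + SALT + data).hexdigest()


def search_space(num_user_agents: int) -> int:
    """Candidate count for the full IPv4 space: 2^32 addresses x UA strings."""
    return (1 << 32) * num_user_agents


def recover(target: str, prefix: str, user_agents: list):
    """Invert a stored hash by enumeration, given the retained salt and pepper.

    Searching one prefix stands in for the full IPv4 space; the cost scales
    linearly with search_space(), which is small for a modern machine.
    """
    for ip in ipaddress.ip_network(prefix):
        for ua in user_agents:
            if anonymize(str(ip), ua) == target:
                return str(ip), ua
    return None


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed UA)"
    stored = anonymize("192.0.2.77", ua)  # what the analytics store would keep
    print(recover(stored, "192.0.2.0/24", [ua, "curl/8.0 (constructed)"]))
    print(f"{search_space(2):,} candidates for the full IPv4 space")
```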


Are you saying there is no way to use AWS and be GDPR compliant? Or the way that OP is using AWS isn't GDPR compliant?


There is a way to use AWS assuming you can assure no Personal Data is processed in plain text on AWS.

There was a case of Doctolib in the EU. The French authority investigated Doctolib for using AWS.

They got off the hook because data was encrypted in the EU, outside of AWS, and the encryption keys were inaccessible to AWS.

Similarly Sendinblue uses GCP and AWS as dumb storage of externally encrypted backups.

There are valid use cases. But these are very limited.


Aula - a system used for communication between parents and schools in Denmark - is using AWS. They use encryption and ensure that only European datacenters are used. Source (in Danish): https://aulainfo.dk/guide-til-projektledere/sikkerhed-i-aula...


IANAL but as I understand it there is, currently, no way to legally use a service for personal data handling that falls under the US CLOUD Act.

In theory Amazon could license their brand and software to an independent (!) European company to offer an EU-AWS.

Basically, if an American judge/agency can order Amazon to hand over European private data and they have the ability to comply without involving a European court, the service is not GDPR compliant.

Now in practice this isn't how things are done, but to the best of my knowledge the law hasn't changed (yet) and national DPAs are starting to tighten the screws (slowly).

If I recall correctly there are EU-US talks to create Privacy Shield #3.



