The notice states that personal information is retained for as long as necessary to fulfill the purposes described in the notice, to comply with legal obligations such as tax and accounting requirements, or as otherwise communicated to users. No specific retention periods are specified.
This analysis describes what AWS's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a purpose-based and legally required retention framework without specifying concrete retention periods for any category of personal data. The absence of defined retention timelines may complicate data subject deletion requests and may require evaluation under GDPR's storage limitation principle, which requires that data not be kept longer than necessary.
Interpretive note: No specific retention periods are provided in the notice for any category of personal data, creating ambiguity about the operational implementation of the stated purpose-based retention standard.
Under this provision, personal information collected by AWS may be retained for an indefinite period tied to the purposes described in the notice or applicable legal obligations. Users requesting deletion of their data may receive responses indicating that certain data must be retained due to legal or operational requirements, the scope of which is not defined in the notice.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
AWS has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We keep your personal information to enable your continued use of AWS Offerings, for as long as it is required in order to fulfill the relevant purposes described in this Privacy Notice, as may be required by law such as for tax and accounting purposes, or as otherwise communicated to you.— Excerpt from AWS's AWS Privacy Notice
1. REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires that personal data be kept in a form that permits identification for no longer than necessary for the purposes for which it is processed. The absence of specific retention periods may require evaluation under this principle. CCPA does not specify mandatory retention limits but does require that retention practices be consistent with disclosed purposes. FTC guidance on data minimization is relevant. 2. GOVERNANCE EXPOSURE: Low to Medium. Purpose-based retention policies are common in the industry, but the lack of specific retention schedules may create ambiguity in responding to data subject deletion requests where portions of data are retained under legal exception grounds. 3. JURISDICTION FLAGS: GDPR's storage limitation principle creates heightened exposure for EU/EEA resident data processing. Tax and accounting retention requirements vary by jurisdiction and may require localized retention schedules. 4. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request AWS's data retention schedules for any personal data processed under service agreements to ensure alignment with their own retention policies and regulatory obligations. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should request documentation of AWS's operational retention schedules for each category of personal data described in the notice and assess whether these schedules are consistent with the stated purposes. Deletion request workflows should clearly communicate to requestors which data categories are subject to legal retention holds.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a purpose-based and legally required retention framework without specifying concrete retention periods for any category of personal data. The absence of defined retention timelines may complicate data subject deletion requests and may require evaluation under GDPR's storage limitation principle, which requires that data not be kept longer than necessary.
Under this provision, personal information collected by AWS may be retained for an indefinite period tied to the purposes described in the notice or applicable legal obligations. Users requesting deletion of their data may receive responses indicating that certain data must be retained due to legal or operational requirements, the scope of which is not defined in the notice.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS.