Data Subject Rights (EU and California)

What it is

If you are in the EU, UK, or California, you have legal rights to see what data AWS holds about you, correct mistakes, request deletion, and in California, opt out of your data being sold or shared for advertising purposes.

Why it matters (compliance & governance perspective)

These rights are legally enforceable under GDPR and CCPA, meaning AWS is required to respond to valid requests within defined timeframes, giving you meaningful control over your personal information if you choose to exercise these rights.

Consumer impact (what this means for users)

EU and California residents can formally request that AWS disclose, correct, or delete their personal information, and California residents can opt out of data sharing for behavioral advertising purposes, providing concrete mechanisms to exercise privacy rights.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: GDPR Articles 15 through 22 grant EU and EEA data subjects rights of access, rectification, erasure, restriction, portability, and objection, with defined response timeframes. CCPA and CPRA grant California residents rights of access, deletion, correction, portability, and opt-out from sale or sharing, enforced by the California Privacy Protection Agency and the California Attorney General. The UK GDPR mirrors EU rights for UK data subjects. AWS as a data controller for marketing and website data is directly obligated to respond to these requests. GOVERNANCE EXPOSURE: Medium. AWS's obligations as a data controller for its own marketing and website operations are distinct from its role as a data processor for customer workloads. Enterprise customers whose employees or end users submit rights requests directly to AWS may find those requests redirected, as AWS's processing of customer-uploaded data is governed by separate DPA terms. This distinction should be clearly understood in vendor contracts. JURISDICTION FLAGS: EU and EEA residents have the most comprehensive enforceable rights framework. California residents have CCPA and CPRA rights. UK residents have UK GDPR rights. Other jurisdictions such as Brazil under LGPD and Canada under PIPEDA may have analogous rights that are not explicitly addressed in this policy, creating potential gaps for global users. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should confirm that their AWS DPA addresses data subject rights requests for customer-processed data, including response timeframes and assistance obligations, and that internal processes are in place to route and fulfill requests within statutory deadlines. COMPLIANCE CONSIDERATIONS: Legal teams should verify that AWS's data subject request intake process is functional and responsive, document the response timelines committed to in the policy, and ensure internal data mapping is sufficient to fulfill access and portability requests within GDPR's 30-day and CCPA's 45-day response windows.

Applicable agencies

Provision details

Other risks in this policy

• Personal Information Collection medium
• Third-Party Data Sharing medium
• International Data Transfers medium
• Cookies and Tracking Technologies medium
• Corporate Transaction Disclosure low
• Marketing Communications low