Thomson Reuters keeps your personal data for as long as it needs to for its stated purposes, legal obligations, or as otherwise permitted by law, rather than for a fixed maximum period.
This analysis describes what Thomson Reuters's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Open-ended retention periods mean personal data may be held for extended periods, particularly where legal or regulatory requirements create long retention obligations, reducing individuals' practical ability to have data deleted.
Interpretive note: The statement does not provide specific retention periods by data category, making it difficult to assess the practical duration of data retention for any given type of personal information.
Your personal information may be retained by Thomson Reuters indefinitely for certain purposes, such as legal compliance, even after you stop using its services or request deletion, with the duration determined by Thomson Reuters based on its assessment of applicable requirements.
How other platforms handle this
We retain personal data for as long as necessary to provide our products and services, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different data types in the context of different pr...
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
Slack (Sees no code data): We use Slack for internal communications. We may discuss logs of data for debugging purposes from users that are not using Zero-data retention mode. Google Workspace (Sees no code data): We use Google Workspace for collaboration. We may discuss logs of data for debugging p...
Monitoring
Thomson Reuters has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements, and as required or permitted by applicable law. When determining how long to retain personal information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure, and applicable legal requirements.— Excerpt from Thomson Reuters's Thomson Reuters Privacy
REGULATORY LANDSCAPE: Data retention engages GDPR's storage limitation principle (Article 5(1)(e)), which requires that personal data not be kept longer than necessary for the specified purpose. CCPA and CPRA require disclosure of retention periods or the criteria used to determine them. Sector-specific retention requirements (such as financial records retention under SEC rules or legal records under professional conduct rules) may extend retention obligations for certain data categories processed by Thomson Reuters. GOVERNANCE EXPOSURE: Medium. The statement does not specify retention periods by data category or processing purpose, which is a gap relative to GDPR best practice and CPRA's disclosure requirements. The reliance on open-ended criteria rather than defined schedules makes it difficult for data subjects or enterprise customers to assess whether their data will be deleted within a reasonable timeframe. JURISDICTION FLAGS: EU and EEA regulators expect specific or ascertainable retention periods documented in Records of Processing Activities. California CPRA requires disclosure of the length of time personal information will be retained or the criteria used. UK ICO guidance similarly expects defined or definable retention periods. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers' DPAs should specify retention periods and deletion timelines for data processed by Thomson Reuters on their behalf, rather than relying on the general policy language. Procurement teams should request a data retention schedule covering the specific data categories processed in their context. COMPLIANCE CONSIDERATIONS: Compliance teams should request Thomson Reuters' data retention schedule for relevant processing activities and confirm it aligns with the enterprise customer's own retention policies. Where Thomson Reuters processes data on behalf of a controller, the DPA should specify that data is deleted or returned within a defined period after termination of services.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Open-ended retention periods mean personal data may be held for extended periods, particularly where legal or regulatory requirements create long retention obligations, reducing individuals' practical ability to have data deleted.
Your personal information may be retained by Thomson Reuters indefinitely for certain purposes, such as legal compliance, even after you stop using its services or request deletion, with the duration determined by Thomson Reuters based on its assessment of applicable requirements.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Thomson Reuters.