Ireland: DPC fines Twitter €450,000 for breach notification and documentation failures
The Data Protection Commission ('DPC') announced, on 15 December 2020, its decision to fine Twitter International Company ('TIC') €450,000, after completing its investigation into a data breach, which commenced in January 2019. In particular, the decision finds that TIC failed to meet its obligations under Articles 33(1) and 33(5) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), namely to notify the relevant supervisory authority of the personal data breach and to document the personal data breach, respectively. In relation to TIC's compliance with Article 33(1) of the GDPR, the DPC considered whether TIC, as a data controller, was aware of the data breach, as distinct from Twitter Inc., with which it had an agreement in place to provide data processing services. Specifically, the DPC argued, among other things, that Twitter Inc.'s failure to notify TIC about the breach did not obviate TIC's legal obligation to notify within the timeframe under Article 33(1) of the GDPR, and highlighted that it is the data controller's responsibility to ensure that it has internal systems and procedures in place, including with external parties such as processors, that are configured and followed so as to facilitate prompt awareness and the timely notification of data breaches.
In relation to compliance with Article 33(5) of the GDPR, the DPC considered how TIC had documented the breach, having regard to the requirements under Article 33(5) as well as the breach notification guidance. Specifically, the DPC highlighted, among other things, that the incident report submitted by TIC, which TIC identified as the primary record in which it documented the facts, effects, and remedial action taken in respect of the breach, was deficient for the purpose of verifying TIC's compliance with its obligation as controller under Article 33(1) of the GDPR and Twitter Inc.'s obligation as processor under Article 33(2) of the GDPR to notify the breach.
Finally, based on the issues identified, the DPC issued a corrective measure of €450,000 that meets the requirements of effectiveness, dissuasiveness, and proportionality.
UPDATE (17 December 2020)
EDPB publishes DPC's press release
The European Data Protection Board ('EDPB') published, on 15 December 2020, the DPC's press release.