EDPB - Binding Decision 1/2020 - 'Twitter' - 1/2021

| | |
|---|---|
| Authority: | EDPB |
| Jurisdiction: | European Union |
| Relevant Law: | Article 4(24) GDPR; Article 5(1)(f) GDPR; Article 28 GDPR; Article 33(1) GDPR; Article 33(5) GDPR; Article 60(4) GDPR; Article 65(1)(a) GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 09.11.2020 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 1/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | English |
| Original Source: | EDPB website (in EN) |
| Initial Contributor: | n/a |
English Summary
Facts
Following a personal data breach at Twitter, the Irish SA (DPC), acting as lead supervisory authority (LSA), circulated a draft decision to the concerned supervisory authorities (CSAs) under Article 60 GDPR. Several CSAs (FR, DE, DK, IT, NL, ES, HU) raised relevant and reasoned objections and maintained them, and the DPC did not follow them.
The EDPB therefore adopted its first binding decision under Article 65(1)(a) GDPR, addressing each of the objections raised.
Dispute
- Are Twitter, Inc. and TIC (Twitter International Company, the Irish entity) controller, processor, or joint controllers?
- Where is the main establishment of Twitter, and does the DPC therefore have jurisdiction as LSA?
- When is an objection "relevant and reasoned" within the meaning of Article 4(24) GDPR?
- Were provisions of the GDPR other than Article 33(1) and (5) infringed?
Holding
1. On the admissibility of objections concerning the jurisdiction of the DPC and the controller-processor relationship
In essence, these objections argued that the Draft Decision did not contain enough evidence to establish, legally and factually, the roles of the entities concerned.
The EDPB considers that an objection concerning the role, or designation, of the parties can fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR, as this can affect the determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation.
However, the EDPB considers that a challenge to the competence of the supervisory authority acting as LSA should not be raised by way of an objection pursuant to Article 60(4) GDPR, and that such a challenge falls outside the scope of Article 4(24) GDPR.
Moreover, in the present case the EDPB considers that the objections on the roles of the parties do not meet the requirements set out in Article 4(24) GDPR.
2. On the violation of Article 33(1) obligation to notify in due time
According to the Draft Decision, TIC became actually aware of the Breach on 7 January 2019 but should have been aware of it at the latest by 3 January 2019, since on that date Twitter, Inc., acting as processor, first assessed the incident as a potential data breach and the Twitter, Inc. legal team instructed that an incident be opened. The Draft Decision stated that where the processor does not follow the procedure, or the procedure otherwise fails, the controller cannot excuse its own delayed notification on the basis of the processor's fault, since the performance by a controller of its obligation to notify cannot be contingent upon the compliance by its processor with its obligations under Article 33(2) GDPR. This led to a finding of infringement of Article 33(1) GDPR even though less than 72 hours elapsed between the moment at which TIC became actually aware of the Breach (7 January 2019) and the notification (8 January 2019).
The FR SA raised an objection stating that the findings do not correspond to an infringement of Article 33(1) GDPR, but rather of Article 28 or Article 32 GDPR, which set out the obligations of the controller when it decides to have recourse to a processor.
The DE SA argued in its objection that the issue of the allocation of roles affects the determination of the moment of awareness of the Breach, as the knowledge of a breach must be equally attributed to both joint controllers.
The IE SA considers that these objections request consideration of alternative provisions of the GDPR, and that such a request by the CSAs would essentially seek to re-scope the Inquiry it conducted; it concluded that such an objection does not fall within the definition of "relevant and reasoned objection" for the purposes of Article 4(24) GDPR.
Again, the EDPB considered that these objections do not clearly demonstrate the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects, and therefore do not meet the threshold of Article 4(24) GDPR.
3. On the violation of Article 33(5) GDPR
The Draft Decision of the DPC found that TIC did not comply with its obligation under Article 33(5) GDPR to document the Breach, since the documentation furnished by TIC in the course of the inquiry was not considered to contain sufficient information, nor a record or document of, specifically, a "personal data breach", as it amounted to "documentation of a more generalised nature".
According to the IT SA, the finding in the Draft Decision that TIC fully cooperated during the investigative phase should be reviewed, since full cooperation can only be considered to exist if adequate, exhaustive documentation is made available by the controller in a straightforward manner.
The EDPB does not take a position on the merits of the substantive issues raised by this objection, "because it fails to clearly demonstrate the significance of the risks posed by the Draft Decision as it does not show the implications the alleged mistake in the Draft Decision would have for the protected values".
4. On potential alternative or further violations of the GDPR identified by the CSAs (concerned supervisory authorities)
In order to determine whether TIC complied with its obligations under Article 33(1) GDPR, the IE SA considered those obligations in the context of a controller's broader obligations, including accountability (Article 5(2) GDPR), the engagement of a processor (Article 28 GDPR), and the security of processing of personal data (Article 32 GDPR). However, the DPC did not assess whether TIC complied with any of these other obligations except for the purpose of assessing TIC's compliance with Article 33(1) and Article 33(5) GDPR.
The DE, FR, HU, and IT SAs raised objections that TIC infringed other provisions of the GDPR in addition to, or instead of, Article 33(1) and Article 33(5) GDPR.
- Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality
- Infringement of Article 5(2) GDPR on the principle of accountability
- Infringement of Article 24 GDPR on the responsibility of the controller
- Infringement of Article 28 GDPR on the relationship with processors
- Infringement of Article 32 GDPR on the security of the processing
- Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach
- Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject
The LSA (DPC) recalls that it informed TIC at the beginning of the inquiry that its purpose was to verify TIC's compliance with Article 33(1) and Article 33(5) GDPR in respect of its notification of the Breach to the LSA on 8 January 2019. The LSA therefore maintains that if it were to follow the CSAs' objections and include other infringements in its final decision "on the basis of only the material contained in the Draft Decision", this would jeopardise "the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness".