EDPB - Binding Decision 1/2020 - 'Twitter'
- 1/2021 | |
---|---|
Authority: | EDPB |
Jurisdiction: | European Union |
Relevant Law: | Article 4(24) GDPR Article 5(1)(f) GDPR Article 28 GDPR Article 33(1) GDPR Article 33(5) GDPR Article 60(4) GDPR Article 65(1)(a) GDPR |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 09.11.2020 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 1/2021 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | English |
Original Source: | EDPB website' (in EN) |
Initial Contributor: | n/a |
English Summary
Facts
After a data breach that occurred with Twitter, the IE SA (DPC) issued a draft decision to the other SAs. They sustained their relevant and reasoned objections under Article 60 GDPR (FR, DE, DK, IT, NL, ES, HU).
Therefore, the EDPB issued its first decision under Article 65(1)(a) GDPR and answers to all the objections of the SAs.
Dispute
- Are Twitter Inc and TIC (Twitter Ireland) controller, processor, or joint controllers ?
- Where is the main establishment of Twitter, and therefore does the DPC have jurisdiction ?
- When is a relevant and reasoned objection admissible under Article 4(24) GDPR ?
- Can we hold violations of the GDPR other than Article 33(1) and (5) ?
Holding
1. On the admissibility of an objection, the jurisdiction of the DPC, the controller-processor relationship
In essence, the objections raised addressed the fact that the Draft Decision does not contain enough evidence to legally and factually establish the roles of the entities concerned.
The EDPB considers that an objection concerning the role, or designation, of the parties can fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR, as this can affect the determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation.
However, the EDPB considers that an objection on the competence of the supervisory authority acting as LSA should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR.
Moreover, the EDPB considers that the aforementioned objections do not meet the requirements set out in Article 4(24) GDPR.
2. On the violation of Article 33(1) obligation to notify in due time
According to the Draft Decision, therefore, TIC became actually aware of the Breach on 7 January 2019 but should have been aware of the Breach at the latest by 3 January 2019, since on that date Twitter, Inc. as processor first assessed the incident as being a potential data breach and the Twitter, Inc. legal team instructed that the incident be opened. The Draft Decision stated that where the processor does not follow the procedure or the procedure fails otherwise the controller cannot excuse its own delayed notification on the basis of the processor’s fault, as the performance by a controller of its obligation to notify cannot be contingent upon the compliance by its processor with its obligations under Article 33(2) GDPR. This led to the infringement of Article 33(1) GDPR even if less than 72 hours elapsed between the moment at which TIC became actually aware of the Breach (7 January 2019) and the notification (8 January 2019).
The FR SA raised an objection stating that the findings do not correspond to an infringement of Article 33(1) GDPR, but rather of Article 28 or Article 32 GDPR, which set out the obligations of the controller when it decides to have recourse to a processor.
The DE SA argued in its objection that the issue of the allocation of roles affects the determination of the moment of awareness of the Breach, as the knowledge of a breach must be equally attributed to both joint controllers.
The IE SA considers that it requests consideration of alternative provisions of the GDPR and that the request by CSAs to consider alternate provisions of the GDPR, would essentially seek to re-scope the Inquiry conducted: the IE SA concluded that such an objection does not fall within the definition of “relevant and reasoned objection” for the purposes of Article 4(24) GDPR.
Again, the EDPB considered that the raised objections do not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects.
3. On the violation of Article 33(5) GDPR
The Draft Decision of the DPC found that TIC did not comply with its obligations under Article 33(5) GDPR to document the Breach, since the documentation furnished by TIC in the course of the inquiry was not considered to contain sufficient information and was not considered to contain a record or document of, specifically, a “personal data breach”, as they amounted to “documentation of a more generalised nature.
According to the IT SA, the finding in the Draft Decision that TIC provided full cooperation during the investigative phase should be reviewed as such full cooperation can only be considered to exist if adequate, exhaustive documentation is made available by the controller in a straightforward manner.
The EDPB does not take a position on the merit of the substantial issues raised by this objection " because it fails to clearly demonstrate the significance of the risks posed by the Draft Decision as it does not show the implications the alleged mistake in the Draft Decision would have for the protected values".
4. On potential alternative or further violations o the GDPR identified by the CSAs (concerned authorities)
In order to determine whether TIC complies with its obligations under Article 33(1) GDPR, the IE SA considered them in the context of a controller's broader obligations, including those of accountability (Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR). However, the DPC did not consider whether or not TIC complied with any or each of these obligations other than for the purpose of assessing TIC’s compliance with its obligations under Article 33(1) and Article 33(5) GDPR.
The DE, FR, HU, and IT SAs raised objections that TIC infringed other provisions of the GDPR in addition to, or instead of, Article 33(1) and Article 33(5) GDPR.
The LSA (DPC) recalls that it informed TIC at the beginning of the inquiry that its purpose was to verify TIC’s compliance with Article 33(1) and Article 33(5) GDPR in respect of its notification of a Breach to the LSA 8 January 2019. Therefore, the LSA maintains that if it were to follow the CSAs’ objections and include other infringements in its final decision “on the basis of only the material contained in the Draft Decision”, this would result in jeopardising “the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness.
The other provisions being addressed by the objections of the SAs are the following:
- Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality
- The EDPB considers the objection raised by the DE SA in relation to the potential additional infringement of Article 5(1)(f) GDPR to be relevant and reasoned for the purposes of Article 4(24) GDPR, but considers the HU SA’s objection in relation to the same topic does not meet the requirements of Article 4(24)
- Infringement of Article 5(2) GDPR on the principle of accountability
- The EDPB considered that the IT SA’s objection on Article 5(2) GDPR meets the requirements set out in Article 4(24) GDPR. The EDPB will therefore analyse the merits of the substantial issues raised by this objection
- Infringement of Article 24 GDPR on the responsibility of the controller
- The EDPB accepts that an objection may challenge the conclusion of the LSA, by considering that the LSA’s findings actually lead to the conclusion that another provision of the GDPR has been infringed in addition to or instead of the provision identified by the LSA. The EDPB considers that this is precisely the essence of the DE SA’s objection, hence not preventing it from being relevant and reasoned. Therefore, the EDPB is assessing the merit of the substantial issues raised by this objection
- Infringement of Article 28 GDPR on the relationship with processors.
- According to the EDPB, the objections of FR and IT do not clearly demonstrate the significant risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects with specific regard to the failure to conclude on the infringement of this specific provision
- Infringement of Article 32 GDPR on the security of the processing
- According to the EDPB, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the confidentiality of personal data and that a large number of persons were concerned for a substantial period of time. However, the objections of the FR and HU DPA do not meet the requirement of Article 4(24) GDPR.
- Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing
- According to the EDPB, the DE SA does not clearly demonstrate the significant risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. As a consequence, the DE SA’s objection on Article 33(3) GDPR fails to meet the requirements set out in Article 4(24) GDPR
- Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject
- The HU SA considers that, if changed, the Draft Decision would lead to the conclusion of additional infringements of GDPR. However, the EDPB concludes that the HU SA does not clearly demonstrate the significant risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects
The Board analyses the objections found being relevant and reasoned - in particular the DE SA’s objections on Article 5(1)(f), Article 24 and 32 GDPR, as well the IT SA’s objection on Article 5(2) GDPR - as well as the LSA’s response to those objections and the TIC submissions. The Board considers that the available factual elements included in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of further (or alternative) infringements of Article 5(1)(f), 5(2), 24 and 32 GDPR. Even in case of an own-volition inquiry, the Guidelines on reasoned and relevant objections state that LSA “should seek consensus regarding the scope of the procedure (i.e. the aspects of data processing under scrutiny) prior to initiating the procedure formally”138, including in the context of a possible new proceeding. The EDPB also recalls the existence of a full range of the cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR), bearing in mind the goal of reaching consensus within the cooperation mechanism and the need to exchange all relevant information, with a view to ensuring protection of the fundamental rights and freedoms of data subjects. The EDPB considers that in determining the scope of the inquiry, whilst it can be limited, a LSA should frame it in such a way that it permits the CSAs to effectively fulfil their role, alongside the LSA, when determining whether there has been an infringement of the GDPR.
5. On the lack of reprimand in the draft decision
The proposed corrective powers to be imposed were both a reprimand, pursuant to Article 58(2)(b) GDPR, and an administrative fine, pursuant to Article 58(2)(i) GDPR, the final Draft Decision consists of the imposition only of an administrative fine on TIC as the controller
The LSA decided, having regard to the scope of the inquiry that focussed on the controller’s obligations in relation to the Breach notification, that its inquiry “did not involve a finding that the underlying ‘processing operations’ relating to the Breach infringed [...] the GDPR” . Therefore, the LSA considered that there was no reason to review its decision to not issue a reprimand in light of the DE SA’s objection.
The EDPD considered anyway that the objection by the DE SA did not meet the requirement of Article 4(24) GDPR since it does not provide motivation on how the failure to impose a reprimand in this specific case - where a fine is also imposed - may trigger risks for data subjects’ fundamental rights and freedoms.
6. On the calculation of the fine
Considering all the factors of Article 83(2) GDPR, the IE SA proposed to impose an administrative fine within the range of 150,000-300,000 USD, i.e. between 0.005% and 0.01% of the undertaking’s annual turnover or between 0.25% and 0.5% of the maximum amount of the fine which may be applied in respect of these infringements. This equates to a fine in Euro of between 135,000 and 275,000.
- AT SA considers the range of fine proposed by the IE SA neither effective, nor dissuasive, nor proportionate
- DE SA raised an objection arguing that the fine proposed by the LSA is “too low” and “does not comply with the provisions of Article 83(1) GDPR. As Twitter’s business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would therefore have to be so high that it would render the illegal data processing unprofitable. On the basis of the fine concept applicable to the DE SAs, the fine for the infringement described in the Draft Decision would range from approximately EUR 7,348,035.00 to EUR 22,044,105.00
- HU SA argued that, although “fines are justified for the committed infringements”, “the fine set out in the draft is unreasonably low, disproportionate and thus not dissuasive in view of the gravity of the committed infringement and the Controller’s worldwide market power
- IT SA asked the LSA to “review the draft decision as also related to quantification of the administrative fine, taking also account of specific aggravating elements of the case with regard to the nature of the data controller and the severity and duration of the data breach
Decision of the EDPB on the above:
- The EDPB agrees with the position of the IE SA’s assessment according to which the controller cannot be expected to have become aware at the moment its processor has realised that a security incident has occurred.
- The EDPB considers that a company for whom the processing of personal data is at the core of its business activities should have in place sufficient procedures for the documentation of personal data breaches, including remedial actions, which will enable it to also comply with the duty of notification under Article 33(1) GDPR. This element implies an additional element to take into consideration in the analysis of the gravity of the infringement.
- While the LSA in its Draft Decision made reference to the requirement that the file must be dissuasive and proportionate, the EDPB considers that the LSA did not sufficiently substantiate how the fine proposed addresses these requirements. In particular, the EDPB notes that the LSA moves from calculating the maximum amount of the fine (set at $60 million) to stating the proposed fining range (set between $150.000,- and $300.000,-), without further explanation as to which particular elements led the LSA to identify this specific range224 . Beyond the general reference to the relevant factors of Article 83 (2) GDPR, there is not a clear motivation for the choice of the proposed percentage (between 0.25% and 0.5%) of the maximum applicable fine under Article 83(4) GDPR
- In this regards, the EDPB has elaborated above the reasons to why the LSA in its Draft Decision should have given greater weight to the element relating to the nature, scope and negligent character of the infringement and therefore consider that the proposed fine range should be adjusted accordingly
- the EDPB considers that the fine proposed in the Draft Decision is too low and therefore does not fulfil its purpose as a corrective measure, in particular it does not meet the requirements of Article 83(1) GDPR of being effective, dissuasive and proportionate
- the EDPB requests the IE SA to re-assess the elements it relies upon to calculate the amount of the fixed fine225 to be imposed on TIC so as to ensure it is appropriate to the facts of the case
7. Sumamry of the decision
On the objections concerning the qualification of controller and processor and the competence of the LSA:
The EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised, as they do not meet the requirements of Article 4(24) GDPR.
On the objections concerning the infringements of Article 33(1) and 33(5) GDPR found by the LSA:
In relation to the objection of the FR SA on the absence of an infringement of Article 33(1) GDPR, the objection of the DE SA on the determination of the dies a quo for the infringement of Article 33(1) GDPR, and the objection of the IT SA relating to the infringement of Article 33(5) GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR.
On the objections relating to the possible further (or alternative) infringements of the GDPR identified by the CSAs:
- In relation to the objection of the DE SA on the possible infringements of Article 5(1)(f), Article 24, and Article 32 GDPR, and to the objection of the IT SA on the possible infringement of Article 5(2) GDPR, the EDPB decides that, while they meet the requirements of Article 4(24) GDPR, the IE SA is not required to amend its Draft Decision because the available factual elements included in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of infringements of Articles 5(1)(f), Article 5(2), Article 24, and Article 32 GDPR.
- In relation to the objection of the DE SA relating to the possible infringement of Article 33(3) GDPR, the objection of the FR SA relating to the possible infringement of Article 28 and Article 32 GDPR, the objection of the HU SA relating to the possible infringement of Article 5(1)(f), Article 32, and Article 34 GDPR, and the objection of the IT SA relating to the possible infringement of Article 28 GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR.
On the objection concerning the decision of the LSA to not issue a reprimand
In relation to the objection of the DE SA concerning the decision of the IE SA not to issue a reprimand, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR.
On the objection concerning the calculation of the fine suggested by the LSA:
- In relation to the objection of the HU on the insufficiently dissuasive nature of the fine, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR.
- In relation to the objection of the AT SA, the objection of the DE SA, and the objection of the IT SA on the insufficiently dissuasive nature of the fine, the EDPB decides that they meet the requirements of Article 4(24) GDPR and that the IE SA is required to re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on TIC, and to amend its Draft Decision by increasing the level of the fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality established by Article 83(1) GDPR and taking into account the criteria of Article 83(2) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Adopted 1 Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR Adopted on 09 November 2020 Adopted 2 Table of contents 1 Summary of the dispute.................................................................................................................. 5 2 Conditions for adopting a binding decision..................................................................................... 8 2.1 Objection(s) expressed by CSA(s) in relation to a draft decision ............................................ 8 2.2 The LSA does not follow the relevant and reasoned objections to the draft decision or is of the opinion that the objections are not relevant or reasoned ........................................................... 8 2.3 Conclusion ............................................................................................................................... 9 3 The Right to good administration.................................................................................................... 9 4 On the qualification of controller and processor and the competence of the LSA ........................ 9 4.1 Analysis by the LSA in the Draft Decision................................................................................ 9 4.2 Summary of the objections raised by the CSAs..................................................................... 10 4.3 Position of the LSA on the objections ................................................................................... 11 4.4 Analysis of the EDPB.............................................................................................................. 13 4.4.1 Assessment of whether the objections were relevant and reasoned .......................... 13 4.4.2 Conclusion ..................................................................................................................... 16 5 On the infringements of the GDPR found by the LSA ................................................................... 17 5.1 On the findings of an infringement of Article 33(1) GDPR.................................................... 17 5.1.1 Analysis by the LSA in the Draft Decision...................................................................... 17 5.1.2 Summary of the objections raised by the CSAs............................................................. 18 5.1.3 Position of the LSA on the objections ........................................................................... 19 5.1.4 Analysis of the EDPB...................................................................................................... 19 5.2 On the findings of an infringement of Article 33(5) GDPR.................................................... 20 5.2.1 Analysis by the LSA in the Draft Decision...................................................................... 20 5.2.2 Summary of the objections raised by the CSAs............................................................. 20 5.2.3 Position of the LSA on the objections ........................................................................... 21 5.2.4 Analysis of the EDPB...................................................................................................... 21 6 On potential further (or alternative) infringements of the GDPR identified by the CSAs ............ 22 6.1 Analysis by the LSA in the Draft Decision.............................................................................. 22 6.2 Summary of the objections raised by the CSAs..................................................................... 22 6.2.1 Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality. 22 6.2.2 Infringement of Article 5(2) GDPR on the principle of accountability .......................... 22 6.2.3 Infringement of Article 24 GDPR on the responsibility of the controller...................... 23 6.2.4 Infringement of Article 28 GDPR on the relationship with processors......................... 23 6.2.5 Infringement of Article 32 GDPR on the security of the processing ............................. 23 Adopted 3 6.2.6 Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing .......................................................................................... 24 6.2.7 Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject............................................................................................................................. 24 6.3 Position of the LSA on the objections ................................................................................... 24 6.4 Analysis of the EDPB.............................................................................................................. 25 6.4.1 Assessment of whether the objections were relevant and reasoned .......................... 25 6.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and reasoned objections and conclusion............................................................................................. 31 7 On the corrective measures decided by the LSA - in particular, the imposition of a reprimand.. 32 7.1 Analysis by the LSA in the Draft Decision.............................................................................. 32 7.2 Summary of the objections raised by the CSAs..................................................................... 33 7.3 Position of the LSA on the objections ................................................................................... 33 7.4 Analysis of the EDPB.............................................................................................................. 34 7.4.1 Assessment of whether the objections were relevant and reasoned .......................... 34 7.4.2 Conclusion ..................................................................................................................... 34 8 On the corrective measures - in particular, the calculation of the administrative fine................ 34 8.1 Analysis by the LSA in the Draft Decision.............................................................................. 34 8.2 Summary of the objections raised by the CSAs..................................................................... 38 8.3 Position of the LSA on the objections ................................................................................... 39 8.4 Analysis of the EDPB.............................................................................................................. 40 8.4.1 Assessment of whether the objections were relevant and reasoned .......................... 40 8.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and reasoned objections...................................................................................................................... 42 8.4.3 Conclusion ..................................................................................................................... 45 9 Binding Decision ............................................................................................................................ 45 10 Final remarks................................................................................................................................. 47 Adopted 4 The European Data Protection Board Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”)1 , Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 20182 , Having regard to Article 11 and Article 22 of its Rules of Procedure3 , Whereas: (1) The main role of the European Data Protection Board (hereinafter the “EDPB” or the “Board”) is to ensure the consistent application of the GDPR throughout the EEA. To this effect, it follows from Article 60 GDPR that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other supervisory authorities concerned (hereinafter “CSAs”) in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views. (2) Where any of the CSAs expressed a reasoned and relevant objection (“RRO”) on the draft decision in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the RRO or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR. (3) Pursuant to Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters which are the subject of the RROs, in particular whether there is an infringement of the GDPR. (4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) of the EDPB Rules of Procedure, within one month after the Chair and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of the subject-matter upon decision of the Chair on its own initiative or at the request of at least one third of the members of the EDPB. (5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members. 1 OJ L 119, 4.5.2016, p. 1. 2 References to “Member States” made throughout this decision should be understood as references to “EEA Member States”. References to “EU” should be understood, where relevant, as references to “EEA”. 3 EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020. Adopted 5 1 SUMMARY OF THE DISPUTE 1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. The decision concerns the dispute arisen following a draft decision (hereinafter “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”, also referred to in this context as the “LSA”) and the subsequent objections expressed by a number of CSAs (“Österreichische Datenschutzbehörde”, hereinafter the “AT SA”; “Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”4 , hereinafter the ”DE SA”; “Datatilsynet”, hereinafter the “DK SA”; “Agencia Española de Protección de Datos", hereinafter the “ES SA”; “Commission Nationale de l'Informatique et des Libertés", hereinafter the “FR SA”; “Nemzeti Adatvédelmi és Információszabadság Hatóság”, hereinafter the “HU SA”; “Garante per la protezione dei dati personali", hereinafter the “IT SA”; “Autoriteit Persoonsgegevens, hereinafter the “NL SA”). The draft decision at issue relates to an “own-volition inquiry” which was commenced by the IE SA following the notification of a personal data breach on 8 January 2019 (the “Breach”) by Twitter International Company, a company established in Dublin, Ireland (hereinafter “TIC”)5 . 2. The data breach arose from a bug in Twitter's design, due to which, if a user on an Android device changed the email address associated with their Twitter account, the protected tweets became unprotected and therefore accessible to a wider public (and not just the user's followers), without the user's knowledge6 . The bug was discovered on 26 December 2018 by the external contractor managing the company’s “bug bounty programme”, which is a programme whereby anyone may submit a bug report7 . 3. During its investigation, Twitter discovered additional user actions that would also lead to the same unintentional result. The bug in the code was traced back to a code change made on 4 November 20148 . 4. TIC informed the IE SA that, as far as they can identify, between 5 September 2017 and 11 January 2019, 88,726 EU and EEA users were affected by this bug. Twitter has confirmed that it dates the bug to 4 November 2014, but it has also confirmed that it can only identify users affected from 5 September 2017 due to a retention policy applicable to the logs9 . As a result, TIC acknowledged the possibility that more users were impacted by the breach10 . 5. The decision of the IE SA to commence the inquiry was taken in circumstances where TIC had, in its breach notification form, identified the potential impact for affected individuals as being “significant” 11 . 4 The objection by the Hamburg SA was submitted representing also “Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg”, “Berliner Beauftragte für Datenschutz und Informationsfreiheit“, “Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg- Vorpommern”, “Die Landesbeauftragte für den Datenschutz Niedersachsen”. The objection has been also coordinated with other SAs in Germany. 5 Draft Decision, paragraphs 1.1-1.2. 6 Draft Decision, paragraph 1.9. 7 Draft Decision, paragraphs 2.7 and 4.7. 8 Draft Decision, paragraph 2.10. 9 Draft Decision, paragraph 2.10. 10 Draft Decision, paragraphs 1.10, 2.10, 14.2 and 14.3. 11 Draft Decision, paragraph 2.8. Adopted 6 6. The IE SA stated in its Draft Decision that it was satisfied that the IE SA is the LSA, within the meaning of the GDPR, for TIC, as controller in respect of the cross-border processing of personal data carried out by TIC that was the subject of the breach12 . 7. The following table presents a summary timeline of the events part of the procedure leading to the submission of the matter to the consistency mechanism: 26.12.2018 Twitter, Inc., a company incorporated in the USA receives a bug report through their bug bounty programme. The report was sent by a third party contractor managing the bug bounty programme (Contractor 1) to the third party contractor engaged by Twitter, Inc. to search for and assess bugs (Contractor 2). 29.12.2018 Contractor 2 shares the result with Twitter, Inc. via a JIRA ticket. 02.01.2019 Twitter, Inc.'s Information Security Team reviews the JIRA ticket and decides it was not a security issue but that it might be a data protection issue. 02.01.2019 Twitter, Inc.'s Legal Team is notified. 03.01.2019 Twitter, Inc.'s Legal Team decides that the issue should be treated as an incident. 04.01.2019 Twitter, Inc. triggers the incident response process, but due to a mistake in applying the internal procedure, the Global DPO is not added as ‘watcher’ to the ticket. Therefore, they are not notified. 07.01.2019 The Global DPO is notified of the Data Breach during a meeting. 08.01.2019 TIC notifies the Breach to the IE SA using the IE SA's cross-border breach notification form. 22.01.2019 The scope and legal basis of the inquiry were set out in the notice of commencement of inquiry that was sent to TIC on 22 January 2019. The IE SA commences the inquiry and requests information from TIC. 28.05.2019 to 21.10.2019 Inquiry Report stage: the IE SA prepares a draft inquiry report and issues it to TIC to allow TIC to make submissions in relation to the draft inquiry report; TIC provides its submissions in relation to the draft inquiry report; the IE SA requests clarifications in relation to the submissions made by TIC; the IE SA issues its final inquiry report. 21.10.2019 The IE SA commences the decision-making stage. 11 and 28.11.2019 The IE SA corresponds with TIC and invites TIC to make further written submissions. 2.12.2019 TIC makes further submissions to the IE SA in response to the IE SA’s correspondence of 11 and 28 November 2019. 12 The IE SA has confirmed that its assessment in this regard was based both on its determination that (1) TIC, as the provider of the Twitter service in the EU/EEA, is the relevant controller and (2) that TIC’s main establishment in the EU is located in Dublin, Ireland, where decisions on the purposes and means of processing of personal data of Twitter users in the EU/EEA are taken by TIC, in accordance with Article 4(16) GDPR. Draft Decision, paragraphs 2.2-2.3. Adopted 7 14.03.2020 The IE SA issues a Preliminary Draft Decision (hereinafter “the Preliminary Draft Decision”) to TIC, concluding that TIC infringed Articles 33(1) and 33(5) GDPR; hence intends to issue a reprimand in accordance with Article 52(2) GDPR and an administrative fine in accordance with Article 58(2)(i) and Article 83(2) GDPR. 27.04.2020 TIC provides submissions on the Preliminary Draft Decision to the IE SA. 27.04.2020 - 22.05.2020 The IE SA takes account of TIC’s submissions in relation to the Preliminary Draft Decision and prepares its draft decision for submission to the CSAsin accordance with Article 60 GDPR. 22.05.2020 - 20.06.2020 The IE SA shares its Draft Decision with the CSAs in accordance with Article 60(3) GDPR. Several CSAs (AT SA, DE SA (represented by the DE-Hamburg SA), DK SA, ES SA, FR SA, HU SA, IT SA and NL SA) raise objections in accordance with Article 60(4) GDPR. 15.07.2020 The IE SA issues a Composite Memorandum setting out its replies to such objections and shares it with the CSAs (hereinafter, “Composite Memorandum”). The IE SA requests the relevant CSAs to confirm whether, having considered the IE SA’s position in relation to the objections as set out in the Composite Memorandum, the CSAs intend to maintain their objections. 27 and 28.07.2020 In light of the arguments put forward by the IE SA in the Composite Memorandum, the DK SA informs the IE SA that it does not maintain its objection, and the ES SA informs the IE SA that it withdraws its objection in part. The other CSAs (i.e., the AT, DE, ES, FR, HU, IT and NL SAs), confirm to the IE SA that they maintain their remaining objections. 19.08.2020 The IE SA refers the matter to the EDPB in accordance with Article 60(4) GDPR, thereby initiating the dispute resolution procedure under Article 65(1)(a). 8. The IE SA triggered the dispute resolution process on the IMI on 19 August 2020. Following the submission by the LSA of this matter to the EDPB in accordance with Article 60(4) GDPR, the EDPB Secretariat assessed the completeness of the file on behalf of the Chair in line with Article 11(2) of the EDPB Rules of Procedure. The EDPB Secretariat contacted the IE SA for the first time on 20 August 2020, asking for additional documents and information to be submitted in IMI and requesting the IE SA to confirm the completeness of the file. The IE SA provided the documents and information and confirmed the completeness of the file on 21 August 2020. A matter of particular importance that was scrutinized by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the Charter of the Fundamental Rights. On 4 September 2020, the Secretariat contacted the IE SA with additional questions in order to confirm whether TIC has been given the opportunity to exercise its' right to be heard regarding all the documents that were submitted to the Board for making its decision. On 8 September 2020, the IE SA confirmed that it was the case and provided the documents to prove it13 . 9. On 8 September 2020, the decision on the completeness of the file was taken, and it was circulated by the EDPB Secretariat to all the members of the EDPB. 13 Amongst the documents sent by IE SA, there were emails from the Global DPO acknowledging receipt of the relevant documents. Adopted 8 10. The Chair decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) of the EDPB Rules of Procedure, to extend the default timeline for adoption of one month by a further month on account of the complexity of the subject-matter. 2 CONDITIONS FOR ADOPTING A BINDING DECISION 11. The general conditions for the adoption of a binding decision by the Board are set forth in Article 60(4) and Article 65(1)(a) GDPR14 . 2.1 Objection(s) expressed by CSA(s) in relation to a draft decision 12. The EDPB notes that CSAs raised objections to the Draft Decision via the information and communication system mentioned in Article 17 of the EDPB Rules of Procedure, namely the Internal Market Information System. The objections were raised pursuant to Article 60(4) GDPR. 13. More specifically, objections were raised by CSAs in relation to the following matters: the competence of the LSA; the qualification of the roles of TIC and Twitter, Inc., respectively; the infringements of the GDPR identified by the LSA; the existence of possible additional (or alternative) infringements of the GDPR; the lack of a reprimand; the calculation of the proposed fine. 14. Each of these objections was submitted within the deadline provided by Article 60(4) GDPR. 2.2 The LSA does not follow the relevant and reasoned objections to the draft decision or is of the opinion that the objections are not relevant or reasoned 15. On 15 July 2020, IE SA provided to the CSAs a detailed analysis of the objections raised by the CSAs in the Composite Memorandum, where it outlined whether it considered the objections to be “relevant and reasoned” in accordance with Article 4(24) GDPR, and whether it decided to follow any of the objections15 . 16. More specifically, the IE SA considered that only the objections raised by CSAs in relation to the calculation of the fine meet the threshold put forward by Article 4(24) GDPR in so far as they relate to the compliance with the GDPR of the envisaged action in relation to the controller or processor and also set out the risks posed as regards the fundamental rights and freedoms of data subjects16 . However, the IE SA concluded that it would not follow the objections, for the reasons set out in the Composite Memorandum and below. 17. The IE SA considered that the other objections expressed by CSAs were not “relevant and reasoned” within the meaning of Article 4(24) GDPR. 14 According to Article 65(1)(a) of the GDPR, the Board will issue a binding decision when a supervisory authority has raised a relevant and reasoned objection to a draft decision of the LSA or the LSA has rejected such an objection as being not relevant or reasoned. 15 The purpose of the document, as stated by the IE SA, was to facilitate further cooperation with the CSAs in relation to the Draft Decision and to comply with the requirement in Article 60(1) GDPR that the LSA shall cooperate with the other CSAs in an endeavour to reach consensus. 16 Composite Memorandum, paragraph 5.59. Adopted 9 2.3 Conclusion 18. The case at issue fulfils all the elements listed by Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA within the deadline provided by Article 60(4) GDPR, and the LSA has not followed objections or rejected them as not relevant or reasoned. 19. The EDPB is therefore competent to adopt a binding decision, which shall concern all the matters which are the subject of the relevant and reasoned objection(s), in particular whether there is an infringement of the GDPR17 . 20. All results in this decision are without any prejudice to any assessment or binding decision made in other cases by the EDPB, including with the same parties, depending on further and/or new findings. 3 THE RIGHT TO GOOD ADMINISTRATION 21. The EDPB is subject to Article 41 of the EU Charter of fundamental rights, in particular Article 41 (right to good administration). This is also reflected in Article 11(1) EDPB Rules of Procedure18 . 22. The EDPB decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address directly any third party. However, as a precautionary measure to address the possibility that TIC might be affected by the EDPB decision, the EDPB assessed if TIC was offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA and in particular if all the documents received in this procedure and used by the EDPB to take its decision have already been shared previously to TIC and if TIC has been heard on them. 23. Considering that TIC has been already heard by the IE SA on all the information received by the EDPB and used to take its decision19 and the LSA has shared to the EDPB the written observations of TIC, in line with Article 11(2) EDPB Rules of Procedure20 , in relation to the issues raised in this specific Draft Decision, the EDPB is satisfied that the Article 41 of the EU Charter of fundamental rights has been respected. 4 ON THE QUALIFICATION OF CONTROLLER AND PROCESSOR AND THE COMPETENCE OF THE LSA 4.1 Analysis by the LSA in the Draft Decision 24. The Draft Decision states that “[i]n commencing the Inquiry, the appointed investigator within the [IE SA] [...] was satisfied that TIC is the controller, within the meaning of Article 4(7) of the GDPR, in respect of the personal data that was the subject of the Breach”, and that “[i]n this regard, TIC confirmed that 17 Article 65(1)(a) in fine GDPR. Some CSAs raised comments and not per se objections, which were, therefore, not taken into account by the EDPB. 18 EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020. 19 IE SA Preliminary Draft Decision (14 March 2020); IE SA Draft Decision (22 May 2020); Objections and comments raised by CSAs (18-20 June 2020); Composite Memorandum prepared by the IE SA (15 July 2020); and the remaining comments and objections from the CSAs (27-28 July 2020). 20 EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020. Adopted 10 it was the controller” in the data breach notification form and in the correspondence with the IE SA21 . The Draft Decision further states that "TIC also confirmed that the Breach had arisen in the context of processing carried out on its behalf by Twitter Inc., its processor" 22 and "TIC is the data controller for the personal data which is the subject of the Inquiry. TIC has an agreement in place with Twitter Inc. (its processor) to provide data processing services" 23 . 25. Additionally, the Draft Decision specifies that the IE SA was further satisfied that it was competent to act as LSA in respect of cross-border processing carried out by TIC, in relation to the personal data that was the subject of the Breach24 . 26. In this regard, the Draft Decision further states that TIC confirmed to the IE SA in notifying the Breach that it was “an Irish company”, and the “provider of the Twitter services in Europe”, and that TIC’s Privacy Policy (updated on Jan 2016) informed users of the Twitter service in the EU that they had the right to raise concerns either with their local supervisory authority or with TIC’s LSA, the IE SA25 . 27. The IE SA further included in the Draft Decision an excerpt from TIC’s Annual Report and Financial Statements relating to the Financial Year ended 31 December 2018 specifying that the “ultimate controlling party and the largest group of undertakings for which group financial statements are drawn up, and of which the company is a member, is Twitter, Inc., a company incorporated in the United States of America and listed on the New York Stock Exchange” 26 . 28. The IE SA initially faced uncertainty arising from the use of the terms “we” and “our” in the data breach notification form to refer interchangeably to TIC and Twitter, Inc. The IE SA sought clarifications in this regard and TIC indicated that employees of TIC and Twitter, Inc. habitually use “we” and “our” loosely to refer to the group by its name. In addition, TIC indicated that whilst TIC is the controller and makes decisions with respect to the purposes and means of data processing, it does not operate alone: “TIC, and its employees, are part of [...] the Twitter Group [....]. All employees of the Twitter Group use the same computer systems, they adhere to the same general policies…and work together to ensure the global round-the-clock support required to keep the Twitter platform operational” 27 . 4.2 Summary of the objections raised by the CSAs 29. In its objection, the ES SA states that the Draft Decision does not sufficiently justify the role of TIC as controller. The ES SA stresses that an assessment on which entity really decides on the purposes and means should be carried out, alongside with a critical analysis of all the facts which took place. According to the ES SA, the elements underlying the Draft Decision seem to suggest a conclusion that is different from the one reached by the IE SA. In particular, the ES SA considers that the decisions on the essential purposes of the data processing are actually taken by Twitter, Inc. The ES SA supported its reasoning by listing some factors that, in its view, could suggest that TIC does not decide on the purposes and means. First, the ES SA recalled that TIC is a subsidiary of Twitter, Inc. and highlighted that it would therefore be hard to understand how TIC could “issue orders” to Twitter, Inc. relating to processing of personal data of EEA users. According to the ES SA, TIC was never in the position to independently choose Twitter, Inc. as its processor and would not be able to replace it. Additionally, 21 Draft Decision, paragraph 2.2. 22 Draft Decision, paragraph 4.2. 23 Draft Decision, paragraph 4.6. 24 Draft Decision, paragraph 2.3. 25 Draft Decision, paragraph 2.3. 26 Draft Decision, paragraph 2.4. 27 Draft Decision, paragraph 4.5. Adopted 11 the ES SA argued that Twitter, Inc. does not seem to act as processor due to the “absence of a direct channel” between the two companies in the management of data breach cases other than the sending of an email with the Global DPO in copy. Thirdly, the ES SA stated that it was not clear how TIC could have independently adopted or influenced the decisions leading to the correction of the IT bug in the system managed and controlled by Twitter, Inc., and that it was rather Twitter, Inc. who undertook decisions relating to the solution of the Breach, whose effects were not limited only to European users. 30. The NL SA also raised an objection regarding the legal qualification of TIC and Twitter, Inc. as respectively controller and processor. Specifically, the objection relatesto the way the IE SA has argued that TIC is the sole controller in this case and that Twitter, Inc. is a processor acting on their behalf. The NL SA considers that assessment of controllership is a fundamental aspect of this case and therefore any conclusion regarding the role of controller, processor or joint controllers should be supported by legal and factual evidence. In its objection, the NL SA essentially submits that the Draft Decision does not contain enough evidence to legally and factually establish the roles of the entities concerned, in particular to support the conclusion (i) that TIC is the (sole) controller and (ii) that Twitter, Inc. is merely a processor acting under instruction of TIC for the operation of the global Twitter service and/or the purposes that are relevant in this case. According to the NL SA, the LSA should verify whether the legal statements of the organisation and/or their privacy policy corresponds with their actual activities. The NL SA requested the IE SA to include more information on and/or a description of the factors that lead to the determination of roles in the Draft Decision document itself. The NL SA also mentions, as examples of factors to take into account: instructions from TIC to Twitter, Inc., or other objective evidence or practical clues from daily operations as well as examples from written records such as a data processing agreement. 31. In its objection, the DE SA argues that the relationship between Twitter, Inc. and TIC is not a controller-processor relationship, but rather a joint-controllers relationship. The objection in first instance relies on the fact that Twitter, Inc. and TIC do not operate separate data processing systems. According to the DE SA, the basic system operated by Twitter, Inc. is modified based on decisions made by TIC and that for EEA users, whereas the main processing system stays the same. The DE SA also highlighted that all the employees of the group use the same computer system and adhere to the same general policies. 32. Finally, the FR SA raised an objection regarding the competence of the IE SA, stating that it seemed that the IE SA came to the conclusion that the decision-making power on the purposes and means of the processing at stake was exercised by TIC. According to the FR SA, the Draft Decision does not clearly indicate that other elements than the company TIC’s statements were taken into account by the authority to consider that this company had a decision-making power on the processing. The FR SA also specified that the Draft Decision does not clearly indicate if the competence of the authority is based either on the fact that the company TIC should be considered as the controller, or because TIC should be regarded as the main establishment as defined by Article 4(16) GDPR. The FR SA concluded that in its current state the Draft Decision does not prevent the risk of forum shopping, which the one- stop-shop mechanism is meant to avoid. The FR SA invited the IE SA to provide more elements allowing to prove that the company TIC has a decision-making power regarding the purposes and means of the processing for the social network Twitter. 4.3 Position of the LSA on the objections 33. In its Composite Memorandum, the IE SA considered that an objection based on the role or designation of the parties as controller and processor and/or on the competence of the IE SA “neither disputes the finding of an infringement nor the envisaged action and, therefore, does not satisfy the definition at Adopted 12 Article 4(24)” and that it “does not fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24)” 28. The IE SA nevertheless analysed such objections and, in doing so, set out the factors which it had considered in determining TIC’s status as controller and as main establishment. In this regard, the IE SA outlined (by way of summary29) the facts and legal analysis leading to its conclusion in respect of TIC’s status as controller, in essence: Twitter’s previous confirmation in 2015 that it proposed to make TIC in Ireland the controller for personal data of Twitter users in the EU30; TIC’s confirmation that it was controller for the personal data affected by the Breach both in notifying the Breach to the IE SA and during the course of the inquiry; TIC’s confirmation that a data processing agreement is in place between it and Twitter, Inc. as its processor, which includes the provisions required by Article 28 GDPR; the interactions between TIC and Twitter, Inc. following 7 January 2019, when TIC (through its DPO) was actually made aware of the Breach, demonstrating according to the IE SA that TIC exercised control and decision-making authority over Twitter, Inc. concerning the remediation activities and notification of the Breach and in relation to the underlying processing of personal data affected by the Breach; and the actions of Twitter, Inc. when it was notified of the incident by Contactor 2, which according to the IE SA also support the status of the relationship between the two entities as one in which TIC exercised authority and bore responsibilities as the controller. 34. The IE SA then set out, by way of summary31, the facts and legal analysis leading to its conclusion that TIC is main established in Ireland, in essence (beyond the points above): TIC’s designation and declaration of itself as main establishment; TIC’s confirmation in its Privacy Policy of its status as the relevant controller for personal data of Twitter users in the EU; TIC’s place of central administration is in Dublin, where it has approximately 170 employees; TIC’s direct employment of a global DPO for the purposes of the GDPR, the reporting line for the Global DPO within TIC and the Global DPO’s representation of TIC on a range of privacy and data processing related activities, including the ability to veto data processing; the historical and ongoing supervision of TIC by the IE SA, during which it has been apparent that TIC determines the purposes and means for which personal data are processed within the EU. The IE SA reiterated that, notwithstanding its response to the substance of the objections raised on the matters of competence and/or the designation of the parties, it did not consider that the objections in relation to these issues satisfied the definition of being a “relevant and reasoned objection” under Article 4(24) GDPR. The IE SA stated that, in light of both its assessment that these matters did not 28 Composite Memorandum, paragraph 5.39. 29 Composite Memorandum, paragraph 5.35. 30 In this regard, the Composite Memorandum explains that TIC informed the IE SA on 8 April 2015 that it proposed to make TIC in Ireland the controller for the personal data of its users outside of the USA and that TIC notified this fact to other EU supervisory authorities in May 2015 (paragraph 5.15). 31 Composite Memorandum, paragraph 5.36. Adopted 13 satisfy the definition under Article 4(24) GDPR, and in light of its demonstration that it had adequately addressed the questions of main establishment, its competence, and the controller, processor designation in its Draft Decision, it did not intend to follow the objections on these matters32 . 4.4 Analysis of the EDPB 4.4.1 Assessment of whether the objections were relevant and reasoned 35. The EDPB will begin its analysis of the objections raised by assessing whether the aforementioned objections are to be considered as a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR. 36. Article 4(24) of the GDPR defines “relevant and reasoned objection” as an “objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union” 33 . 37. As clarified in the Guidelines on the concept of a relevant and reasoned objection, an objection needs to be both “relevant” and “reasoned”. In order for the objection to be “relevant”, there must be a direct connection between the objection and the draft decision and it needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR34 . 38. According to the same Guidelines, an objection is “reasoned” when it is coherent, clear, precise and detailed in providing clarifications and arguments as to why an amendment of the decision is proposed and how the change would lead to a different conclusion35 and when it clearly demonstrates the significance of the risks posed by the draft decision for fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union. The CSA should thus “show the implications the draft decision would have for the protected values”, by “advancing sufficient arguments to show that such risks are substantial and plausible” 36. The evaluation of the risks posed to the rights and freedoms of data subjects37 can rely, inter alia, on the appropriateness, necessity, and proportionality of the measures envisaged38 and on the possible reduction of future infringements of the GDPR39 . 32 Composite Memorandum, paragraph 5.40. 33 GDPR, Article 4(24). 34 See also the EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version for public consultation (hereinafter, “Guidelines on RRO”), paragraph 12, currently subject to public consultation, https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-092020-relevant-and- reasoned-objection_en. The Guidelines were adopted on 8 October 2020, after the commencement of the inquiry by the IE SA relating to this particular case. 35 Guidelines on RRO, paragraph 17 and 20. 36 Guidelines on RRO, paragraph 37. 37 The “data subjects” whose rights and freedoms may be impacted may be both those whose personal data are being processed by the controller/processor and those whose personal data may be processed in the future. Guidelines on RRO, paragraph 43. 38 Guidelines on RRO, paragraph 42. 39 Guidelines on RRO, paragraph 43. Adopted 14 39. In terms of content, the objection can, as a first alternative, concern the existence of an infringement of the GDPR. In this case, it should explain why the CSA disagrees as to whether the activities carried out by the controller or processor led to the infringement of a given provision of the GDPR, and to which infringement(s) specifically40. This objection may also include a disagreement as to the conclusions to be drawn from the findings of the investigation (e.g. by stating that the findings amount to an infringement other than / in addition to those already analysed)41 or could go as far as identifying gaps in the draft decision justifying the need for further investigation by the LSA42 . However, this is less likely to happen when the obligation for the LSA to cooperate with the CSAs and exchange all relevant information has been duly complied with in the time preceding the issuance of the draft decision43 . Alternatively, the content of the objection can refer to the compliance of the action in relation to the controller or processor (corrective measure or other) envisaged in the draft decision with the GDPR, by explaining why the action foreseen is not in line with the GDPR44 . 40. The EDPB considers it possible for an objection concerning the existence of an infringement of the GDPR to concern the absence or insufficiency of assessment or reasoning (with the consequence that the conclusion in the draft decision is not adequately supported by the assessment carried out and the evidence presented, as required in Article 58 GDPR), as long as the whole threshold set forth by Article 4(24) GDPR is met and provided there is a link between the allegedly insufficient analysis and whether there is an infringement of the GDPR or whether envisaged action complies with the GDPR45 . 41. The EDPB considers that an objection concerning the role, or designation, of the parties can fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR, as this can affect the determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation. However, the EDPB considers that an objection on the competence of the supervisory authority acting as LSA should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR46 . a) Assessment of the objection raised by the NL SA 42. The objection raised by the NL SA in first instance relates to an “absence or insufficiency of assessment or reasoning” 47 leading to the conclusions drawn by the IE SA as to the legal qualification of TIC and Twitter, Inc. As the NL SA points out, the assessment of controllership is indeed a fundamental aspect of the case. A different conclusion as to the legal qualification of TIC and Twitter, Inc. would affect the 40 Guidelines on RRO, paragraph 25. 41 Guidelines on RRO, paragraph 27. 42 Guidelines on RRO, paragraph 28 (which also specifies that “In this regard, a distinction must be made between, on one hand, own-volition inquiries and, on the other hand, investigations triggered by complaints or by reports on potential infringements shared by concerned supervisory authorities”). 43 Guidelines on RRO, paragraph 27. 44 Guidelines on RRO, paragraph 33. This means that the objection may, inter alia, challenge the elements relied upon to calculate the amount of the fine (Guidelines on RRO, paragraph 34). 45 Guidelines on RRO, paragraph 29. 46 The procedure pursuant to Article 65(1)(b) GDPR is applicable in this case and can be launched at any stage, Guidelines on RRO, paragraph 31. 47 Guidelines on RRO, paragraph 29. A relevant and reasoned objection concerning whether there is an infringement of the GDPR can concern “insufficient factual information or description of the case at stake”, a “disagreement as to the conclusions to be drawn from the findings of the investigation” (Guidelines on RRO, paragraph 27) or refer to an “absence or insufficiency of assessment or reasoning (with the consequence that the conclusion in the draft decision is not adequately supported by the assessment carried out and the evidence presented, as required in Article 58 GDPR)” (Guidelines on RRO, paragraph 29). Adopted 15 conclusions of the supervisory authority, both in relation to the determination of an infringement of Article 33 GDPR, as well as the decision on the corrective measures resulting from the investigation. 43. The EDPB recalls that each legally binding measure adopted by a supervisory authority must give the reasons for the measure48 . The determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, hinges on the correct identification of the roles of parties who shall be the subject of the measure. Therefore, a draft decision must contain sufficient legal and factual elements to support the proposed decision49 . As a result, the EDPB considers that the objection raised by the NL SA concerns both “whether there is an infringement of the GDPR” and “whether or not the envisaged action complies with the GDPR”. 44. While the EDPB considers that the objection of the NL SA is therefore relevant and includes legal arguments supporting its position, it does not put forward arguments how such consequences would pose significant risks for the rights and freedoms of data subjects and/or the free flow of data50 . The EDPB recalls that the obligation to clearly demonstrate the significance of the risk posed by the draft decision - established by the GDPR - lies with the CSA51 . While the possibility for CSAs to provide such demonstration may also depend on the degree of detail of the draft decision itself and on the previous exchanges of information52, such a circumstance, where applicable, cannot completely absolve the CSA from the obligation to clearly set out why it considers that the draft decision, if left unchanged, results in significant risks for the rights and freedoms of individuals. 45. The EDPB finds that the objection raised by the NL SA does not clearly demonstrate the risks for the rights and freedoms of individuals as such. On this basis, the EDPB considers that the objection raised by the NL SA does not meet the requirements of Article 4(24) GDPR. b) Assessment of the objection raised by the ES SA 46. The objection raised by the ES SA also challenges the sufficiency of the assessment or reasoning in relation to the conclusions drawn by the IE SA as to the legal qualification of TIC and Twitter, Inc. respectively. The objection also makes clear that the correct qualification of the TIC and Twitter, Inc. is key for determining their respective responsibilities, as well as for the competence of the IE SA. As a result, the EDPB also considers that the objection raised by the ES SA concerns both “whether there is an infringement of the GDPR” and “whether or not the envisaged action complies with the GDPR”. The objection of the ES SA also sets out why it considers that a change to the Draft Decision is necessary and how the change would lead to a different conclusion. 47. While the EDPB considers that the objection of the ES SA is therefore relevant and includes legal arguments supporting its position, it does not clearly articulate why the decision, if left unchanged in this respect, would pose significant risks for the rights and freedoms of data subjects and, where applicable, the free flow of personal data. On this basis, the EDPB considers that the objection raised by the ES SA does not meet the requirements set out in Article 4(24) GDPR. 48 Recital (129) GDPR. 49 Such information is also necessary to ensure the effectiveness of the cooperation and consistency mechanism, so as to allow CSAs to make an informed decision on whether or not to agree or express a relevant and reasoned objection. 50 Guidelines on RRO, paragraph 19. 51 Guidelines on RRO, paragraph 36 and Article 4(24) GDPR. 52 Guidelines on RRO, paragraph 36. Adopted 16 c) Assessment of the objection raised by the DE SA 48. While the objections expressed by the NL and ES SA primarily relate to an “absence of reasoning” justifying the conclusion that TIC acts as (sole) controller, the DE SA disagrees as to the conclusions to be drawn from the findings of the investigation53. In particular, the DE SA considers that the factual elements included in the file are sufficient to justify the conclusion that Twitter, Inc. does not qualify as a processor, but rather as a joint controller, together with TIC. 49. In its objection, the DE SA also sets out why the qualification of the parties is relevant to the determination of “whether there is in infringement”. In particular, the DE SA argues that the legal assessment of the relationship between Twitter, Inc. and TIC affects the determination of the moment of becoming aware of the Breach. According to the DE SA, knowledge must be equally attributed to both (joint) controllers in light of Article 26(1) GDPR. Taking this into account, the DE SA argues that the relevant date when TIC as joint controller obtained knowledge (or rather should have obtained knowledge) needs to be reconsidered by the IE SA. 50. The EDPB considers that the objection raised by the DE SE clearly sets out why changing the Draft Decision is considered necessary and how the objection, if followed, would lead to a different conclusion. That being said, the EDPB does not find that the objection raised by the DE SA includes a clear statement regarding the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects in relation to the qualification of the parties as such. On this basis, the EDPB considers that the objection raised by the DE SA does not meet the requirements set out in Article 4(24) GDPR. d) Assessment of the objection raised by the FR SA 51. The FR SA in essence also considers that the Draft Decision suffers from “an absence or insufficiency of assessment or reasoning”, in that it does not clearly indicate that other elements than TIC’s own statements were taken into account by the IE SA to consider that TIC exercised decision-making power over the processing. Similar to the NL SA and ES SA, the FR SA also stresses the importance that the decision of the LSA is sufficiently reasoned. Different from the NL SA and ES SA, however, the FR SA focuses in its objection primarily on the importance of including such reasoning in establishing the competence of an authority of the LSA, in particular with a view of preventing forum shopping. 52. The EDPB recalls that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR54 . The EDPB considers that the objection raised by the FR SA does not advance sufficient arguments to clearly demonstrate the significance of the risk for the rights and freedoms of data subjects posed by the Draft Decision. As a result, the EDPB considers that the objection raised by the FR SA does not amount to a relevant and reasoned objection within the meaning of Article 4(24) GDPR. 4.4.2 Conclusion 53. The EDPB considers that the aforementioned objections satisfy several of the criteria of Article 4(24) GDPR. Differently to the conclusion made by the IE SA, the EDPB considers that each of those objections satisfied the condition of referring alternatively to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this 53 Guidelines on RRO, paragraph 27. 54 Guidelines on RRO, paragraph 31. The Guidelines go on to state that unlike the objection pursuant to Article 60(4) GDPR, the procedure pursuant to Article 65(1)(b) GDPR is applicable at any stage. Adopted 17 Regulation. In addition, the EDPB considers that an objection based on the role, or designation, of the parties can in principle fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR. 54. However, as stated above, the aforementioned objections do not meet the threshold of providing a clear demonstration as to the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union. 55. In addition, as regards the aforementioned objection raised by the FR SA, in addition to not advancing sufficient arguments to clearly demonstrate the significance of the risk for the rights and freedoms of data subjects posed by the Draft Decision, the objection concerns a disagreement on the competence of the supervisory authority acting as LSA. The EDPB recalls that such disagreement should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR55 . 56. As a result, the EDPB considers that the aforementioned objections do not meet the requirements set out in Article 4(24) GDPR. 57. As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 5 ON THE INFRINGEMENTS OF THE GDPR FOUND BY THE LSA 5.1 On the findings of an infringement of Article 33(1) GDPR 5.1.1 Analysis by the LSA in the Draft Decision 58. The IE SA concluded that TIC did not meet its obligations as a controller under Article 33(1) GDPR, which "cannot be viewed in isolation and must be understood within the context of the broader obligations on controllers under the GDPR, in particular, the obligation of accountability under Article 5(2), the relationship between controllers and processors (Article 28), and the obligation to implement appropriate (and effective) technical and organisational measures" 56 . 59. With regard to the moment at which the controller became aware of the Breach, the Draft Decision concluded that in case the Breach is suffered by the processor, the controller becomes aware when it is notified of the Breach by the processor57, but the controller must ensure that it has sufficient measures in place to facilitate this awareness58. Because TIC as controller was responsible for 55 Guidelines on RRO, paragraph 31. 56 Draft Decision, paragraph 6.20. See also Draft Decision, paragraphs 6.5, 6.7, and 6.13. The Draft Decision (paragraph 7.129 (i)) also states that the “requirement under Article 33(1) [...] is predicated upon the controller ensuring that it has internal systems and procedures (and where applicable, systems and procedures in place with any external parties including processors) that are configured, and followed, so as to facilitate prompt awareness, and timely notification, of breaches”. 57 Draft Decision, paragraph 7.129 (iii). 58 Draft Decision, paragraph 7.98. Adopted 18 overseeing the processing operations carried out by its processor Twitter, Inc.59, the Draft Decision stated that where the processor does not follow the procedure or the procedure fails otherwise the controller cannot excuse its own delayed notification on the basis of the processor’s fault60, as the performance by a controller of its obligation to notify cannot be contingent upon the compliance by its processor with its obligations under Article 33(2) GDPR61. The IE SA found that in these circumstances the controller must be considered as having constructive awareness of the personal Breach through its processor62, and that such an interpretation reflects the responsibility and accountability of the controller in the GDPR63 . 60. According to the Draft Decision, therefore, TIC became actually aware of the Breach on 7 January 201964 but should have been aware of the Breach at the latest by 3 January 2019, since on that date Twitter, Inc. as processor first assessed the incident as being a potential data breach and the Twitter, Inc. legal team instructed that the incident be opened65. The Draft Decision also stated that even in the particular circumstances of this situation (where earlier delays had also arisen66, any arrangements in place with Twitter, Inc. should have enabled this67. Instead, due to the “ineffectiveness of the process” in the “particular circumstances” of the case at stake and/or “a failure by [the processor’s] staff to follow its incident management process” there was a delay leading to the controller being notified only on 7 January 201968. This led to the infringement of Article 33(1) GDPR even if less than 72 hours elapsed between the moment at which TIC became actually aware of the Breach (7 January 2019) and the notification (8 January 2019). 5.1.2 Summary of the objections raised by the CSAs 61. The FR SA raised an objection stating that the findings do not correspond to an infringement of Article 33(1) GDPR, but rather of Article 28 or Article 32 GDPR, which set out the obligations of the controller when it decides to have recourse to a processor. This argument relies on the fact that the finding of the infringement of Article 33(1) is mainly based on the failures in the application of the procedure 59 Draft Decision, paragraph 7.129 (iv). 60 Draft Decision, paragraph 7.129 (iv). 61 Draft Decision, paragraph 7.129 (x). 62 Draft Decision, paragraph 7.129 (v). 63 Draft Decision, paragraph 7.98. According to the Draft Decision, an alternative interpretation leading to consider that a controller is only “aware” when informed by its processor, leaves a significant lacuna in the protection provided by the GDPR, as it could result in the controller avoiding responsibilities even in case of major delays if it showed it satisfied its obligations in choosing a processor and having proper systems in place, but such systems were disregarded by the processor (Draft Decision, paragraph 7.99). The IE SA further outlined in the Draft Decision that “the alternative application of Article 33(1), and that which was suggested by TIC, whereby the performance by a controller of its obligation to notify is, essentially, contingent upon the compliance by its processor with its obligations under Article 33(2), would undermine the effectiveness of the Article 33 obligations on a controller [and that] [s]uch an approach would be at odds with the overall purpose of the GDPR and the intention of the EU legislator”. 64 Draft Decision, paragraph 7.129 (vi). 65 Draft Decision, paragraph 7.129 (vi). 66 In identifying the 3 January 2019 as the date on which TIC ought to have been aware of the breach, the IE SA also took into account that an earlier delay had arisen during the period from when the incident was first notified by the External Contractor (Contractor 2) to Twitter, Inc. on 29 December 2018 to when Twitter, Inc. commenced its review of same, on 2 January 2019. TIC confirmed, during the course of the inquiry, that this was “due to the winter holiday schedule”. 67Draft Decision, paragraph 7.129 (ix). 68 Draft Decision, paragraph 7.129 (vi). Adopted 19 established between TIC and its processor in case of a data breach, whereas Article 33(1) GDPR refers only to the obligation of the controller to notify data breaches to the competent authority. 62. The objections of the DE SA, instead, focused on the reasoning leading to the conclusion that Article 33(1) GDPR was infringed, without challenging such conclusion per se, and referred more specifically to the determination of the dies a quo of the 72-hour deadline. 63. The DE SA argued in its objection that the issue of the allocation of roles affects the determination of the moment of awareness of the Breach, as the knowledge of a breach must be equally attributed to both joint controllers. According to the DE SA, this may lead to considering 26 December 2018 as the date when TIC as joint controller got knowledge/should have got knowledge of the Breach. 5.1.3 Position of the LSA on the objections 64. With regard to the objection raised by the FR SA, the IE SA considers that it requests consideration of alternative provisions of the GDPR and that the request by CSAs to consider alternate provisions of the GDPR, would essentially seek to re-scope the Inquiry conducted69: the IE SA concluded that such an objection does not fall within the definition of “relevant and reasoned objection” for the purposes of Article 4(24) GDPR70. The IE SA also stressed its view that an infringement of Article 33(1) GDPR has occurred and did not propose to consider infringements of any other provisions of the GDPR as an alternative to Article 33(1)71 , underlining that expanding the range of the infringements to other GDPR obligations at the request of CSAs would “jeopardise the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness” 72 . The IE SA also pointed out that it is examining TIC’s compliance with its broader obligations under the GDPR in the context of another ongoing inquiry73 . 65. Concerning the objection raised by the DE SA, with specific regard to the determination of the moment of awareness of the breach, the IE SA submitted that even if a relationship of joint controllership did exist (a view that, as outlined above in Section 4.3, the IE SA did not share) it would not necessarily mean that awareness of the Breach could be equally attributed to both joint controllers74 . 5.1.4 Analysis of the EDPB 5.1.4.1 Assessment of whether the objections were relevant and reasoned 66. As recalled above (see Section 4.4.1), it is necessary to assess whether the objections raised by the CSAs meet the threshold set by Article 4(24) GDPR. 67. Although the objection of the FR SA is relevant, since it outlines a disagreement on whether an particular infringement of the GDPR has taken place in the specific case, and it includes legal arguments supporting the objection, it fails to meet the Article 4(24) GDPR standard because it does not include justifications concerning the consequences of issuing a decision without the changes proposed in the objection, and how such consequences would pose significant risks to the rights and freedoms of data 69 Composite Memorandum, paragraph 5.45. 70 Composite Memorandum, paragraph 5.45. 71 Composite Memorandum, paragraph 5.47. 72 Composite Memorandum, paragraph 5.44(c). 73 Composite Memorandum, paragraph 5.44(d). 74 Composite Memorandum, paragraph 5.34 (also referring to the CJEU judgment in Wirtschaftsakademie, C- 210/16, paragraph 43). Adopted 20 subjects75 . Thus, the objection cannot be said to “clearly demonstrate” the significance of the risks posed by the issuance of the Draft Decision (if it were to be issued as final) since it does not provide sufficient arguments as to why such rights and freedoms of data subjects with specific regard to the finding of an infringement of Article 33(1) (instead of Article 32 / 28) GDPR are substantial and plausible76. Therefore, the EDPB concludes the objection of the FR SA is not relevant and reasoned due to the lack of a clear demonstration of the risks as specifically required by the Article 4(24) GDPR. 68. Additionally, with regard to the DE SA’s objection specifically in relation to the determination of the dies a quo for the infringement of Article 33(1) GDPR as depending on the qualification of the parties, the EDPB would like to recall the analysis performed above in Section 4.4 and finds that the objection does not show the implications the Draft Decision with its current content - specifically concerning the reasoning underlying the finding of a Breach of Article 33(1) GDPR - would have for the protected values77 (rights and freedoms of data subjects or, where applicable, free flow of personal data). 5.1.4.2 Conclusion 69. The EDPB considers that the aforementioned objections satisfied the condition of referring alternatively as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, but they do not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union. 70. Therefore, the FR and DE SA’s objections do not to meet the requirements in Article 4(24) GDPR78 . 5.2 On the findings of an infringement of Article 33(5) GDPR 5.2.1 Analysis by the LSA in the Draft Decision 71. In the Draft Decision, the IE SA found that TIC did not comply with its obligations under Article 33(5) GDPR to document the Breach, since the documentation furnished by TIC in the course of the inquiry was not considered to contain sufficient information and was not considered to contain a record or document of, specifically, a “personal data breach”, as they amounted to “documentation of a more generalised nature”79 . 72. On a different note, the IE SA acknowledged that TIC fully cooperated during the inquiry (although this was not considered as a mitigating factor)80 . 5.2.2 Summary of the objections raised by the CSAs 73. The EDPB takes the opportunity to highlight, for the sake of clarity, that none of the objections raised challenged the conclusion that TIC infringed Article 33(5) GDPR. 75 Guidelines on RRO, paragraph 19. 76 Guidelines on RRO, paragraph 37. 77 Guidelines on RRO, paragraph 37. 78 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 79 Draft Decision, paragraph 10.46. 80 Draft Decision, paragraph 14.50. Adopted 21 74. However, the IT SA raised an objection arguing that the finding related to the violation of Article 33(5) GDPR does not appear consistent with the reasoning and elaborations put forward by the LSA as the inadequacy of the documentation that was produced during such an extensive investigation, as based upon multiple interactions between the LSA and the controller, allegedly points to the controller’s poor cooperation with the DPA. According to the IT SA, the finding in the Draft Decision that TIC provided full cooperation during the investigative phase should be reviewed as such full cooperation can only be considered to exist if adequate, exhaustive documentation is made available by the controller in a straightforward manner. 5.2.3 Position of the LSA on the objections 75. The IE SA is of the opinion that the obligation under Article 33(5) GDPR applies independently of the obligation under Article 31 GDPR to co-operate with the supervisory authority and of how TIC behaved towards, and interacted with, the LSA at the time that the latter initiated its regulatory activities regarding TIC’s Breach81. The IE SA argued the deficiencies on how TIC documented the Breach do not necessarily correlate with a lack of cooperation on TIC’s part82. In addition, the IE SA highlighted that TIC cooperated with the IE SA during the inquiry by responding to all requests for information and by providing all the requested documents, without seeking to disrupt or obstruct the inquiry in any way83 . In any case, the IE SA did not consider TIC’s cooperation as a mitigating factor84 . For the above- mentioned reasons, the IE SA considered that it was “questionable” as to whether the objection raised by the IT SA is reasoned and relevant, since while it relates to an infringement of the GDPR it does not demonstrate how the IE SA’s position on TIC’s degree of cooperation results in risks posed by the draft decision regarding fundamental rights and freedoms of data subjects85 . The IE SA concluded it would not follow said objection86 . 5.2.4 Analysis of the EDPB 5.2.4.1 Assessment of whether the objections were relevant and reasoned 76. The IT SA in its objection does not dispute that an infringement of Article 33(5) GDPR has occurred. A relevant and reasoned objection may question the reasoning underlying the conclusions reached by the LSA in the draft decision only insofar as such reasoning has a link with such conclusions, the objection is adequately reasoned. In this case, the objection does not clearly argue how following it could entail a change in the Draft Decision. Additionally, the objection does not meet the criteria outlined in Article 4(24) GDPR because it fails to clearly demonstrate the significance of the risks posed by the Draft Decision as it does not show the implications the alleged mistake in the Draft Decision would have for the protected values. 5.2.4.2 Conclusion 77. As the IT SA’s objection does not meet the requirements of the Article 4(24) GDPR, the Board does not take a position on the merit of the substantial issues raised by this objection. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make 81 Composite Memorandum, paragraph 5.87. 82 Composite Memorandum, paragraph 5.87. 83 Composite Memorandum, paragraph 5.87. 84 Composite Memorandum, paragraph 5.87. 85 Composite Memorandum, paragraph 5.88. 86 Composite Memorandum, paragraph 5.88. Adopted 22 in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 6 ON POTENTIAL FURTHER (OR ALTERNATIVE) INFRINGEMENTS OF THE GDPR IDENTIFIED BY THE CSAS 6.1 Analysis by the LSA in the Draft Decision 78. Based on the information provided by TIC when it notified the Breach to the IE SA, the IE SA noticed that it appeared from the breach notification form that a period of in excess of 72 hours had elapsed from when TIC (as controller) became aware of the Breach87. For this reason, the IE SA decided to commence, on its own volition, an inquiry to examine whether TIC had complied with its obligations under Article 33(1) and Article 33(5) GDPR88 . 79. In order to determine whether TIC complies with its obligations under Article 33(1) GDPR, the IE SA considered them in the context of a controller's broader obligations, including those of accountability (Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR)89. However, if the IE SA considered the factors and factual matters that led to TIC's delay in being made aware of the Breach by its processor and ultimately in notifying the Breach, the IE SA did not consider whether or not TIC complied with any or each of these obligations other than for the purpose of assessing TIC’s compliance with its obligations under Article 33(1) and Article 33(5) GDPR90 . 6.2 Summary of the objections raised by the CSAs 80. The DE, FR, HU, and IT SAs raised objections that TIC infringed other provisions of the GDPR in addition to, or instead of, Article 33(1) and Article 33(5) GDPR. 6.2.1 Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality 81. The DE SA raised an objection stating that the "underlying bug" in TIC's application that resulted in the Breach notified to the IE SA should have been considered by the IE SA in its Draft Decision, so as to determine whether this bug actually constituted a significant violation of the confidentiality of personal data, ultimately infringing Article 5(1)(f) GDPR, in addition to Article 33(1) and Article 33(5) GDPR. 82. The HU SA raised an objection stating that given the “bug” in TIC’s application over the years and its serious nature affecting data security, the IE SA should investigate whether TIC also infringed Article 5(1)(f) GDPR on the principle of integrity and confidentiality. 6.2.2 Infringement of Article 5(2) GDPR on the principle of accountability 83. The IT SA raised an objection stating that the infringement of Article 33(1) GDPR highlights a much more severe violation of the accountability principle (under Article 5(2) GDPR), since the lack of 87 Draft Decision, paragraph 2.11. 88 Draft Decision, paragraph 2.11. 89 Draft Decision, paragraphs 6.13-6.20, 7.111-7.112, 7.122-7.124. 90 Draft Decision, paragraphs 6.13, 7.111, 7.122-7.124. Adopted 23 corporate policies to handle security incidents or the failure to comply with them shows that the measures implemented by the controller are inadequate to ensure compliance and to document it. The IT SA argued that these procedural shortcomings are highlighted by the Draft Decision, but the Draft Decision fails to make this the subject of a specific analysis. As this may affect the handling of future data breaches, too, the findings on whether TIC complied with Article 5(2) GDPR should also be part of the IE SA's final decision according to the IT SA. The IT SA also considered that the infringement of Article 5(2) GDPR is confirmed by the controller's inability to state the exact number and nature of the personal data affected, or the total number of data subjects involved. 6.2.3 Infringement of Article 24 GDPR on the responsibility of the controller 84. The DE SA raised an objection stating that the Draft Decision is not clear on why the IE SA did not assess if the significant violation of the confidentiality of personal data caused by an "underlying bug" is due to an infringement of the requirements of Article 24 GDPR. 6.2.4 Infringement of Article 28 GDPR on the relationship with processors 85. The FR SA expressed an objection stating that TIC did not respect the obligation of the controller to verify the validity of the procedures set up by its processor. Therefore, the FR SA considers that there is no infringement of Article 33(1) GDPR, but of Article 28 GDPR instead (or Article 32 GDPR -see below Section 6.2.5). The FR SA argued that if TIC's processor is its parent company, “it was all the more easy for TIC to verify the validity of the procedures set out by the parent company and to demand a correction if necessary”. 86. The IT SA expressed an objection stating that TIC’s failure to involve the Global DPO in the Detection and Response Team of the processor (Twitter, Inc.), in spite of the fact that this practice was envisaged in TIC's internal policies, shows that the safeguards provided by the processor in terms of implementing the appropriate organisational measures under Article 28(1) GDPR are not extensive enough. In addition, the IT SA argued in its objections that the processor infringed its obligation to assist the controller, according to Article 28(3)(f) GDPR. 6.2.5 Infringement of Article 32 GDPR on the security of the processing 87. The DE SA raised objections stating that the IE SA should have examined if all appropriate technical and organisational measures (according to Article 32 GDPR) were complied with in this case, and whether infringements in this area should have been made the subject of these proceedings. The DE SA also argues that the Draft Decision is not clear on why the IE SA did not assess if the significant violation of the confidentiality of personal data caused by an "underlying bug" is due to an infringement of the requirements of Article 32 GDPR. 88. The FR SA expressed an objection concerning the legal characterisation of the facts carried out by the IE SA and stated that the TIC’s failure to respect the obligation of the controller to verify the validity of the procedures set up by its processor corresponds to an infringement of Article 32 GDPR (or Article 28 GDPR - see above Section 6.2.4), rather than of Article 33(1) GDPR. The FR SA argued that if TIC's processor is its parent company, “it was all the more easy for TIC to verify the validity of the procedures set out by its parent company and to demand a correction if necessary”. 89. The HU SA raised objections stating that given the “bug” in TIC’s application over the years and its serious nature affecting data security, the IE SA should investigate whether TIC infringed also Article 32 GDPR on TIC’s obligations of security of the processing. Adopted 24 6.2.6 Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing 90. The DE SA expressed objections stating that the IE SA’s examination is lacking, with regard to the scope of the information to be provided in the case of a notification, which is stipulated as binding in Article 33(3) GDPR. Based on TIC’s comments on the Breach they provided pursuant to Article 33(5) GDPR and on the description of the investigation of the facts of the case, TIC obviously did not fully comply with its documentation obligation when it first reported the Breach on 8 January 2019. The DE SA considered that there are therefore numerous indications that the result could also be an infringement of Article 33(3) GDPR. 6.2.7 Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject 91. The HU SA raised objections stating that given the “bug” in TIC’s application over the years and its serious nature affecting data security, the IE SA had to investigate whether TIC infringed also Article 34 GDPR on TIC’s obligations of informing the data subjects about the Breach. 6.3 Position of the LSA on the objections 92. The LSA provided its response in respect of the objections concerning potential further (or alternative) infringements of the GDPR collectively in its Composite Memorandum shared with the CSAs. The LSA explained that it “exercised its discretion [...] to confine the scope of the Inquiry to the consideration of two discrete issues, being whether TIC had complied with its obligations as a controller under Article 33(1) in respect of the notification of the Breach, and whether it had complied with its obligations under Article 33(5) to document the Breach” 91. The LSA relied on Section 110(1) of the Irish Data Protection Act 2018, which provides that the IE SA may “cause such inquiry as it thinks fit to be conducted” 92. The purpose of the inquiry as described by the IE SA was thus “solely to examine the circumstances surrounding TIC’s apparent delayed notification of the Breach [...] and its documenting of the Breach”, an issue considered by the IE SA as “of considerable importance given that, with close to 200,000 breaches notified in two years across the EU, there is a need for clarity on what is required under the breach notification and documentation requirements of the GDPR” 93 . 93. Within its Composite Memorandum94, the IE SA maintains that objections raised in the context of Article 60(4) GDPR cannot have the effect of challenging the scope of an inquiry. In the case at hand, the LSA recalls that it informed TIC at the beginning of the inquiry that its purpose was to verify TIC’s compliance with Article 33(1) and Article 33(5) GDPR in respect of its notification of a Breach to the LSA 8 January 2019. The whole inquiry process was therefore conducted within that scope, as well as the drafting of the Draft Decision, and TIC was afforded its right to be heard in that regard at each step of the procedure. Therefore, the LSA maintains that if it were to follow the CSAs’ objections and include other infringements in its final decision “on the basis of only the material contained in the Draft Decision”, this would result in jeopardising “the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness” 95 . 91 Composite Memorandum, paragraph 1.7. 92 Composite Memorandum, paragraph 1.5. 93 Composite Memorandum, paragraph 1.9. 94 Composite Memorandum, paragraph 5.44. 95 Composite Memorandum, paragraph 5.44(c). Adopted 25 94. Furthermore, the LSA explains that it has another ongoing inquiry in relation to other data breaches notified to the LSA by TIC prior to the notification that concerns the case at hand. In that other inquiry, initiated before the one at hand, the LSA highlights that the scope of investigation concerns possible non-compliance with “inter alia, Articles 5, 24, 25, 28, 29 and 32” GDPR96. The LSA considers that this parallel inquiry is indeed assessing TIC’s compliance with its broader obligations under GDPR to determine if compliance insufficiencies caused the data breaches. Consequently, the LSA is of the position that the CSAs will have the possibility to consider such possible infringements in the context of that other inquiry, as they will be consulted on its Draft Decision, in accordance with Article 60(4) GDPR97 . 95. TIC submitted that, since the Draft Decision states that “a detailed examination of the technical and organisational measures is beyond the scope of the inquiry” 98, it “would not be reasonable or appropriate, and would offend well-established principles of natural justice, if the Decision were to make findings or impose sanctions on TIC in respect of obligations and principles which did not form part of the DPC’s investigation, since TIC has not had an opportunity to address any concerns which the DPC or CSAs may have about TIC’s processes in these areas” 99 . 6.4 Analysis of the EDPB 6.4.1 Assessment of whether the objections were relevant and reasoned 6.4.1.1 Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality 96. The EDPB notes that the DE SA’s objection on Article 5(1)(f) GDPR is referring to whether there is an infringement of the GDPR by expressing a disagreement as to the conclusions to be drawn from the findings of the investigation. The objection also put forward arguments to support the conclusion that compliance with Article 5(1)(f) GDPR should be assessed. The DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the confidentiality of personal data and that a large number of persons were concerned for a substantial period of time. Furthermore the DE SA also argued that there were indications to consider the existence “systemic error”, which would have required a deeper scrutiny beyond the single specific bug involved. 97. The HU SA’s objection can also be considered as relevant as it concerns whether there is an infringement of the GDPR. Additionally it (only) briefly makes reference to factual arguments supporting the need to assess this additional provision (the duration of the bug and its serious nature affecting data security), but does not “clearly demonstrate” the significance of the risks posed by the Draft Decision for risks to the rights and freedoms of individuals as it does not put forward arguments 96 Composite Memorandum, paragraph 1.10. 97 Composite Memorandum, paragraph 5.44(d). 98 Draft Decision, paragraph 7.19. 99 “Representations in response to objections and comments from CSAs” submitted by TIC (14 August 2020), paragraph 4.1. The EDPB wishes to highlight that the objections raised by the CSAs were brought to TIC’s attention by the IE SA, and TIC issued the aforementioned representations on the objections, which were taken into account by the IE SA prior to the initiation of the Article 65 procedure and are part of the file under consideration of the EDPB in the context of this procedure. See also footnote 19. Adopted 26 or justifications concerning the consequences of issuing a decision without the changes proposed in the objection100 . 98. As a consequence the EDPB considers the objection raised by the DE SA in relation to the potential additional infringement of Article 5(1)(f) GDPR to be relevant and reasoned for the purposes of Article 4(24) GDPR, but considers the HU SA’s objection in relation to the same topic does not meet the requirements of Article 4(24)101 . 99. The EDPB will assess the merits of the substantial issues raised by the DE SA objection in relation to the potential additional infringement of Article 5(1)(f) GDPR (see section 6.4.2 below). 6.4.1.2 Infringement of Article 5(2) GDPR on the principle of accountability 100. The objection raised by the IT SA is to be considered “relevant” since if followed, it would lead to a different conclusion as to whether there is an infringement of the GDPR 102. More specifically, it includes a “disagreement as to the conclusions to be drawn from the findings of the investigation”, since it states that the “findings amount to the infringement of a provision of the GDPR [...] in addition to [...] those already analysed by the draft decision” 103 . 101. Additionally, the objection is “reasoned” as it includes clarifications as to why the amendment of the decision is proposed104: the proposed change relies on the “lack of formalised corporate policies to handle security incidents [...] or the failure to comply with said policies”, on the fact that such “procedural shortcomings are highlighted by the [IE SA] repeatedly” in the Draft Decision, and on the controller’s inability to state the exact number and nature of the personal data / data subjects affected. 102. The IT SA clearly demonstrated the significance of the risks posed by the Draft Decision for fundamental rights and freedoms of data subjects, by showing the “implications the draft decision would have for the protected values”105 and more specifically the “impact on the rights and freedoms of data subjects whose personal data might be processed in the future”106: the objection did so by arguing that the aspects mentioned are “structural in nature as regards the controller’s organization” and “bound to produce effects not simply on the case at issue, but also on the handling of any personal data breach that may occur in the future”. 103. As a consequence, the IT SA’s objection on Article 5(2) GDPR meets the requirements set out in Article 4(24) GDPR. The EDPB will therefore analyse the merits of the substantial issues raised by this objection107 . 100 Guidelines on RRO, paragraph 19. 101 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by the HU SA’s objection. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 102 Guidelines on RRO, paragraph 13. 103 Guidelines on RRO, paragraph 27. 104 Guidelines on RRO, paragraph 17. 105 Guidelines on RRO, paragraph 37. 106 Guidelines on RRO, paragraph 43. 107 See section 6.4.2 below. Adopted 27 6.4.1.3 Infringement of Article 24 GDPR on the responsibility of the controller 104. The DE SA’s objection specifically refers to Chapter 5 "Issues for determination" of the Draft Decision108, and objects to the Draft Decision as to whether Article 24 GDPR was also infringed by TIC109. It relies on the facts110 set out in the Draft Decision that “if a Twitter user with a protected account, using Twitter for Android, changed their email address the bug would result in their account being unprotected” 111 . and their protected tweets were made publicly available via the service. More precisely, the DE SA is questioning why the IE SA did not examine, in the Draft Decision, the causes of the Breach, in particular in light of Article 24 GDPR, and why the IE SA did not explain in the Draft Decision why it did not perform such examination. 105. The DE SA argues that given that the Breach notification revealed “deficiencies in compliance with the GDPR, ... [a] company that is not capable by own means and resources, by inspections of internal or external security teams to find a bug of that prominence and scope should be subject to a deeper scrutiny regarding its security and data processing setup, beyond the single specific bug involved". 106. According to the DE SA, a higher scrutiny into TIC's data processing setup "could result, as the case may be, in an order to the controller to bring processing operations into compliance with the provisions of the GDPR. The case at hand fails to reflect this task. This makes it all the more urgent to examine the corrective powers under Article 58(2) GDPR in this context". 107. Therefore, the DE SA pointed out what it considered as an absence of assessment, with the consequences that the conclusions drawn from the findings of the investigation by the LSA could be different112 . 108. The DE SA’s objection that “According to Art. 83 (1) GDPR, fines must be “effective, proportionate and dissuasive in each individual case. A sanction is effective and dissuasive if, on the one hand, it is suitable as a general preventive measure to deter the general public from committing infringements and to affirm the general public’s confidence in the validity of Union law, but, on the other hand, it is also suitable as a preventive measure to deter the offender from committing further infringements”. Consequently, the DE SA demonstrates how not changing the Draft Decision to include an assessment of compliance with Article 24 GDPR would pose significant risks for the fundamental rights and freedoms of data subjects113 . 109. In its Guidelines on RRO, the EDPB accepts that an objection may challenge the conclusion of the LSA, by considering that the LSA’s findings actually lead to the conclusion that another provision of the GDPR has been infringed in addition to or instead of the provision identified by the LSA114. The EDPB considers that this is precisely the essence of the DE SA’s objection, hence not preventing it from being relevant and reasoned. 110. Additionally, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, including by highlighting that a large number of persons were concerned for an equally substantial period of time, reflecting a systemic error that calls 108 Guidelines on RRO, paragraph 20. 109 Guidelines on RRO, paragraph 12. 110 Guidelines on RRO, paragraph 14. 111 Draft Decision, paragraph 2.7. 112 Guidelines on RRO, paragraph 29. 113 Guidelines on RRO, paragraph 19. 114 Guidelines on RRO, paragraph 27. Adopted 28 for deeper scrutiny, looking beyond the single specific bug involved. As a consequence, the DE SA’s objection on Article 24 GDPR meets the threshold set out in Article 4(24) GDPR. 111. In light of the assessment above, the EDPB considers that the DE SA’s objection relating to a possible infringement of Article 24 GDPR is relevant and reasoned in accordance with Article 4(24) GDPR. As a consequence, the EDPB is assessing the merit of the substantial issues raised by this objection (see section 6.4.2 below). 6.4.1.4 Infringement of Article 28 GDPR on the relationship with processors 112. The FR SA’s objection specifically refers to paragraphs 7.129 iii), iv) and v) of the Draft Decision 115, and objects to the Draft Decision as to whether Article 28 GDPR was infringed by TIC instead of Article 33(1) GDPR116. It relies on the facts117 set out in the Draft Decision and on the findings by the LSA that “TIC did not respect the obligation of the controller to verify the validity of the procedures set up by its processor”. 113. According to the FR SA, since Article 28(3)(h) GDPR sets forth the controller’s duties when it uses a processor, the findings should have led the LSA to the conclusion that Article 28(3)(h) GDPR was infringed, instead of Article 33(1) GDPR. Ultimately, it means, for the FR SA, that the sanction issued in fine should address different infringements. 114. In its Guidelines on RRO, the EDPB accepts that an objection may challenge the conclusion of the LSA, by considering that the LSA’s findings actually lead to the conclusion that another provision of the GDPR has been infringed in addition to or instead of the provision identified by the LSA118. The EDPB considers that this is precisely the essence of the FR SA’s objection, hence not preventing it from being relevant. The objection also adequately puts forward arguments supporting the conclusion proposed. At the same time, the EDPB notes that the FR SA’s objection does not clearly demonstrate the significant risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects with specific regard to the failure to conclude on the infringement of this specific provision119 . In light of this assessment, the EDPB considers that the FR SA’s objection relating to a possible infringement of Article 28 GDPR instead of Article 33(1) GDPR is not relevant and reasoned in accordance with Article 4(24) GDPR120 . 115. The IT SA’s objects to the Draft Decision as to whether Article 28 GDPR, inter alia, was infringed by TIC in addition to Article 33(1) GDPR121 . 116. The IT SA relies on the facts set out in the Draft Decision and on the findings by the LSA that whilst the involvement of the Global DPO in the Detection and Response Team of its processor, Twitter, Inc., is envisaged in TIC’s internal policies, in practice, the Global DPO was not involved. The IT SA also notes that Twitter, Inc., as the processor, failed to assist TIC. 115 Guidelines on RRO, paragraph 20. 116 Guidelines on RRO, paragraph 12. 117 Guidelines on RRO, paragraph 14. 118 Objection Guidelines on RRO, paragraph 27. 119 Guidelines on RRO, paragraph 29. 120 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 121 Guidelines on RRO, paragraph 12. Adopted 29 117. According to the IT SA, with Article 28(1) GDPR requiring controllers to only use processors providing sufficient guarantees to implement appropriate technical and organisational measures, and Article 28(3)(f) GDPR requiring the contract between the controller and the processor to stipulate that the processor assist “the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of the processing and the information available to the processor”; the findings should have led the LSA to the conclusion that Article 28(1) and Article 28(3)(f) GDPR were also infringed. 118. The EDPB considers that the IT objection in relation to Article 28(1) and Article 28(3)(f) GDPR it is to be considered “relevant” since if followed, it would lead to a different conclusion as to whether there is an infringement of the GDPR122. More specifically, it includes a “disagreement as to the conclusions to be drawn from the findings of the investigation”, since it states that the “findings amount to the infringement of a provision of the GDPR [...] in addition to [...] those already analysed by the draft decision”123 . 119. Additionally, according to the EDPB, the objection is “reasoned” as it includes clarifications as to why the amendment of the decision is proposed124: the proposed change relies on the fact that the controller did not comply with its internal policies according to which TIC’s DPO should be involved. Besides, the objection raises the point that the processor failed to comply with its contractual obligation to assist the controller, in accordance with Article 28(3)(f) GDPR. 120. However, the EDPB notes that the IT SA’s objection relating to Article 28(1) and Article 28(3)(f) GDPR does not clearly demonstrate significant risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects125 . As a consequence this objection raised by the IT SA does not meet the requirements set out in Article 4(24) GDPR126 . 6.4.1.5 Infringement of Article 32 GDPR on the security of the processing 121. The DE SA’s objection, if followed, would entail a change leading to a different conclusion as to whether there is an infringement of the GDPR, since it identified a “disagreement as to the conclusions to be drawn from the findings of the investigation” 127 by pointing out that the findings may indicate an infringement also of Article 32 GDPR. Thus, the EDPB therefore considers that there is a link between the content of the objection and the potential different conclusion128. In addition, this objection is related to specific legal and factual content of the Draft Decision129 . 122. Additionally, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the confidentiality of personal data and that a large number of persons were concerned for a substantial period of time. Furthermore the DE SA also argued 122 Guidelines on RRO, paragraph 13. 123 Guidelines on RRO, paragraph 27. 124 Guidelines on RRO, paragraph 17. 125 Guidelines on RRO, paragraph 29. 126 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 127 Guidelines on RRO, paragraph 28. 128 Guidelines on RRO, paragraph 13. 129 Guidelines on RRO, paragraph 14. Adopted 30 that there were indications to consider the existence of a “systemic error”, which would have required a deeper scrutiny beyond the single specific bug involved. 123. In light of the assessment above, the EDPB considers that the DE SA’s objection relating to a possible infringement of Article 32 GDPR is relevant and reasoned in accordance with Article 4(24) GDPR. As a consequence, the EDPB is assessing the merit of the substantial issues raised by this objection (see point 6.4.2 below). 124. As regards the FR SA’s objection, the EDPB considers it as meeting the criterion of “relevant” because if the LSA would have followed it, there would be a different conclusion as to whether there is an infringement of the GDPR130 . The FR SA’s objection is based on the reasoning provided by the IE SA in its Draft Decision and this reasoning is linked with conclusion as to whether an infringement of the GDPR has been correctly identified131 . The EDPB recalls that the CSA has to present the facts allegedly leading to a different conclusion132 and notes that in the case at stake the objection analyses the facts that would lead to the violation of Article 32(1)(d) GDPR, instead of violation of Article 33(1) GDPR, and does so in a coherent, clear and precise way, by clearly indicating which parts of the decision of the IE SA it disagrees with. The FR SA’s objection is clearly relevant by outlining a disagreement on whether an infringement of the GDPR has taken place. However, the FR SA’s objection only succinctly explains the reasons for its proposed change and does not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects in relation to the failure to find an infringement of Article 32 GDPR. As a consequence this objection raised by the FR SA does not meet the requirements set out in Article 4(24) GDPR133 . 125. The HU SA’s objection also referred to whether there is an infringement of the GDPR, arguing that the possible infringement of the principle of integrity and confidentiality should also be investigated. The HU SA’s objection is clearly relevant by outlining that an additional provision of the GDPR (i.e. Article 32 GDPR) should have been investigated. However, the HU SA does not explain how the Draft Decision would pose such risks, nor does it fully explain why specific aspects of the decision are deficient in its point of view134. The HU SA’s objection fails to meet the criterion of providing sound reasoning for its objection, by referring to legal or factual arguments. On the contrary, it just recommends that the IE SA would also need to investigate the controller’s compliance with Article 32 GDPR. As a consequence this objection raised by the HU SA does not meet the requirements set by Article 4(24) GDPR135 . 6.4.1.6 Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing 126. The DE SA considers that the Draft Decision indicates that Article 33(3) GDPR could be infringed in addition to other provisions of GDPR. In that sense, it is about “whether there is an infringement” of 130 Guidelines on RRO, paragraph 13. 131 Guidelines on RRO, paragraph 16. 132 Guidelines on RRO, paragraph 18. 133 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 134 Guidelines on RRO, paragraph 18. 135 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. Adopted 31 the GDPR, and that it has not been examined and addressed by the Draft Decision. Hence, the DE SA considers that, if changed, the Draft Decision would lead to the conclusion of additional infringements of GDPR. 127. However, the DE SA does not clearly demonstrate the significant risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. As a consequence, the DE SA’s objection on Article 33(3) GDPR fails to meet the requirements set out in Article 4(24) GDPR136 . 6.4.1.7 Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject 128. The HU SA considers that the Draft Decision indicates that Article 34 GDPR could be infringed in addition to other provisions of GDPR, especially in light of the fact that the bug lasted over the years, and given the serious nature affecting the controller’s security. In that sense, it is about “whether there is an infringement” of the GDPR, and that it has not been examined and addressed by the Draft Decision. Hence, the HU SA considers that, if changed, the Draft Decision would lead to the conclusion of additional infringements of GDPR. 129. However, the HU SA does not clearly demonstrate the significant risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. As a consequence, the HU SA’s objection on Article 34 GDPR do not meet the requirements set out in Article 4(24) GDPR137 . 6.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and reasoned objections and conclusion 130. The Board now analyses the objections found being relevant and reasoned - in particular the DE SA’s objections on Article 5(1)(f), Article 24 and 32 GDPR, as well the IT SA’s objection on Article 5(2) GDPR - as well as the LSA’s response to those objections and the TIC submissions. 131. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR. The EDPB can (and must) make a binding decision which shall whenever possible, taking into account the elements of the file and the respondent’s right to be heard, provide a final conclusion on the application of the GDPR in relation to the case at hand. The LSA will then be obliged to implement the changes in its final decision. 132. The Board considers that the available factual elements included in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of further (or alternative) infringements of Article 5(1)(f), 5(2), 24 and 32 GDPR. 133. The Board considers that, as a general matter, the limited scope of the inquiry by the IE SA - focused since the outset only on whether there were infringements by TIC of Article 33(1) and 33(5) GDPR - 136 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 137 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. Adopted 32 directly affects the remit of the investigation and further fact finding, as well as the ability for CSAs to put forward sufficient elements for the EDPB to sustain the objections. 134. The EDPB recalls the duty for the LSA to “endeavour to reach consensus” with the CSAs (Article 60(1) GDPR) and to provide, without delay, the CSAs with “the relevant information” on the matter (Article 60(3) GDPR). Even in case of an own-volition inquiry, the Guidelines on reasoned and relevant objectionsstate that LSA “should seek consensus regarding the scope of the procedure (i.e. the aspects of data processing under scrutiny) prior to initiating the procedure formally”138, including in the context of a possible new proceeding. 135. Whilst the EDPB considers that SAs enjoy certain degree of discretion to decide how to frame the scope of their inquiries, the EDPB recalls that one of the main objectives of the GDPR is to ensure consistency throughout the European Union, and the cooperation between the LSA and CSAs is one of the means to achieve this. The EDPB also recalls the existence of a full range of the cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR), bearing in mind the goal of reaching consensus within the cooperation mechanism and the need to exchange all relevant information, with a view to ensuring protection of the fundamental rights and freedoms of data subjects. 136. The EDPB considers that in determining the scope of the inquiry, whilst it can be limited, a LSA should frame it in such a way that it permits the CSAs to effectively fulfil their role, alongside the LSA, when determining whether there has been an infringement of the GDPR. 7 ON THE CORRECTIVE MEASURES DECIDED BY THE LSA - IN PARTICULAR, THE IMPOSITION OF A REPRIMAND 7.1 Analysis by the LSA in the Draft Decision 137. The Draft Decision explains that, while in the Preliminary Draft Decision the proposed corrective powers to be imposed were both a reprimand, pursuant to Article 58(2)(b) GDPR, and an administrative fine, pursuant to Article 58(2)(i) GDPR, the final Draft Decision consists of the imposition only of an administrative fine on TIC as the controller139 . 138. In its submissions in relation to the Preliminary Draft Decision, TIC objected to the decision to issue a reprimand, contending that the infringements of Article 33(1) and Article 33(5) GDPR do not comprise “processing operations”, while Article 58(2)(b) GDPR provides supervisory authorities with the power to issue reprimands where processing operations have infringed provisions of the GDPR140. TIC’s argument mainly relied on the fact that neither the delay in notifying the SA nor the failure to keep appropriate records amounts to a processing operation in itself141 . 139. In its Draft Decision, the IE SA explained its decision not to issue a reprimand by recalling the argument put forward by TIC in its submissions in relation to the Preliminary Draft Decision, contending that the infringements of Article 33(1) and Article 33(5) GDPR do not comprise “processing operations”, while Article 58(2)(b) GDPR provides supervisory authorities with the power to issue reprimands where processing operations have infringed provisions of the GDPR142 . The IE SA considered that the term 138 Guidelines on RRO, paragraph 28. 139 Draft Decision, paragraph 12.1. 140 TIC’s submissions in relation to the Preliminary Draft Decision, paragraph 11.1. 141 Draft Decision, paragraph 12.4. 142 TIC’s submissions in relation to the Preliminary Draft Decision, paragraph 11.1. Adopted 33 ‘processing operation(s)’ appears 50 times in the GDPR and seems to be used to denote the treatment or use of, in other words things that are done to, personal data controlled by a controller, but that at the same time the definition of “processing” provided by the GDPR is very broad, which makes it arguable that given that a breach is something affecting or done to, personal data, it follows that the notification obligation (insofar as it inherently must entail an examination of what has happened to personal data or how it has been affected) is intrinsically connected to one or more processing operations143 . The IE SA did not consider it necessary to definitely conclude on the meaning and effect of the term “processing operations” in the Draft Decision, but “on balance” considered that TIC’s legal argument was “a stateable one”, deciding not to proceed with the issuing of a reprimand to TIC144 . 7.2 Summary of the objections raised by the CSAs 140. The DE SA raised an objection concerning the fact that while in the Preliminary Draft Decision both a reprimand and a fine were envisaged, only a fine was included in the Draft Decision. The DE SA disagreed with the reasoning put forward by the IE SA concerning the decision to not impose a reprimand. According to the DE SA, the legal reasoning accepted by the LSA as “stateable” is not convincing as the legal interpretation requires not only an examination of the wording of the provision, but also of its meaning and purpose, the history of its development and its systematic integration into the entire regulatory complex. 7.3 Position of the LSA on the objections 141. In its Composite Memorandum, the IE SA considered that whereas the DE SA’s objection does relate to “whether envisaged action in relation to a controller or processor complies with [the GDPR]”, it does not demonstrate how not issuing a reprimand to TIC could lead to significant risks for data subjects145 on the decision to not issue a reprimand was not relevant and reasoned in accordance with Article 4(24) GDPR. 142. Nonetheless addressing the merits of the substantial issue(s) raised by the objections, the LSA explained that it considered the term “processing operations” in accordance with its meaning and application throughout the whole GDPR, noticing that this term is only used for SAs’ powers under Article 58 GDPR. Following TIC’s submissions in its response to the CSAs’ objections on that point, the LSA decided, having regard to the scope of the inquiry that focussed on the controller’s obligations in relation to the Breach notification, that its inquiry “did not involve a finding that the underlying ‘processing operations’ relating to the Breach infringed [...] the GDPR” 146. Therefore, the LSA considered that there was no reason to review its decision to not issue a reprimand in light of the DE SA’s objection. 143. The LSA noted that its position in the Draft Decision to not issue a reprimand is only applicable to the specific circumstances of this case; hence is without any prejudice for future decisions on reprimands that could be made by the LSA or any other CSA147 . 143 Draft Decision, paragraph 12.5. 144 Draft Decision, paragraph 12.5. The other separate arguments made by TIC concerning reasons why the imposition of a reprimand was not considered appropriate (TIC’s submissions in relation to the Preliminary Draft Decision, paragraphs 11.2-11.4) were not considered separately, in light of the aforementioned decision (Draft Decision, paragraph 12.6). 145 Composite Memorandum, paragraph 5.79. 146 Composite Memorandum, paragraph 5.78. 147 Composite Memorandum, paragraph 5.78. Adopted 34 7.4 Analysis of the EDPB 7.4.1 Assessment of whether the objections were relevant and reasoned 144. The DE SA objection refers to the compliance of the envisaged action with the GDPR, as it indicates what corrective action would, in its view, be appropriate for the LSA to include in the final decision: it is therefore a relevant objection, which adequately shows the different conclusion proposed. Furthermore, it includes legal reasoning supporting its view and proposes an alternative legal interpretation. Nevertheless, the objection does not clearly demonstrate the significance of the risk posed by the Draft Decision for rights and freedoms of data subjects and/or the free flow of personal data. In particular, it does not provide motivation on how the failure to impose a reprimand in this specific case - where a fine is also imposed - may trigger risks for data subjects’ fundamental rights and freedoms. 7.4.2 Conclusion 145. The EDPB considers that this objection does not meet the requirements of Article 4(24) GDPR. 146. The EDPB notes the LSA position that its position to not issue a reprimand is only applicable to the specific circumstances of this case; hence is without any prejudice for future decisions on reprimands that could be made by the LSA or any other CSA148 . 147. As previously indicated, the decision of the EDPB not to assess the merits of the substance of the objection raised is without prejudice to future EDPB decisions on the same or on similar issues. 8 ON THE CORRECTIVE MEASURES - IN PARTICULAR, THE CALCULATION OF THE ADMINISTRATIVE FINE 8.1 Analysis by the LSA in the Draft Decision 148. The Draft Decision explains how the IE SA considered the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine and how to determine its amount149 . 149. As regards the calculation of the fine, the Draft Decision analysed, first, the nature, gravity and duration of the infringement, as per Article 83(2)(a) GDPR150 . The Draft Decision took into account the “nature, scope or purpose of the processing” by referring to the nature of the processing operations carried on by Twitter (a “microblogging” and social media platform on which users have the opportunity to document their thoughts in “tweets”), to the nature of the processing that gave rise to the Breach (arising from a bug leading to previously ‘protected’ tweets becoming ‘unprotected’ and publicly accessible - in cases where Android users changed the email address), and to the scope of the processing (the bug affected at least 88,726 EU/EEA users, as additional people were affected between 148 Composite Memorandum, paragraph 5.78. 149 Draft Decision, paragraphs 14.1-14.62. 150 Article 83(2)(a) GDPR refers to “the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them”. Adopted 35 the date of the bug on 4 November 2014 and its full remediation on 14 January 2019 but it was not possible for them to be all identified)151 . 150. The Draft Decision also took into account the number of data subjects affected and the level of damage suffered by them152 by concluding that the number of data subjects who could have been potentially affected by the delayed notification and the potential for damage to data subjects arising from the consequent delayed assessment by the SA were relevant factors to take into consideration153 . It was recalled that the impact on individual users and the possibility of damage arising therefrom will impact on the level and nature of the personal data made public and that there was at least a potential for damage to data subjects linked to the delaying of remedial actions154. The position of the IE SA in the Preliminary Draft was that “whilst TIC had not confirmed the precise nature of the data made public in the Breach, it was reasonable to deduce that, given the scale of the affected users and the nature of the service offered by TIC, some of the personal data released in relation to, at least, some of the users will have included sensitive categories of data and other particularly private material” 155 . This position was further nuanced in the Draft Decision in light of TIC’s submissions, as the IE SA decided that “less weight should be attributed to this factor”, on the basis of the fact that “while it cannot be definitively said that no users affected by the Breach were affected by the delayed notification, there was no direct evidence of damage to them arising from the delayed notification” 156 . 151. With respect to the nature of the infringement, the Draft Decision highlighted that the infringements of Articles 33(1) and 33(5) GDPR do not relate to the substantive matter of the Breach157 . The IE SA also considered that the nature of the obligations under Articles 33(1) and 33(5) GDPR are such that compliance is central to the overall functioning of the supervision and enforcement regime performed by supervisory authorities in relation to both the specific issue of personal data breaches but also the identification and assessment of wider issues of non-compliance by controllers and that non- compliance with such obligations has serious consequences in that it risks undermining the effective exercise by SAs of their functions under the GDPR158 . 152. With regard to the gravity of the infringement of Article 33(1) GDPR, the Draft Decision took account of how it interfered with the overall purpose of notifying a personal data breach to the supervisory authority, of the fact that no material damage to data subjects was shown, of the fact that the remedial measures by TIC were limited to forward looking action to close down the bug (and did not amount to a backward looking analysis to identify the risks to data subjects arising from the Breach) and TIC’s apparent failure to carry out any formal risk assessment159 . The Draft Decision did not consider TIC’s contention that the Breach was due to an isolated failure (which led to the delay in notifying the DPO) to be of sufficient weight as to lessen the gravity of the infringement (but did take into account of such isolated nature of the incident, departing from the provisional view in the Preliminary Draft that the 151 Draft Decision, paragraph 14.2. 152 Draft Decision, paragraphs 14.3-14.5. 153 Draft Decision, paragraph 14.5. 154 Draft Decision, paragraph 14.5 (the Draft Decision notes that “Clearly, the impact on individual users, and the possibility of damage arising therefrom, will depend on the level of personal data made public and, also, the nature of that personal data”). 155 Draft Decision, paragraph 14.5. 156 Draft Decision, paragraph 14.5. 157 Draft Decision, paragraph 14.6. 158 Draft Decision, paragraph 14.11. 159 Draft Decision, paragraphs 14.16-14.18. Adopted 36 Breach was indicative of a broader, more systemic issue)160 . Concerning the gravity of the infringement of Article 33(5) GDPR, the Draft Decision highlighted that proper documentation of breaches is required in order to enable a supervisory authority to verify the controller’s compliance with Article 33 GDPR161 and that the IE SA was required to raise multiple queries in order to gain clarity concerning the facts surrounding the notification of the Breach162 , but acknowledged that the deficiencies in the documentation arose from a good faith misunderstanding of the requirements (which are, however, clear from the wording of the provision)163. The Draft Decision concluded that each infringement was at the “low to moderate end of the scale of gravity” 164 . 153. With regard to the duration of the infringement of Article 33(1) GDPR, the Draft Decision considered that it was a period of two days and evaluated it in light of the overall timeframe generally permitted for breach notifications (72 hours), noting that it was not a trivial or inconsequential one165 . Concerning the duration of the infringement of Article 33(5) GDPR, the Draft Decision concluded that it was ongoing166 . 154. In relation to Article 83(2)(b) GDPR (the intentional or negligent character of the infringement), the IE SA concluded in its Draft Decision that there was a negligent character to TIC’s infringement of Article 33(1) GDPR167, outlining that the delay in the notification of the Global DPO occurred because part of the internal protocol of the Twitter Group was not completed as prescribed and the protocol was not as clear as it could have been168. This led to the conclusion that the delay arose as a result of a negligence on the part of the controller, but TIC’s submission that the delayed notification was not indicative of a broader systemic issue and amounted to an isolated occurrence was accepted169. The IE SA did not identify any evidence of intentional conduct with regard to the infringement of Article 33(1) GDPR170 . The Draft Decision also identified that there was a negligent character to TIC’s infringement of Article 33(5) GDPR171, since there was no knowledge and wilfulness to cause the infringement (which would have amounted to intent) but the documentation was not sufficient to enable compliance with Article 33 to be verified172 . 155. As regards Article 83(2)(c) GDPR, i.e. action taken by the controller to mitigate the damage suffered by data subjects, the Draft Decision considered that remedial measures were taken to avoid repetition of the issue and to rectify the bug, which were considered as the sole mitigating factor in assessing the amount of the fine to be imposed173 . 156. The Draft Decision considered Article 83(2)(d) GDPR, i.e. the degree of responsibility for the controller or processor, by noting the existing and subsequently enhanced technical and organisational measures 160 Draft Decision, paragraph 14.19. 161 Draft Decision, paragraph 14.20. 162 Draft Decision, paragraph 14.21. 163 Draft Decision, paragraph 14.24. 164 Draft Decision, paragraph 14.24. 165 Draft Decision, paragraph 14.26 (it commenced on the expiration of the 72 hours from 3 January 2019 (i.e. on 6 January 2019) and ended at the time of TIC’s notification of the Breach on 8 January 2019). 166 Draft Decision, paragraph 14.29. 167 Draft Decision, paragraph 14.34. 168 Draft Decision, paragraphs 14.33-14.34. 169 Draft Decision, paragraph 14.34. 170 Draft Decision, paragraph 14.35. 171 Draft Decision, paragraph 14.38. 172 Draft Decision, paragraphs 14.36, 14.38. 173 Draft Decision, paragraphs 14.39-14.42. Adopted 37 implemented by TIC as controller, including the amendment of the internal protocol of the Twitter Group (which the IE SA found was not as clear as it could have been) and the staff training measures taken afterwards by Twitter, Inc.(additional training was provided internally highlighting the importance of mentioning the DPO team - and therefore TIC as controller - in the internal ticket system), as well as the existence of internal structures and safeguards concerning responsibility for information security issues and the existence of a recurring external third party expert audit of Twitter, Inc.’s Information Security Programme174 . Although the issues that arose were not found to be indicative of a broader systemic issue175 and TIC demonstrated a generally responsible and accountable approach towards data security176 , it was considered that there was a moderate to high level of responsibility demonstrated by the controller as a lack of clarity in the protocol was shown also by its subsequent amendment177 . 157. The degree of cooperation with the supervisory authority was evaluated, in line with Article 83(2)(f) GDPR, and was found to not amount to a mitigating factor178. The IE SA acknowledged that TIC cooperated fully but noted that this was a statutory obligation and TIC did not go beyond such duty179 . 158. In relation to Article 83(2)(g) GDPR concerning the categories of personal data affected, the Draft Decision concluded that any category of personal data could have been affected by the delayed notification and that it cannot be definitively said that there was no damage to data subjects or no affected categories of personal data180 . 159. The manner in which infringement became known to the IE SA was considered to be a relevant factor in the determination of the amount of the fine (in line with Article 83(2)(h) GDPR), since while TIC was forthcoming in furnishing all available documentation the records did not allow the IE SA to verify compliance with Article 33 GDPR and the information originally provided in the notification made to the IE SA was of an imprecise nature181 . 160. The criteria in Article 83(2)(e), (i) and (j) GDPR were found to be not applicable, and no further elements were identified in relation to Article 83(2)(k) GDPR182 . 161. The IE SA underlined in its Draft Decision that in the absence of specific EU-level guidelines on the calculation of fines, it was not bound to apply any particular methodology or use a fixed financial starting point183 and that the expression “due regard” provides SAs with a broad discretion as to how to weigh the factors in Article 83(2) GDPR184 . 162. As regards the identification of the relevant undertaking to calculate the fining cap established by Article 83(4) GDPR, the IE SA underlined that the fact that TIC enjoys autonomy in its control over data processing does not mean that it ceases to be part of a single economic entity with its parent company 174 Draft Decision, paragraphs 14.43-14.47. 175 Draft Decision, paragraphs 14.45. 176 Draft Decision, paragraph 14.47. 177 Draft Decision, paragraph 14.47. 178 Draft Decision, paragraph 14.50. 179 Draft Decision, paragraph 14.49. 180 Draft Decision, paragraph 14.54. 181 Draft Decision, paragraph 14.58. 182 Draft Decision, paragraphs 14.48, 14.59, 14.60, 14.61. 183 Draft Decision, paragraph 15.2. 184 Draft Decision, paragraph 15.1. Adopted 38 and noted that, in addition to the ownership of TIC by Twitter, Inc., the General Counsel of Twitter, Inc. appears to be one of the three directors of TIC185 . 163. For this reasons, the cap for the value of any fine imposed was calculated by the LSA with reference to Twitter, Inc.’s turnover186 . As the annual turnover of Twitter, Inc., in 2018, amounted to 3 billion USD, the cap was considered to be 60 million USD (2% of 3 billion USD)187 . 164. In applying the principles of effectiveness, proportionality and dissuasiveness (Article 83(1) GDPR), the Draft Decision considered that a fine cannot be effective if it does not have significance relative to the revenue of the controller, that the infringement needs to not be considered in the abstract, regardless of the impact on the controller, and that future infringements need to be deterred188 . 165. The IE SA proposed to impose an administrative fine within the range of 150,000-300,000 USD, i.e. between 0.005% and 0.01% of the undertaking’s annual turnover or between 0.25% and 0.5% of the maximum amount of the fine which may be applied in respect of these infringements. This equates to a fine in Euro of between 135,000 and 275,000189 . 8.2 Summary of the objections raised by the CSAs 166. The AT SA raised an objection concerning the amount of the proposed fine and the fact that the LSA proposed a range of amounts instead of a fixed sum. With regard to Article 83(2)(a) GDPR, the AT SA highlighted that at least 88,726 people (but probably more) were affected by the Breach and “it is very likely that sensitive data were disclosed to the broader public”. 167. The objection raised by the AT SA expressed a disagreement as to how the time at which the controller should be deemed to be aware of a data breach was analysed in the Draft Decision. More specifically, the AT SA argued in its objection that TIC should have made a data breach notification within 72 hours after the processor received the bug report and thus became aware of the Breach. The AT SA highlighted that TIC is responsible for overseeing the processing operations carried out by its processor, and that a controller should not seek to hide the failure of its processor with whom it has a contractual relationship and which was selected by the controller itself. This contributes to the assessment of the infringement of Article 33(1) GDPR by the AT SA as “grave”. 168. With regard to the “intentional or negligent character of the infringement” (Article 83(2)(b) GDPR), the AT SA argued that the behaviour of TIC should be labelled as “intentional”, on the basis of the criteria of knowledge and wilfulness established in the Guidelines on the application and setting of administrative fines (“WP253”) of the Article 29 Working Party, endorsed by the EDPB190. As to the criterion referring to actions taken to mitigate the damage suffered by data subjects (Article 83(2)(c) GDPR), the AT SA highlighted that “initially it was not TIC’s intention to notify users who were affected by the breach” and “the steps taken by Twitter Inc. to rectify the bug are the sole mitigating factor”. 185 Draft Decision, paragraph 15.13. 186 Draft Decision, paragraph 15.14. 187 Draft Decision, paragraph 15.19. 188 Draft Decision, paragraph 15.18. 189 Draft Decision, paragraph 15.20 (The higher end of the range proposed in the Draft Decision is lower than in the Preliminary Draft Decision, in order to reflect changes in the views in relation to gravity, the degree of responsibility of the controller and whether the infringements were systemic). In paragraph 15.21, the Draft Decision underlined that in order to protect TIC’s procedural rights a range of a fine was proposed as opposed to a fixed figure, and acknowledged the possibility that CSAs would comment on where in that range the penalty should lie. 190 https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237. Adopted 39 Finally, AT SA considers the range of fine proposed by the IE SA neither effective, nor proportionate, nor dissuasive having regard to the criteria listed in Article 83(2)(a) – (k) GDPR. As a conclusion, the AT SA proposed the imposition of a higher administrative fine, which could meet the requirement of effectiveness, proportionality and dissuasiveness (namely “a minimum amount of 1 % of the undertaking’s annual turnover”). 169. The DE SA raised an objection arguing that the fine proposed by the LSA is “too low” and “does not comply with the provisions of Article 83(1) GDPR”. More specifically, the DE SA argued that the fine is not dissuasive. The objection recalled that a sanction can be deemed effective and dissuasive if it is suitable both as a general preventive measure - to deter the general public from committing infringements and to affirm the general public's confidence in the validity of Union law - and as a special preventive measure - to deter the offender from committing further infringements. The DE SA goes on to argue that the financial capacity of an undertaking (in terms of turnover) can provide an important indication of the amounts required to achieve dissuasiveness: this may entail taking into account the part of the turnover generated by the products in respect of which the infringement has been committed, which may provide an indication of the scale of the infringements. The DE SA also argues that the dissuasive effect of high fines can only be achieved if the amounts imposed cannot be easily paid because of large assets or high income, highlighting that the fine must have a dissuasive effect, particularly in relation to specific data processing. As a consequence, the threatened fine must be high enough to make data processing uneconomic and objectively inefficient. As Twitter’s business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would therefore have to be so high that it would render the illegal data processing unprofitable. On the basis of the fine concept applicable to the DE SAs, the fine for the infringement described in the Draft Decision would range from approximately EUR 7,348,035.00 to EUR 22,044,105.00. 170. The HU SA argued that, although “fines are justified for the committed infringements”, “the fine set out in the draft is unreasonably low, disproportionate and thus not dissuasive in view of the gravity of the committed infringement and the Controller’s worldwide market power”. 171. The IT SA asked the LSA to “review the draft decision as also related to quantification of the administrative fine, taking also account of specific aggravating elements of the case with regard to the nature of the data controller and the severity and duration of the data breach”. 8.3 Position of the LSA on the objections 172. The IE SA assessed that the objections raised by the AT SA, DE SA and HU SA in relation to the administrative fine to be ‘relevant and reasoned’ within the meaning of Article 4(24) GDPR. At the same time, the IE SA did not follow these objections for the reasons set out in the Composite Memorandum191 . 173. In particular, as regards to the AT and DE SA's objections, the IE SA considers that its assessment and application of the factors at Articles 83(2)(a) and (b) GDPR, as elaborated in its Draft Decision, is appropriate. Regarding the AT SA's objection, the IE SA argues that TIC's infringement of Article 33(1) and Article 33(5) GDPR was the result of TIC's negligence rather than an intentional omission192 . Therefore, the IE SA believes that the fine as proposed by the AT SA is not proportionate193. In addition, 191 Composite Memorandum, paragraphs 5.60-5.72. 192 Composite Memorandum, paragraph 5.62. 193 Composite Memorandum, paragraph 5.63. Adopted 40 the IE SA argues that the concern of the AT SA regarding the fining range proposed in the Draft Decision, as opposed to a fixed sum, was not well elaborated and clarified by this CSA194 . With regard to the DE SA's objection, the IE SA took note of the objection of the DE SA regarding the need for the fine to meet the requirement of dissuasiveness, but is of the opinion that the level of the fine proposed by the DE SA is not proportionate in this case195 . For the above-mentioned reasons, the IE SA considers these objections are reasoned and relevant, but proposes not to follow them196 . 174. The IE SA has taken due account of the AT SA’s view in relation to the timing of TIC’s awareness and notification of the Breach but concluded that notwithstanding TIC’s actual ‘awareness’ of the Breach on 7 January 2019, TIC ought to have been aware of the Breach at the latest by 3 January 2019197 . In identifying 3 January 2019 as the date on which TIC ought to have been aware of the breach, the IE SA took into account that an earlier delay had arisen during the period from when the incident was first notified by a contractor to Twitter, Inc. to when Twitter, Inc. commenced its review198 . Further, the IE SA clarifies that it is not suggesting that, "as a matter of generality, data controllers ought to automatically be considered to have awareness of data breaches at the same time at which their processor becomes aware of the breach" 199 . Also, the IE SA states that "it will usually be the case that a processor which experiences a breach will be aware of the incident at an earlier point in time than its controller, and that, provided the process agreed between the controller and the processor is effective and / or is followed, the controller will be made ‘aware’ of the breach [...] in a manner that enables it to comply with its obligation to notify same" 200 . 8.4 Analysis of the EDPB 8.4.1 Assessment of whether the objections were relevant and reasoned 175. Concerning the possibility for relevant and reasoned objections on whether envisaged action in relation to the controller or processor complies with the GDPR201 to challenge the amount of proposed fines, the EDPB recently clarified that “it is possible that the objection challenges the elements relied upon to calculate the amount of the fine” 202. This can amount to an example of objection concerning whether the envisaged action in relation to the controller or processor complies with the GDPR. 176. In the case at stake, the AT SA’s objection challenges the elements relied upon by the IE SA in calculating the amount of the fine and thus concerns the compliance of the proposed action vis-a-vis the controller with the GDPR. The AT SA clarified the connection between its objection and the Draft Decision and demonstrated how the proposed changes would lead to a different conclusion. Additionally, it provided arguments on why the amendment of the decision is proposed, by providing an alternative interpretation of three of the criteria listed by Article 83 GDPR and by making reference to factual and legal arguments. The AT SA clearly demonstrates the significance of the risks posed by the Draft Decision, first of all, by arguing that the proposed fine is not adequately effective and dissuasive and by recalling that to this end it needs to be likely to deter the general public from committing a similar infringement and confirm the public’s confidence in the application of Union law, 194 Composite Memorandum, paragraph 5.64. 195 Composite Memorandum, paragraph 5.68. 196 Composite Memorandum, paragraphs 5.65, 5.68. 197 Composite Memorandum, paragraph 5.48. 198 Composite Memorandum, paragraph 5.50. 199 Composite Memorandum, paragraph 5.50. 200 Composite Memorandum, paragraph 5.50. 201 GDPR, Article 4(24). 202 Guidelines on RRO, paragraph 34. Adopted 41 as well as to deter the controller from committing further infringements. Additionally, in the assessment of the gravity of the infringement the objection also refers to the extent to which data subjects (in a number likely to be higher than the one identified) were affected by the Breach (e.g. by having their previously protected tweets, likely to include sensitive data, exposed to the wider public). The alleged intentionality of the infringement, according to the AT SA, implies a far greater impact on the ability to know right from wrong than a negligent infringement. In light of the assessment above, the EDPB considers that the AT SA’s objection is relevant and reasoned in accordance with Article 4(24) GDPR. As a consequence, the EDPB will assess the merit of the substantial issues raised by this objection (see section 8.4.2 below). 177. The DE SA’s objection is also to be considered relevant as it concerns the compliance of the envisaged action with the GDPR, by challenging the elements relied upon to calculate the amount of the fine. More specifically, it argues that the fine imposed by the IE SA is not dissuasive and thus the calculation performed does not comply with Article 83(1) GDPR. The DE SA clarified that a sanction is to be considered effective and dissuasive, when it serves as a general preventive measure to deter general public from committing infringements as well as to affirm its trust to the validity of the Union law, but also when it deters the offender from committing additional infringements. In addition, the DE SA clearly demonstrates the significance of the risks that the Draft Decision poses to the rights and freedoms of the data subjects as the failure to impose a dissuasive and effective sanction may not be able to deter the controller from committing further infringements. 178. Another argument provided by the DE SA to demonstrate the significance of the risks is that the failure to appropriately handle the Breach suggests a “systemic error”, which would have required submitting the controller to a deeper scrutiny, beyond the single specific incident. The DE SA also recalled that a large number of persons was concerned and the period of time was equally substantial and concluded that the corrective powers imposed on the basis of Article 58(2) GDPR need to be examined in light of these elements. To conclude, the EDPB considers that the DE SA’s objection is reasoned and relevant within the definition of Article 4(24) GDPR. As a consequence, the EDPB will assess the merit of the substantial issues raised by this objection (see section 8.4.2 below). 179. The HU SA’s objection is relevant as it also concerns the compliance of the envisaged action with the GDPR, by stating that the proposed fine is “unreasonably low, disproportionate and thus not dissuasive”. However, while the objection refers to “the “bug” in the controller’s application over the years” and to “its serious nature affecting data security”, as well as to the “gravity of the committed infringement” and to the “controller’s worldwide market power”, it does not clearly demonstrate the significance of the risks for rights and freedoms of data subjects posed by the amount of the fine as proposed by the IE SA. As a consequence, the EDPB considers this objection does not meet the requirements of Article 4(24) GDPR203 . 180. Last, the relevance of the objection raised by the IT SA is also shown by its reference to whether the proposed action complies with the GDPR, as it argues that the IE SA should review the Draft Decision in relation to the quantification of the administrative fine. By referring to the “foregoing objections” and thus to the fact that the aspects mentioned are “structural in nature as regards the controller's organisation” and “bound to produce effects not simply on the case at issue, but also on any data 203 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. Adopted 42 breach that may occur in the future”, the IT SA’s objection clearly demonstrates the significance of the risks for the rights and freedoms of data subjects with respect to the quantification of the fine. 181. Therefore, EDPB considers that the IT SA’s objection is reasoned and relevant meeting the requirements of Article 4(24) GDPR. As a consequence, the EDPB will assess the merit of the substantial issues raised by this objection. 8.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and reasoned objections 182. The EDPB considers that the objections found to be relevant and reasoned in this subsection204 require the assessment of whether the Draft Decision proposes a fine in line with the criteria established by Article 83 GDPR and the Article 29 Working Party Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (“WP253”) (endorsed by the EDPB)205 . 183. Indeed, the consistency mechanism may also be used to promote a consistent application of administrative fines206: where a relevant and reasoned objection challenges the elements relied upon by the LSA to calculate the amount of the fine, the EDPB can instruct the LSA to engage in a new calculation of the proposed fine by eliminating the shortcomings in the establishment of causal links between the facts at issue and the way the proposed fine was calculated on the basis of the criteria in Article 83 GDPR and of the common standards established by the EDPB207 . A fine should be effective, proportionate or dissuasive, as required by Article 83(1) GDPR, taking account of the facts of the case208 . In addition, when deciding on the amount of the fine the LSA shall take into consideration the criteria listed in Article 83(2) GDPR. 184. As regards the nature, gravity and duration of the infringement found in Articles 33(1) and 33(5) GDPR, Article 83(2)(a) GDPR requires to take into consideration inter alia the nature, scope and purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them. 185. The EDPB agrees with the IE SA that the infringement to consider is not the Breach as such but the compliance with Articles 33(1) and 33(5) GDPR to notify that breach to the competent SA and to document that breach. 186. The EDPB notes that the IE SA takes into account the nature of the processing as well as the number of data subjects affected. As regards the nature of the processing, the IE SA describes as a “microblogging” and social media platform on which users have the opportunity to document their thoughts in “tweets”. The EDPB considers that when assessing the nature of the processing, one must also take into consideration the fact the “processing concerned” involved communications by data subjects who deliberately chose to restrict the audience of those communications. The EDPB takes note that the IE SA Draft Decision considered that: “the impact on individual users, and the possibility of damage arising therefrom, will depend on the level of personal data made public and, also, the nature of that personal data. In this regard, I indicated in the Preliminary Draft that whilst TIC had not 204 These objections are those of the AT SA, DE SA, and IT SA. 205 Article 29 Working Party Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP253 adopted on 3 October 2017 (endorsed by the EDPB on 25 May 2020). 206 GDPR, Recital 150. 207 Guidelines on RRO, paragraph 34. 208 EDPB Guidelines on administrative fines, p. 7. Adopted 43 confirmed the precise nature of the data made public in the Breach, it was reasonable to deduce that, given the scale of the affected users and the nature of the service offered by TIC, some of the personal data released in relation to, at least, some of the users will have included sensitive categories of data and other particularly private material” 209 . However, the IE SA, based on TIC submissions, gave less weight to this factor than it did in the Preliminary Draft, as there was no direct evidence of damage210 . The EDPB considers, however, that the IE SA should still have given significant weight to the fact that the “processing concerned” involves communications by data subjects who deliberately chose to restrict the audience of those communications, when evaluating the nature of the processing concerned. In particular, the IE SA should have given significant weight to this fact given that it was recalled by the IE SA in the Draft Decision, where the IE SA considered that "the large scale of the affected user segment gives rise to the possibility of a much broader spectrum of damage arising from the Breach, particularly given the nature of the service being offered by TIC" and "the likelihood that many users will have relied on the function of keeping “tweets” private to share information or views (in the comfort of what they believe to be a private and controlled environment) that they would not ordinarily release into the public domain" 211 . 187. Moreover, when it comes to the scope of the processing concerned as such, the IE SA appears to substitute the scope of the processing with the number of the data subjects affected. The EDPB considers that the nature and the scope of the “processing” to take into consideration in the determination of the fine is not the processing operation consisting in the (accidental) disclosure (personal data breach), or the cause thereof, but rather the scope of the underlying processing carried out by TIC, as described in the previous paragraph. 188. According to the AT SA, the timing when the controller became aware of the breach impacts on the gravity of the infringement of Article 33(1) GDPR. The objection raised by the AT SA expressed a disagreement as to how the time at which the controller should be deemed to be aware of a data breach should be determined or assessed. More specifically, the AT SA argued in its objection that TIC should have made a data breach notification within 72 hours after the processor became aware of the bug. This contributes to the assessment of the infringement of Article 33(1) GDPR by the AT SA as “grave”. 189. In this respect, the EDPB recalls that the Guidelines on personal data breach notification under Regulation 2016/679 (“WP250”)212, which were endorsed by the EDPB, state that the "focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data" 213 . 190. According to the Guidelines on personal data breach notification, a controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised214 . Since the controller uses the processor to achieve its purposes, in principle, the controller should be considered as “aware” once 209 Draft Decision, paragraph 14.51. 210 See paragraph 150 above. 211 Draft Decision, paragraph 14.51. 212 Article 29 Working Party Guidelines on personal data breach notification under Regulation 2016/679, WP250 rev.01, endorsed by the EDPB (hereinafter, “Guidelines on personal data breach notification”). 213Guidelines on personal data breach notification, p. 5. 214 Guidelines on personal data breach notification, p.10-11. Adopted 44 the processor has informed it of the breach215 . However, the GDPR puts an obligation on the controller to ensure that they will be “aware” of any breaches in a timely manner so that they can take appropriate action"216 and explain that "the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as being “aware”" 217 . However, the Guidelines clarify that this initial investigation should begin as soon as possible and that a more detailed investigation can then follow218 . 191. The Guidelinesthus make it clear that the controller, and by extension, the processor, are to act swiftly. "In most cases these preliminary actions should be completed soon after the initial alert (i.e. when the controller or processor suspects there has been a security incident which may involve personal data) – it should take longer than this only in exceptional cases"219 . 192. Having regard to the above, the EDPB agrees with the position of the IE SA’s assessment according to which the controller cannot be expected to have become aware at the moment its processor has realised that a security incident has occurred. As provided in the WP29 Guidelines on data breach notifications, which were endorsed by the EDPB, there needs to be a degree of certainty that a personal data breach has occurred before awareness can be stipulated. It is not clear from the facts at issue as reflected in the Draft Decision that this was the case before the 3 January 2019. In this case, AT SA did not prove that TIC reached the necessary degree of certainty as to the fact that a data breach had occurred earlier than when the IE SA found TIC to be “aware” of the breach. As a consequence, the EDPB considers that the assessment of the gravity of the infringement does not need to be adjusted in light of a different determination of when the controller became aware of the data breach. 193. Moreover, as regards the gravity of the infringement, the EDPB agrees with IE SA that the compliance with Articles 33(1) and 33(5) GDPR are central to the overall functioning of the supervision and enforcement regime. 194. As regards the objection raised by the AT SA regarding the intentional nature of the infringement, the EDPB considers that the objection did not sufficiently demonstrate that from the moment the controller gained knowledge it intentionally disregarded its duty of care. 195. However, as regards the negligent nature of the infringement, the EDPB considers that a company for whom the processing of personal data is at the core of its business activities should have in place sufficient procedures for the documentation of personal data breaches, including remedial actions, which will enable it to also comply with the duty of notification under Article 33(1) GDPR. This element implies an additional element to take into consideration in the analysis of the gravity of the infringement. 196. The EDPB recalls that the CJEU has consistently held that a dissuasive penalty is one that has a genuine deterrent effect220. In that respect, a distinction can be made between general deterrence (discouraging others from committing the same infringement in the future) and specific deterrence 215 Guidelines on personal data breach notification, p. 13. 216 Guidelines on personal data breach notification, p.11. 217 Guidelines on personal data breach notification, p.11 (emphasis added). 218 Guidelines on personal data breach notification, p.11. 219 Guidelines on personal data breach notification, p.12 (emphasis added). 220 See Opinion of Advocate General Geelhoed of 29 April 2004 in Judgment of 12 July 2005, Commission / France, C-304/02, EU:C:2005:444, par. 39. Adopted 45 (discouraging the addressee of the fine from committing the same infringement again)221. Moreover, the severity of penalties must be commensurate with the seriousness of the infringements for which they are imposed222. It follows that fines must not be disproportionate to the aims pursued, that is to say, to compliance with the data protection rules and that the amount of the fine imposed on an undertaking must be proportionate to the infringement viewed as a whole, account being taken in particular of the gravity of the infringement 223 . 197. While the LSA in its Draft Decision made reference to the requirement that the file must be dissuasive and proportionate, the EDPB considers that the LSA did not sufficiently substantiate how the fine proposed addresses these requirements. In particular, the EDPB notes that the LSA moves from calculating the maximum amount of the fine (set at $60 million) to stating the proposed fining range (set between $150.000,- and $300.000,-), without further explanation as to which particular elements led the LSA to identify this specific range224 . Beyond the general reference to the relevant factors of Article 83 (2) GDPR, there is not a clear motivation for the choice of the proposed percentage (between 0.25% and 0.5%) of the maximum applicable fine under Article 83(4) GDPR. 198. In this regards, the EDPB has elaborated above the reasons to why the LSA in its Draft Decision should have given greater weight to the element relating to the nature, scope and negligent character of the infringement and therefore consider that the proposed fine range should be adjusted accordingly. 8.4.3 Conclusion 199. Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and therefore does not fulfil its purpose as a corrective measure, in particular it does not meet the requirements of Article 83(1) GDPR of being effective, dissuasive and proportionate. 200. Thus, the EDPB requests the IE SA to re-assess the elements it relies upon to calculate the amount of the fixed fine225 to be imposed on TIC so as to ensure it is appropriate to the facts of the case. 201. The EDPB notes that the analysis of the objections is limited to the substance of the objections to be considered as relevant and reasoned. The scope of the EDPB’s analysis concerning the calculation of the fine is therefore limited to an analysis of the method of the calculation of the fines as such. It does not constitute an implicit or explicit validation by the EDPB, of the analysis carried out by the LSA regarding the infringement of Article 33(1) or Article 33(5) GDPR or the legal qualification of the Twitter Inc. and TIC respectively. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 9 BINDING DECISION 202. In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue binding decisions pursuant to Article 65 GDPR, the Board issues the following binding decision in accordance with Article 65(1)(a) GDPR: 221 See inter alia Judgment of 13 June 2013, Versalis Spa / Commission, C-511/11, ECLI:EU:C:2013:386, para. 94. 222 CJEU Judgment of 25 April 2013, Asociaţia Accept, C-81/12. 223 Marine - Harvest EU General Court T-704/14, 26 October 2017. 224 Draft Decision 15.19 and 15.20. 225 This should preferably already be provided in the Art 60 GDPR draft decision. Adopted 46 203.On the objections concerning the qualification of controller and processor and the competence of the LSA: The EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised, as they do not meet the requirements of Article 4(24) GDPR. 204.On the objections concerning the infringements of Article 33(1) and 33(5) GDPR found by the LSA: In relation to the objection of the FR SA on the absence of an infringement of Article 33(1) GDPR, the objection of the DE SA on the determination of the dies a quo for the infringement of Article 33(1) GDPR, and the objection of the IT SA relating to the infringement of Article 33(5) GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR. 205.On the objections relating to the possible further (or alternative) infringements of the GDPR identified by the CSAs: In relation to the objection of the DE SA on the possible infringements of Article 5(1)(f), Article 24, and Article 32 GDPR, and to the objection of the IT SA on the possible infringement of Article 5(2) GDPR, the EDPB decides that, while they meet the requirements of Article 4(24) GDPR, the IE SA is not required to amend its Draft Decision because the available factual elements included in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of infringements of Articles 5(1)(f), Article 5(2), Article 24, and Article 32 GDPR. In relation to the objection of the DE SA relating to the possible infringement of Article 33(3) GDPR, the objection of the FR SA relating to the possible infringement of Article 28 and Article 32 GDPR, the objection of the HU SA relating to the possible infringement of Article 5(1)(f), Article 32, and Article 34 GDPR, and the objection of the IT SA relating to the possible infringement of Article 28 GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR. 206.On the objection concerning the decision of the LSA to not issue a reprimand: In relation to the objection of the DE SA concerning the decision of the IE SA not to issue a reprimand, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR. 207.On the objection concerning the calculation of the fine suggested by the LSA: In relation to the objection of the HU on the insufficiently dissuasive nature of the fine, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR. In relation to the objection of the AT SA, the objection of the DE SA, and the objection of the IT SA on the insufficiently dissuasive nature of the fine, the EDPB decides that they meet the requirements of Article 4(24) GDPR and that the IE SA is required to re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on TIC, and to amend its Draft Decision by increasing the level of the fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality established by Article 83(1) GDPR and taking into account the criteria of Article 83(2) GDPR. Adopted 47 10 FINAL REMARKS 208. This binding decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on the basis of this binding decision pursuant to Article 65(6) GDPR. 209. Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs. 210. According to Article 65(6) GDPR, the IE SA shall communicate its final decision to the Chair within one month after receiving the binding decision. 211.Once such communication is done by the IE SA, the binding decision will be made public pursuant to Article 65(5) GDPR. 212. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be included in the register of decisions which have been subject to the consistency mechanism. For the European Data Protection Board The Chair (Andrea Jelinek)