EDPB - Binding Decision 1/2020 - 'Twitter'

From GDPRhub
{{DPAdecisionBOX
|Jurisdiction=European Union
|DPA-BG-Color=
|DPAlogo=logoEDPB.png
|DPA_Abbrevation=
|DPA_With_Country=EDPB
|Case_Number_Name=1/2021
|ECLI=
|Original_Source_Name_1=EDPB website
|Original_Source_Link_1=https://edpb.europa.eu/
|Original_Source_Language_1=English
|Original_Source_Language__Code_1=EN
|Type=Other
|Outcome=
|Date_Decided=09.11.2020
|Date_Published=
|Year=2020
|Fine=None
|Currency=
|GDPR_Article_1=Article 4(24) GDPR
|GDPR_Article_Link_1=Article 4 GDPR#24
|GDPR_Article_2=Article 5(1)(f) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1f
|GDPR_Article_3=Article 28 GDPR
|GDPR_Article_Link_3=Article 28 GDPR
|GDPR_Article_4=Article 33(1) GDPR
|GDPR_Article_Link_4=Article 33 GDPR#1
|GDPR_Article_5=Article 33(5) GDPR
|GDPR_Article_Link_5=Article 33 GDPR#5
|GDPR_Article_6=Article 60(4) GDPR
|GDPR_Article_Link_6=Article 60 GDPR#4
|GDPR_Article_7=Article 65(1)(a) GDPR
|GDPR_Article_Link_7=Article 65 GDPR#1a
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Not appealed
|Appeal_To_Link=
|Initial_Contributor=n/a
}}
== English Summary ==

=== Facts ===
After a data breach at Twitter, the IE SA (DPC) circulated a draft decision to the other SAs. Several CSAs (FR, DE, DK, IT, NL, ES, HU) raised relevant and reasoned objections under Article 60 GDPR and maintained them.

Therefore, the EDPB issued its first decision under Article 65(1)(a) GDPR, answering all of the SAs' objections.


=== Dispute ===
* Are Twitter Inc and TIC (Twitter Ireland) controller, processor, or joint controllers?
* Where is the main establishment of Twitter, and therefore does the DPC have jurisdiction?
* When is a relevant and reasoned objection admissible under Article 4(24) GDPR?
* Can infringements of the GDPR other than Article 33(1) and (5) be found?


=== Holding ===
'''1. On the admissibility of an objection, the jurisdiction of the DPC, the controller-processor relationship'''

In essence, the objections raised addressed the fact that the Draft Decision does not contain enough evidence to legally and factually establish the roles of the entities concerned.

The EDPB considers that an objection concerning the role, or designation, of the parties can fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR, as this can affect the determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation.


However, the EDPB considers that an objection on the competence of the supervisory authority acting as LSA should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR.

Moreover, the EDPB considers that the aforementioned objections do not meet the requirements set out in Article 4(24) GDPR.


'''2. On the violation of Article 33(1) obligation to notify in due time'''

According to the Draft Decision, therefore, TIC became actually aware of the Breach on 7 January 2019 but should have been aware of the Breach at the latest by 3 January 2019, since on that date Twitter, Inc. as processor first assessed the incident as being a potential data breach and the Twitter, Inc. legal team instructed that the incident be opened. The Draft Decision stated that where the processor does not follow the procedure, or the procedure otherwise fails, the controller cannot excuse its own delayed notification on the basis of the processor’s fault, as the performance by a controller of its obligation to notify cannot be contingent upon the compliance by its processor with its obligations under Article 33(2) GDPR. This led to the infringement of Article 33(1) GDPR even though less than 72 hours elapsed between the moment at which TIC became actually aware of the Breach (7 January 2019) and the notification (8 January 2019).

The FR SA raised an objection stating that the findings do not correspond to an infringement of Article 33(1) GDPR, but rather of Article 28 or Article 32 GDPR, which set out the obligations of the controller when it decides to have recourse to a processor.

The DE SA argued in its objection that the issue of the allocation of roles affects the determination of the moment of awareness of the Breach, as the knowledge of a breach must be equally attributed to both joint controllers.

The IE SA considers that these objections request consideration of alternative provisions of the GDPR and that such a request by the CSAs would essentially seek to re-scope the Inquiry conducted; the IE SA therefore concluded that the objections do not fall within the definition of “relevant and reasoned objection” for the purposes of Article 4(24) GDPR.

Again, the EDPB considered that the objections raised do not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects.


'''3. On the violation of Article 33(5) GDPR'''

The Draft Decision of the DPC found that TIC did not comply with its obligations under Article 33(5) GDPR to document the Breach, since the documentation furnished by TIC in the course of the inquiry was not considered to contain sufficient information and was not considered to contain a record or document of, specifically, a “personal data breach”, as it amounted to “documentation of a more generalised nature”.

According to the IT SA, the finding in the Draft Decision that TIC provided full cooperation during the investigative phase should be reviewed, as such full cooperation can only be considered to exist if adequate, exhaustive documentation is made available by the controller in a straightforward manner.

The EDPB does not take a position on the merits of the substantial issues raised by this objection “because it fails to clearly demonstrate the significance of the risks posed by the Draft Decision as it does not show the implications the alleged mistake in the Draft Decision would have for the protected values”.


'''4. On potential alternative or further violations of the GDPR identified by the CSAs (concerned authorities)'''

In order to determine whether TIC complied with its obligations under Article 33(1) GDPR, the IE SA considered them in the context of a controller's broader obligations, including those of accountability (Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR). However, the DPC did not consider whether or not TIC complied with any or each of these obligations other than for the purpose of assessing TIC’s compliance with its obligations under Article 33(1) and Article 33(5) GDPR.

The DE, FR, HU, and IT SAs raised objections that TIC infringed other provisions of the GDPR in addition to, or instead of, Article 33(1) and Article 33(5) GDPR.

The LSA (DPC) recalls that it informed TIC at the beginning of the inquiry that its purpose was to verify TIC’s compliance with Article 33(1) and Article 33(5) GDPR in respect of its notification of the Breach to the LSA on 8 January 2019. Therefore, the LSA maintains that if it were to follow the CSAs’ objections and include other infringements in its final decision “on the basis of only the material contained in the Draft Decision”, this would result in jeopardising “the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness”.

The other provisions addressed by the objections of the SAs are the following:


* '''Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality'''
** The EDPB considers the objection raised by the DE SA in relation to the potential additional infringement of Article 5(1)(f) GDPR to be relevant and reasoned for the purposes of Article 4(24) GDPR, but considers that the HU SA’s objection in relation to the same topic does not meet the requirements of Article 4(24) GDPR.
* '''Infringement of Article 5(2) GDPR on the principle of accountability'''
** The EDPB considered that the IT SA’s objection on Article 5(2) GDPR meets the requirements set out in Article 4(24) GDPR. The EDPB will therefore analyse the merits of the substantial issues raised by this objection.
* '''Infringement of Article 24 GDPR on the responsibility of the controller'''
** The EDPB accepts that an objection may challenge the conclusion of the LSA by considering that the LSA’s findings actually lead to the conclusion that another provision of the GDPR has been infringed in addition to or instead of the provision identified by the LSA. The EDPB considers that this is precisely the essence of the DE SA’s objection, which therefore does not prevent it from being relevant and reasoned. The EDPB accordingly assesses the merits of the substantial issues raised by this objection.
* '''Infringement of Article 28 GDPR on the relationship with processors'''
** According to the EDPB, the objections of the FR and IT SAs do not clearly demonstrate the significance of the risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects with specific regard to the failure to conclude on an infringement of this specific provision.
* '''Infringement of Article 32 GDPR on the security of the processing'''
** According to the EDPB, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the confidentiality of personal data and that a large number of persons were concerned for a substantial period of time. However, the objections of the FR and HU SAs do not meet the requirements of Article 4(24) GDPR.
* '''Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing'''
** According to the EDPB, the DE SA does not clearly demonstrate the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. As a consequence, the DE SA’s objection on Article 33(3) GDPR fails to meet the requirements set out in Article 4(24) GDPR.
* '''Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject'''
** The HU SA considers that, if changed, the Draft Decision would lead to the conclusion of additional infringements of the GDPR. However, the EDPB concludes that the HU SA does not clearly demonstrate the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects.

The Board analyses the objections found to be relevant and reasoned (in particular the DE SA’s objections on Article 5(1)(f), Article 24 and Article 32 GDPR, as well as the IT SA’s objection on Article 5(2) GDPR), together with the LSA’s response to those objections and the TIC submissions. The Board considers that the factual elements available in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of further (or alternative) infringements of Article 5(1)(f), 5(2), 24 and 32 GDPR. Even in the case of an own-volition inquiry, the Guidelines on reasoned and relevant objections state that the LSA “should seek consensus regarding the scope of the procedure (i.e. the aspects of data processing under scrutiny) prior to initiating the procedure formally”, including in the context of a possible new proceeding. The EDPB also recalls the existence of the full range of cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR), bearing in mind the goal of reaching consensus within the cooperation mechanism and the need to exchange all relevant information, with a view to ensuring protection of the fundamental rights and freedoms of data subjects. The EDPB considers that in determining the scope of the inquiry, whilst it can be limited, an LSA should frame it in such a way that it permits the CSAs to effectively fulfil their role, alongside the LSA, when determining whether there has been an infringement of the GDPR.


'''5. On the lack of reprimand in the draft decision'''

Whereas the proposed corrective powers to be imposed were both a reprimand, pursuant to Article 58(2)(b) GDPR, and an administrative fine, pursuant to Article 58(2)(i) GDPR, the final Draft Decision consists of the imposition only of an administrative fine on TIC as the controller.

The LSA decided, having regard to the scope of the inquiry, which focussed on the controller’s obligations in relation to the Breach notification, that its inquiry “did not involve a finding that the underlying ‘processing operations’ relating to the Breach infringed [...] the GDPR”. Therefore, the LSA considered that there was no reason to review its decision not to issue a reprimand in light of the DE SA’s objection.

The EDPB considered in any case that the objection by the DE SA did not meet the requirement of Article 4(24) GDPR, since it does not explain how the failure to impose a reprimand in this specific case, where a fine is also imposed, may trigger risks for data subjects’ fundamental rights and freedoms.


'''6. On the calculation of the fine'''

Considering all the factors of Article 83(2) GDPR, the IE SA proposed to impose an administrative fine within the range of 150,000-300,000 USD, i.e. between 0.005% and 0.01% of the undertaking’s annual turnover or between 0.25% and 0.5% of the maximum amount of the fine which may be applied in respect of these infringements. This equates to a fine in Euro of between 135,000 and 275,000.

* '''AT SA''' considers the range of fine proposed by the IE SA neither effective, nor dissuasive, nor proportionate.
* '''DE SA''' raised an objection arguing that the fine proposed by the LSA is “too low” and “does not comply with the provisions of Article 83(1) GDPR”. As Twitter’s business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would have to be so high that it would render the illegal data processing unprofitable. On the basis of the fine concept applicable to the DE SAs, the fine for the infringement described in the Draft Decision would range from approximately EUR 7,348,035.00 to EUR 22,044,105.00.
* '''HU SA''' argued that, although “fines are justified for the committed infringements”, “the fine set out in the draft is unreasonably low, disproportionate and thus not dissuasive in view of the gravity of the committed infringement and the Controller’s worldwide market power”.
* '''IT SA''' asked the LSA to “review the draft decision as also related to quantification of the administrative fine, taking also account of specific aggravating elements of the case with regard to the nature of the data controller and the severity and duration of the data breach”.


'''Decision of the EDPB''' on the above:

* The EDPB agrees with the IE SA’s assessment according to which the controller cannot be expected to have become aware at the moment its processor has realised that a security incident has occurred.
* The EDPB considers that a company for which the processing of personal data is at the core of its business activities should have in place sufficient procedures for the documentation of personal data breaches, including remedial actions, which will also enable it to comply with the duty of notification under Article 33(1) GDPR. This is an additional element to take into consideration in the analysis of the gravity of the infringement.
* While the LSA in its Draft Decision made reference to the requirement that the fine must be dissuasive and proportionate, the EDPB considers that the LSA did not sufficiently substantiate how the proposed fine addresses these requirements. In particular, the EDPB notes that the LSA moves from calculating the maximum amount of the fine (set at $60 million) to stating the proposed fining range (set between $150,000 and $300,000), without further explanation as to which particular elements led the LSA to identify this specific range. Beyond the general reference to the relevant factors of Article 83(2) GDPR, there is no clear motivation for the choice of the proposed percentage (between 0.25% and 0.5%) of the maximum applicable fine under Article 83(4) GDPR.
* In this regard, the EDPB has elaborated above the reasons why the LSA in its Draft Decision should have given greater weight to the element relating to the nature, scope and negligent character of the infringement, and therefore considers that the proposed fine range should be adjusted accordingly.
* The EDPB considers that the fine proposed in the Draft Decision is too low and therefore does not fulfil its purpose as a corrective measure; in particular, it does not meet the requirements of Article 83(1) GDPR of being effective, dissuasive and proportionate.
* The EDPB requests the IE SA to re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on TIC so as to ensure it is appropriate to the facts of the case.


== Comment ==
''Share your comments here!''

== Further Resources ==
''Share blogs or news articles here!''

== English Machine Translation of the Decision ==
The decision below is a machine translation of the English original. Please refer to the English original for more details.

<pre>
The European Data Protection Board
       
                      EDPB
                 
   
 


Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European


Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the
 


processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
     
         
 


(General Data Protection Regulation) (hereinafter “GDPR”)1
       


, Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended


by the Decision of the EEA joint Committee No 154/2018 of 6 July 20182
   
 
         
           
 
 
             


, Having regard to Article 11 and Article 22 of its Rules of Procedure3


, Whereas:


(1) The main role of the European Data Protection Board (hereinafter the “EDPB” or the “Board”) is to
     


ensure the consistent application of the GDPR throughout the EEA. To this effect, it follows from Article


60 GDPR that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other
     
       
      EDPB adopted documents - 48th plenary
       
  22 April 2021


supervisory authorities concerned (hereinafter “CSAs”) in an endeavour to reach consensus, that the
       
                      EDPB
                 
   
 


LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without
     


delay, communicate the relevant information on the matter to the other supervisory authorities
 
 
   
     
           
         
           
   


concerned. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and


take due account of their views.
 
         
           
 
 
             


(2) Where any of the CSAs expressed a reasoned and relevant objection (“RRO”) on the draft decision


in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the RRO


or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the
     


consistency mechanism referred to in Article 63 GDPR.


(3) Pursuant to Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters
     
       
      Italian DPA: Major Critical Issues for Vaccination Pass
       
  4 May 2021


which are the subject of the RROs, in particular whether there is an infringement of the GDPR.
       
                      Italy
                 
   
 


(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the


EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) of the EDPB Rules of Procedure,
 
   
   


within one month after the Chair and the competent supervisory authority have decided that the file


is complete. The deadline may be extended by a further month, taking into account the complexity of
 
         
           
 
 
             


the subject-matter upon decision of the Chair on its own initiative or at the request of at least one


third of the members of the EDPB.


(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able
     


to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of


the extension by a simple majority of its members.
     
       
      Dutch DPA fines municipality for Wi-Fi tracking
       
  29 April 2021


1 OJ L 119, 4.5.2016, p. 1. 2 References to “Member States” made throughout this decision should be understood as references to “EEA
       
                      Netherlands
                 
   
 


Member States”. References to “EU” should be understood, where relevant, as references to “EEA”. 3 EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.


Adopted 5
 
   
   


1 SUMMARY OF THE DISPUTE


1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. The decision concerns the dispute arisen following a draft decision (hereinafter “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”, also referred to in this context as the “LSA”) and the subsequent objections expressed by a number of CSAs (“Österreichische Datenschutzbehörde”, hereinafter the “AT SA”; “Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”[4], hereinafter the “DE SA”; “Datatilsynet”, hereinafter the “DK SA”; “Agencia Española de Protección de Datos”, hereinafter the “ES SA”; “Commission Nationale de l'Informatique et des Libertés”, hereinafter the “FR SA”; “Nemzeti Adatvédelmi és Információszabadság Hatóság”, hereinafter the “HU SA”; “Garante per la protezione dei dati personali”, hereinafter the “IT SA”; “Autoriteit Persoonsgegevens”, hereinafter the “NL SA”). The draft decision at issue relates to an “own-volition inquiry” which was commenced by the IE SA following the notification of a personal data breach on 8 January 2019 (the “Breach”) by Twitter International Company, a company established in Dublin, Ireland (hereinafter “TIC”)[5].

2. The data breach arose from a bug in Twitter's design, due to which, if a user on an Android device changed the email address associated with their Twitter account, the protected tweets became unprotected and therefore accessible to a wider public (and not just the user's followers), without the user's knowledge[6]. The bug was discovered on 26 December 2018 by the external contractor managing the company's “bug bounty programme”, which is a programme whereby anyone may submit a bug report[7].

3. During its investigation, Twitter discovered additional user actions that would also lead to the same unintentional result. The bug in the code was traced back to a code change made on 4 November 2014[8].

4. TIC informed the IE SA that, as far as they can identify, between 5 September 2017 and 11 January 2019, 88,726 EU and EEA users were affected by this bug. Twitter has confirmed that it dates the bug to 4 November 2014, but it has also confirmed that it can only identify users affected from 5 September 2017 due to a retention policy applicable to the logs[9]. As a result, TIC acknowledged the possibility that more users were impacted by the breach[10].

5. The decision of the IE SA to commence the inquiry was taken in circumstances where TIC had, in its breach notification form, identified the potential impact for affected individuals as being “significant”[11].
[4] The objection by the Hamburg SA was submitted representing also “Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg”, “Berliner Beauftragte für Datenschutz und Informationsfreiheit”, “Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern”, “Die Landesbeauftragte für den Datenschutz Niedersachsen”. The objection has been also coordinated with other SAs in Germany.
[5] Draft Decision, paragraphs 1.1-1.2.
[6] Draft Decision, paragraph 1.9.
[7] Draft Decision, paragraphs 2.7 and 4.7.
[8] Draft Decision, paragraph 2.10.
[9] Draft Decision, paragraph 2.10.
[10] Draft Decision, paragraphs 1.10, 2.10, 14.2 and 14.3.
[11] Draft Decision, paragraph 2.8.
</pre>
 
6. The IE SA stated in its Draft Decision that it was satisfied that the IE SA is the LSA, within the meaning of the GDPR, for TIC, as controller in respect of the cross-border processing of personal data carried out by TIC that was the subject of the breach[12].

7. The following table presents a summary timeline of the events part of the procedure leading to the submission of the matter to the consistency mechanism:

26.12.2018  Twitter, Inc., a company incorporated in the USA, receives a bug report through their bug bounty programme. The report was sent by a third party contractor managing the bug bounty programme (Contractor 1) to the third party contractor engaged by Twitter, Inc. to search for and assess bugs (Contractor 2).
29.12.2018  Contractor 2 shares the result with Twitter, Inc. via a JIRA ticket.
02.01.2019  Twitter, Inc.'s Information Security Team reviews the JIRA ticket and decides it was not a security issue but that it might be a data protection issue.
02.01.2019  Twitter, Inc.'s Legal Team is notified.
03.01.2019  Twitter, Inc.'s Legal Team decides that the issue should be treated as an incident.
04.01.2019  Twitter, Inc. triggers the incident response process, but due to a mistake in applying the internal procedure, the Global DPO is not added as ‘watcher’ to the ticket. Therefore, they are not notified.
07.01.2019  The Global DPO is notified of the Data Breach during a meeting.
08.01.2019  TIC notifies the Breach to the IE SA using the IE SA's cross-border breach notification form.
22.01.2019  The scope and legal basis of the inquiry were set out in the notice of commencement of inquiry that was sent to TIC on 22 January 2019. The IE SA commences the inquiry and requests information from TIC.
28.05.2019 to 21.10.2019  Inquiry Report stage:
- the IE SA prepares a draft inquiry report and issues it to TIC to allow TIC to make submissions in relation to the draft inquiry report;
- TIC provides its submissions in relation to the draft inquiry report;
- the IE SA requests clarifications in relation to the submissions made by TIC;
- the IE SA issues its final inquiry report.
21.10.2019  The IE SA commences the decision-making stage.
11 and 28.11.2019  The IE SA corresponds with TIC and invites TIC to make further written submissions.
02.12.2019  TIC makes further submissions to the IE SA in response to the IE SA's correspondence of 11 and 28 November 2019.
 
[12] The IE SA has confirmed that its assessment in this regard was based both on its determination that (1) TIC, as the provider of the Twitter service in the EU/EEA, is the relevant controller and (2) that TIC's main establishment in the EU is located in Dublin, Ireland, where decisions on the purposes and means of processing of personal data of Twitter users in the EU/EEA are taken by TIC, in accordance with Article 4(16) GDPR. Draft Decision, paragraphs 2.2-2.3.
 
14.03.2020  The IE SA issues a Preliminary Draft Decision (hereinafter “the Preliminary Draft Decision”) to TIC, concluding that TIC infringed Articles 33(1) and 33(5) GDPR; hence it intends to issue a reprimand in accordance with Article 58(2)(b) GDPR and an administrative fine in accordance with Article 58(2)(i) and Article 83(2) GDPR.
27.04.2020  TIC provides submissions on the Preliminary Draft Decision to the IE SA.
27.04.2020 - 22.05.2020  The IE SA takes account of TIC's submissions in relation to the Preliminary Draft Decision and prepares its draft decision for submission to the CSAs in accordance with Article 60 GDPR.
22.05.2020 - 20.06.2020  The IE SA shares its Draft Decision with the CSAs in accordance with Article 60(3) GDPR. Several CSAs (AT SA, DE SA (represented by the DE-Hamburg SA), DK SA, ES SA, FR SA, HU SA, IT SA and NL SA) raise objections in accordance with Article 60(4) GDPR.
15.07.2020  The IE SA issues a Composite Memorandum setting out its replies to such objections and shares it with the CSAs (hereinafter, “Composite Memorandum”). The IE SA requests the relevant CSAs to confirm whether, having considered the IE SA's position in relation to the objections as set out in the Composite Memorandum, the CSAs intend to maintain their objections.
27 and 28.07.2020  In light of the arguments put forward by the IE SA in the Composite Memorandum, the DK SA informs the IE SA that it does not maintain its objection, and the ES SA informs the IE SA that it withdraws its objection in part. The other CSAs (i.e., the AT, DE, ES, FR, HU, IT and NL SAs) confirm to the IE SA that they maintain their remaining objections.
19.08.2020  The IE SA refers the matter to the EDPB in accordance with Article 60(4) GDPR, thereby initiating the dispute resolution procedure under Article 65(1)(a).

8. The IE SA triggered the dispute resolution process on the IMI on 19 August 2020. Following the submission by the LSA of this matter to the EDPB in accordance with Article 60(4) GDPR, the EDPB Secretariat assessed the completeness of the file on behalf of the Chair in line with Article 11(2) of the EDPB Rules of Procedure. The EDPB Secretariat contacted the IE SA for the first time on 20 August 2020, asking for additional documents and information to be submitted in IMI and requesting the IE SA to confirm the completeness of the file. The IE SA provided the documents and information and confirmed the completeness of the file on 21 August 2020. A matter of particular importance that was scrutinized by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the Charter of Fundamental Rights. On 4 September 2020, the Secretariat contacted the IE SA with additional questions in order to confirm whether TIC had been given the opportunity to exercise its right to be heard regarding all the documents that were submitted to the Board for making its decision. On 8 September 2020, the IE SA confirmed that this was the case and provided the documents to prove it[13].

9. On 8 September 2020, the decision on the completeness of the file was taken, and it was circulated by the EDPB Secretariat to all the members of the EDPB.

[13] Amongst the documents sent by the IE SA, there were emails from the Global DPO acknowledging receipt of the relevant documents.
 
10. The Chair decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) of the EDPB Rules of Procedure, to extend the default timeline for adoption of one month by a further month on account of the complexity of the subject-matter.

2 CONDITIONS FOR ADOPTING A BINDING DECISION

11. The general conditions for the adoption of a binding decision by the Board are set forth in Article 60(4) and Article 65(1)(a) GDPR[14].

2.1 Objection(s) expressed by CSA(s) in relation to a draft decision

12. The EDPB notes that CSAs raised objections to the Draft Decision via the information and communication system mentioned in Article 17 of the EDPB Rules of Procedure, namely the Internal Market Information System. The objections were raised pursuant to Article 60(4) GDPR.

13. More specifically, objections were raised by CSAs in relation to the following matters:
- the competence of the LSA;
- the qualification of the roles of TIC and Twitter, Inc., respectively;
- the infringements of the GDPR identified by the LSA;
- the existence of possible additional (or alternative) infringements of the GDPR;
- the lack of a reprimand;
- the calculation of the proposed fine.

14. Each of these objections was submitted within the deadline provided by Article 60(4) GDPR.

2.2 The LSA does not follow the relevant and reasoned objections to the draft decision or is of the opinion that the objections are not relevant or reasoned

15. On 15 July 2020, the IE SA provided to the CSAs a detailed analysis of the objections raised by the CSAs in the Composite Memorandum, where it outlined whether it considered the objections to be “relevant and reasoned” in accordance with Article 4(24) GDPR, and whether it decided to follow any of the objections[15].

16. More specifically, the IE SA considered that only the objections raised by CSAs in relation to the calculation of the fine meet the threshold put forward by Article 4(24) GDPR, in so far as they relate to the compliance with the GDPR of the envisaged action in relation to the controller or processor and also set out the risks posed as regards the fundamental rights and freedoms of data subjects[16]. However, the IE SA concluded that it would not follow the objections, for the reasons set out in the Composite Memorandum and below.

17. The IE SA considered that the other objections expressed by CSAs were not “relevant and reasoned” within the meaning of Article 4(24) GDPR.

[14] According to Article 65(1)(a) of the GDPR, the Board will issue a binding decision when a supervisory authority has raised a relevant and reasoned objection to a draft decision of the LSA or the LSA has rejected such an objection as being not relevant or reasoned.
[15] The purpose of the document, as stated by the IE SA, was to facilitate further cooperation with the CSAs in relation to the Draft Decision and to comply with the requirement in Article 60(1) GDPR that the LSA shall cooperate with the other CSAs in an endeavour to reach consensus.
[16] Composite Memorandum, paragraph 5.59.
 
2.3 Conclusion

18. The case at issue fulfils all the elements listed by Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA within the deadline provided by Article 60(4) GDPR, and the LSA has not followed the objections or has rejected them as not relevant or reasoned.

19. The EDPB is therefore competent to adopt a binding decision, which shall concern all the matters which are the subject of the relevant and reasoned objection(s), in particular whether there is an infringement of the GDPR[17].

20. All results in this decision are without any prejudice to any assessment or binding decision made in other cases by the EDPB, including with the same parties, depending on further and/or new findings.

3 THE RIGHT TO GOOD ADMINISTRATION

21. The EDPB is subject to Article 41 of the EU Charter of Fundamental Rights, in particular Article 41 (right to good administration). This is also reflected in Article 11(1) EDPB Rules of Procedure[18].

22. The EDPB decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address directly any third party. However, as a precautionary measure to address the possibility that TIC might be affected by the EDPB decision, the EDPB assessed whether TIC was offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA and in particular whether all the documents received in this procedure and used by the EDPB to take its decision had already been shared previously with TIC and whether TIC had been heard on them.

23. Considering that TIC has already been heard by the IE SA on all the information received by the EDPB and used to take its decision[19] and the LSA has shared with the EDPB the written observations of TIC, in line with Article 11(2) EDPB Rules of Procedure[20], in relation to the issues raised in this specific Draft Decision, the EDPB is satisfied that Article 41 of the EU Charter of Fundamental Rights has been respected.

4 ON THE QUALIFICATION OF CONTROLLER AND PROCESSOR AND THE COMPETENCE OF THE LSA

4.1 Analysis by the LSA in the Draft Decision

24. The Draft Decision states that “[i]n commencing the Inquiry, the appointed investigator within the [IE SA] [...] was satisfied that TIC is the controller, within the meaning of Article 4(7) of the GDPR, in respect of the personal data that was the subject of the Breach”, and that “[i]n this regard, TIC confirmed that it was the controller” in the data breach notification form and in the correspondence with the IE SA[21].

[17] Article 65(1)(a) in fine GDPR. Some CSAs raised comments and not per se objections, which were, therefore, not taken into account by the EDPB.
[18] EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.
[19] IE SA Preliminary Draft Decision (14 March 2020); IE SA Draft Decision (22 May 2020); Objections and comments raised by CSAs (18-20 June 2020); Composite Memorandum prepared by the IE SA (15 July 2020); and the remaining comments and objections from the CSAs (27-28 July 2020).
[20] EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.
 
The Draft Decision further states that “TIC also confirmed that the Breach had arisen in the context of processing carried out on its behalf by Twitter Inc., its processor”[22] and “TIC is the data controller for the personal data which is the subject of the Inquiry. TIC has an agreement in place with Twitter Inc. (its processor) to provide data processing services”[23].

25. Additionally, the Draft Decision specifies that the IE SA was further satisfied that it was competent to act as LSA in respect of cross-border processing carried out by TIC, in relation to the personal data that was the subject of the Breach[24].

26. In this regard, the Draft Decision further states that TIC confirmed to the IE SA in notifying the Breach that it was “an Irish company”, and the “provider of the Twitter services in Europe”, and that TIC's Privacy Policy (updated in January 2016) informed users of the Twitter service in the EU that they had the right to raise concerns either with their local supervisory authority or with TIC's LSA, the IE SA[25].

27. The IE SA further included in the Draft Decision an excerpt from TIC's Annual Report and Financial Statements relating to the Financial Year ended 31 December 2018 specifying that the “ultimate controlling party and the largest group of undertakings for which group financial statements are drawn up, and of which the company is a member, is Twitter, Inc., a company incorporated in the United States of America and listed on the New York Stock Exchange”[26].

28. The IE SA initially faced uncertainty arising from the use of the terms “we” and “our” in the data breach notification form to refer interchangeably to TIC and Twitter, Inc. The IE SA sought clarifications in this regard and TIC indicated that employees of TIC and Twitter, Inc. habitually use “we” and “our” loosely to refer to the group by its name. In addition, TIC indicated that whilst TIC is the controller and makes decisions with respect to the purposes and means of data processing, it does not operate alone: “TIC, and its employees, are part of [...] the Twitter Group [....]. All employees of the Twitter Group use the same computer systems, they adhere to the same general policies…and work together to ensure the global round-the-clock support required to keep the Twitter platform operational”[27].

4.2 Summary of the objections raised by the CSAs

29. In its objection, the ES SA states that the Draft Decision does not sufficiently justify the role of TIC as controller. The ES SA stresses that an assessment of which entity really decides on the purposes and means should be carried out, alongside a critical analysis of all the facts which took place. According to the ES SA, the elements underlying the Draft Decision seem to suggest a conclusion that is different from the one reached by the IE SA. In particular, the ES SA considers that the decisions on the essential purposes of the data processing are actually taken by Twitter, Inc. The ES SA supported its reasoning by listing some factors that, in its view, could suggest that TIC does not decide on the purposes and means. First, the ES SA recalled that TIC is a subsidiary of Twitter, Inc. and highlighted that it would therefore be hard to understand how TIC could “issue orders” to Twitter, Inc. relating to processing of personal data of EEA users. According to the ES SA, TIC was never in the position to independently choose Twitter, Inc. as its processor and would not be able to replace it. Additionally, the ES SA argued that Twitter, Inc. does not seem to act as processor due to the “absence of a direct channel” between the two companies in the management of data breach cases other than the sending of an email with the Global DPO in copy. Thirdly, the ES SA stated that it was not clear how TIC could have independently adopted or influenced the decisions leading to the correction of the IT bug in the system managed and controlled by Twitter, Inc., and that it was rather Twitter, Inc. who undertook decisions relating to the solution of the Breach, whose effects were not limited only to European users.

[21] Draft Decision, paragraph 2.2.
[22] Draft Decision, paragraph 4.2.
[23] Draft Decision, paragraph 4.6.
[24] Draft Decision, paragraph 2.3.
[25] Draft Decision, paragraph 2.3.
[26] Draft Decision, paragraph 2.4.
[27] Draft Decision, paragraph 4.5.
 
30. The NL SA also raised an objection regarding the legal qualification of TIC and Twitter, Inc. as respectively controller and processor. Specifically, the objection relates to the way the IE SA has argued that TIC is the sole controller in this case and that Twitter, Inc. is a processor acting on its behalf. The NL SA considers that the assessment of controllership is a fundamental aspect of this case and therefore any conclusion regarding the role of controller, processor or joint controllers should be supported by legal and factual evidence. In its objection, the NL SA essentially submits that the Draft Decision does not contain enough evidence to legally and factually establish the roles of the entities concerned, in particular to support the conclusion (i) that TIC is the (sole) controller and (ii) that Twitter, Inc. is merely a processor acting under instruction of TIC for the operation of the global Twitter service and/or the purposes that are relevant in this case. According to the NL SA, the LSA should verify whether the legal statements of the organisation and/or its privacy policy correspond with its actual activities. The NL SA requested the IE SA to include more information on and/or a description of the factors that lead to the determination of roles in the Draft Decision document itself. The NL SA also mentions, as examples of factors to take into account: instructions from TIC to Twitter, Inc., or other objective evidence or practical clues from daily operations, as well as examples from written records such as a data processing agreement.

31. In its objection, the DE SA argues that the relationship between Twitter, Inc. and TIC is not a controller-processor relationship, but rather a joint-controllers relationship. The objection in the first instance relies on the fact that Twitter, Inc. and TIC do not operate separate data processing systems. According to the DE SA, the basic system operated by Twitter, Inc. is modified for EEA users based on decisions made by TIC, whereas the main processing system stays the same. The DE SA also highlighted that all the employees of the group use the same computer system and adhere to the same general policies.

32. Finally, the FR SA raised an objection regarding the competence of the IE SA, stating that it seemed that the IE SA came to the conclusion that the decision-making power on the purposes and means of the processing at stake was exercised by TIC. According to the FR SA, the Draft Decision does not clearly indicate that elements other than TIC's own statements were taken into account by the authority to consider that this company had a decision-making power on the processing. The FR SA also specified that the Draft Decision does not clearly indicate whether the competence of the authority is based on the fact that TIC should be considered as the controller, or on TIC being regarded as the main establishment as defined by Article 4(16) GDPR. The FR SA concluded that in its current state the Draft Decision does not prevent the risk of forum shopping, which the one-stop-shop mechanism is meant to avoid. The FR SA invited the IE SA to provide more elements allowing it to prove that the company TIC has a decision-making power regarding the purposes and means of the processing for the social network Twitter.

4.3 Position of the LSA on the objections

33. In its Composite Memorandum, the IE SA considered that an objection based on the role or designation of the parties as controller and processor and/or on the competence of the IE SA “neither disputes the finding of an infringement nor the envisaged action and, therefore, does not satisfy the definition at Article 4(24)” and that it “does not fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24)”[28]. The IE SA nevertheless analysed such objections and, in doing so, set out the factors which it had considered in determining TIC's status as controller and as main establishment. In this regard, the IE SA outlined (by way of summary[29]) the facts and legal analysis leading to its conclusion in respect of TIC's status as controller, in essence:
- Twitter's previous confirmation in 2015 that it proposed to make TIC in Ireland the controller for personal data of Twitter users in the EU[30];
- TIC's confirmation that it was controller for the personal data affected by the Breach both in notifying the Breach to the IE SA and during the course of the inquiry;
- TIC's confirmation that a data processing agreement is in place between it and Twitter, Inc. as its processor, which includes the provisions required by Article 28 GDPR;
- the interactions between TIC and Twitter, Inc. following 7 January 2019, when TIC (through its DPO) was actually made aware of the Breach, demonstrating according to the IE SA that TIC exercised control and decision-making authority over Twitter, Inc. concerning the remediation activities and notification of the Breach and in relation to the underlying processing of personal data affected by the Breach; and
- the actions of Twitter, Inc. when it was notified of the incident by Contractor 2, which according to the IE SA also support the status of the relationship between the two entities as one in which TIC exercised authority and bore responsibilities as the controller.

34. The IE SA then set out, by way of summary[31], the facts and legal analysis leading to its conclusion that TIC's main establishment is in Ireland, in essence (beyond the points above):
- TIC's designation and declaration of itself as main establishment;
- TIC's confirmation in its Privacy Policy of its status as the relevant controller for personal data of Twitter users in the EU;
- TIC's place of central administration is in Dublin, where it has approximately 170 employees;
- TIC's direct employment of a Global DPO for the purposes of the GDPR, the reporting line for the Global DPO within TIC and the Global DPO's representation of TIC on a range of privacy and data processing related activities, including the ability to veto data processing;
- the historical and ongoing supervision of TIC by the IE SA, during which it has been apparent that TIC determines the purposes and means for which personal data are processed within the EU.

The IE SA reiterated that, notwithstanding its response to the substance of the objections raised on the matters of competence and/or the designation of the parties, it did not consider that the objections in relation to these issues satisfied the definition of a “relevant and reasoned objection” under Article 4(24) GDPR. The IE SA stated that, in light of both its assessment that these matters did not satisfy the definition under Article 4(24) GDPR, and in light of its demonstration that it had adequately addressed the questions of main establishment, its competence, and the controller/processor designation in its Draft Decision, it did not intend to follow the objections on these matters[32].

[28] Composite Memorandum, paragraph 5.39.
[29] Composite Memorandum, paragraph 5.35.
[30] In this regard, the Composite Memorandum explains that TIC informed the IE SA on 8 April 2015 that it proposed to make TIC in Ireland the controller for the personal data of its users outside of the USA and that TIC notified this fact to other EU supervisory authorities in May 2015 (paragraph 5.15).
[31] Composite Memorandum, paragraph 5.36.
 
4.4 Analysis of the EDPB

4.4.1 Assessment of whether the objections were relevant and reasoned

35. The EDPB will begin its analysis of the objections raised by assessing whether the aforementioned objections are to be considered as a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR.

36. Article 4(24) of the GDPR defines “relevant and reasoned objection” as an “objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union”[33].

37. As clarified in the Guidelines on the concept of a relevant and reasoned objection, an objection needs to be both “relevant” and “reasoned”. In order for the objection to be “relevant”, there must be a direct connection between the objection and the draft decision and it needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR[34].

38. According to the same Guidelines, an objection is “reasoned” when it is coherent, clear, precise and detailed in providing clarifications and arguments as to why an amendment of the decision is proposed and how the change would lead to a different conclusion[35], and when it clearly demonstrates the significance of the risks posed by the draft decision for the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union. The CSA should thus “show the implications the draft decision would have for the protected values”, by “advancing sufficient arguments to show that such risks are substantial and plausible”[36]. The evaluation of the risks posed to the rights and freedoms of data subjects[37] can rely, inter alia, on the appropriateness, necessity, and proportionality of the measures envisaged[38] and on the possible reduction of future infringements of the GDPR[39].

[32] Composite Memorandum, paragraph 5.40.
[33] GDPR, Article 4(24).
[34] See also the EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version for public consultation (hereinafter, “Guidelines on RRO”), paragraph 12, currently subject to public consultation, <nowiki>https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-092020-relevant-and-reasoned-objection_en</nowiki>. The Guidelines were adopted on 8 October 2020, after the commencement of the inquiry by the IE SA relating to this particular case.
[35] Guidelines on RRO, paragraphs 17 and 20.
[36] Guidelines on RRO, paragraph 37.
[37] The “data subjects” whose rights and freedoms may be impacted may be both those whose personal data are being processed by the controller/processor and those whose personal data may be processed in the future. Guidelines on RRO, paragraph 43.
[38] Guidelines on RRO, paragraph 42.
[39] Guidelines on RRO, paragraph 43.
 
39. In terms of content, the objection can, as a first alternative, concern the existence of an infringement of the GDPR. In this case, it should explain why the CSA disagrees as to whether the activities carried out by the controller or processor led to the infringement of a given provision of the GDPR, and to which infringement(s) specifically[40]. This objection may also include a disagreement as to the conclusions to be drawn from the findings of the investigation (e.g. by stating that the findings amount to an infringement other than / in addition to those already analysed)[41] or could go as far as identifying gaps in the draft decision justifying the need for further investigation by the LSA[42]. However, this is less likely to happen when the obligation for the LSA to cooperate with the CSAs and exchange all relevant information has been duly complied with in the time preceding the issuance of the draft decision[43]. Alternatively, the content of the objection can refer to the compliance of the action in relation to the controller or processor (corrective measure or other) envisaged in the draft decision with the GDPR, by explaining why the action foreseen is not in line with the GDPR[44].

40. The EDPB considers it possible for an objection concerning the existence of an infringement of the GDPR to concern the absence or insufficiency of assessment or reasoning (with the consequence that the conclusion in the draft decision is not adequately supported by the assessment carried out and the evidence presented, as required in Article 58 GDPR), as long as the whole threshold set forth by Article 4(24) GDPR is met and provided there is a link between the allegedly insufficient analysis and whether there is an infringement of the GDPR or whether envisaged action complies with the GDPR[45].

41. The EDPB considers that an objection concerning the role, or designation, of the parties can fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR, as this can affect the determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation. However, the EDPB considers that an objection on the competence of the supervisory authority acting as LSA should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR[46].

a) Assessment of the objection raised by the NL SA

42. The objection raised by the NL SA in first instance relates to an “absence or insufficiency of assessment or reasoning”[47] leading to the conclusions drawn by the IE SA as to the legal qualification of TIC and Twitter, Inc. As the NL SA points out, the assessment of controllership is indeed a fundamental aspect of the case. A different conclusion as to the legal qualification of TIC and Twitter, Inc. would affect the conclusions of the supervisory authority, both in relation to the determination of an infringement of Article 33 GDPR, as well as the decision on the corrective measures resulting from the investigation.

[40] Guidelines on RRO, paragraph 25.

[41] Guidelines on RRO, paragraph 27.

[42] Guidelines on RRO, paragraph 28 (which also specifies that “In this regard, a distinction must be made between, on one hand, own-volition inquiries and, on the other hand, investigations triggered by complaints or by reports on potential infringements shared by concerned supervisory authorities”).

[43] Guidelines on RRO, paragraph 27.

[44] Guidelines on RRO, paragraph 33. This means that the objection may, inter alia, challenge the elements relied upon to calculate the amount of the fine (Guidelines on RRO, paragraph 34).

[45] Guidelines on RRO, paragraph 29.

[46] The procedure pursuant to Article 65(1)(b) GDPR is applicable in this case and can be launched at any stage, Guidelines on RRO, paragraph 31.

[47] Guidelines on RRO, paragraph 29. A relevant and reasoned objection concerning whether there is an infringement of the GDPR can concern “insufficient factual information or description of the case at stake”, a “disagreement as to the conclusions to be drawn from the findings of the investigation” (Guidelines on RRO, paragraph 27) or refer to an “absence or insufficiency of assessment or reasoning (with the consequence that the conclusion in the draft decision is not adequately supported by the assessment carried out and the evidence presented, as required in Article 58 GDPR)” (Guidelines on RRO, paragraph 29).
 
43. The EDPB recalls that each legally binding measure adopted by a supervisory authority must give the reasons for the measure[48]. The determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, hinges on the correct identification of the roles of the parties who shall be the subject of the measure. Therefore, a draft decision must contain sufficient legal and factual elements to support the proposed decision[49]. As a result, the EDPB considers that the objection raised by the NL SA concerns both “whether there is an infringement of the GDPR” and “whether or not the envisaged action complies with the GDPR”.

44. While the EDPB considers that the objection of the NL SA is therefore relevant and includes legal arguments supporting its position, it does not put forward arguments as to how such consequences would pose significant risks for the rights and freedoms of data subjects and/or the free flow of data[50]. The EDPB recalls that the obligation to clearly demonstrate the significance of the risk posed by the draft decision, established by the GDPR, lies with the CSA[51]. While the possibility for CSAs to provide such demonstration may also depend on the degree of detail of the draft decision itself and on the previous exchanges of information[52], such a circumstance, where applicable, cannot completely absolve the CSA from the obligation to clearly set out why it considers that the draft decision, if left unchanged, results in significant risks for the rights and freedoms of individuals.

45. The EDPB finds that the objection raised by the NL SA does not clearly demonstrate the risks for the rights and freedoms of individuals as such. On this basis, the EDPB considers that the objection raised by the NL SA does not meet the requirements of Article 4(24) GDPR.

b) Assessment of the objection raised by the ES SA

46. The objection raised by the ES SA also challenges the sufficiency of the assessment or reasoning in relation to the conclusions drawn by the IE SA as to the legal qualification of TIC and Twitter, Inc. respectively. The objection also makes clear that the correct qualification of TIC and Twitter, Inc. is key for determining their respective responsibilities, as well as for the competence of the IE SA. As a result, the EDPB also considers that the objection raised by the ES SA concerns both “whether there is an infringement of the GDPR” and “whether or not the envisaged action complies with the GDPR”. The objection of the ES SA also sets out why it considers that a change to the Draft Decision is necessary and how the change would lead to a different conclusion.

47. While the EDPB considers that the objection of the ES SA is therefore relevant and includes legal arguments supporting its position, it does not clearly articulate why the decision, if left unchanged in this respect, would pose significant risks for the rights and freedoms of data subjects and, where applicable, the free flow of personal data. On this basis, the EDPB considers that the objection raised by the ES SA does not meet the requirements set out in Article 4(24) GDPR.

[48] Recital (129) GDPR.

[49] Such information is also necessary to ensure the effectiveness of the cooperation and consistency mechanism, so as to allow CSAs to make an informed decision on whether or not to agree or express a relevant and reasoned objection.

[50] Guidelines on RRO, paragraph 19.

[51] Guidelines on RRO, paragraph 36 and Article 4(24) GDPR.

[52] Guidelines on RRO, paragraph 36.
 
c) Assessment of the objection raised by the DE SA

48. While the objections expressed by the NL and ES SAs primarily relate to an “absence of reasoning” justifying the conclusion that TIC acts as (sole) controller, the DE SA disagrees as to the conclusions to be drawn from the findings of the investigation[53]. In particular, the DE SA considers that the factual elements included in the file are sufficient to justify the conclusion that Twitter, Inc. does not qualify as a processor, but rather as a joint controller, together with TIC.

49. In its objection, the DE SA also sets out why the qualification of the parties is relevant to the determination of “whether there is an infringement”. In particular, the DE SA argues that the legal assessment of the relationship between Twitter, Inc. and TIC affects the determination of the moment of becoming aware of the Breach. According to the DE SA, knowledge must be equally attributed to both (joint) controllers in light of Article 26(1) GDPR. Taking this into account, the DE SA argues that the relevant date when TIC as joint controller obtained knowledge (or rather should have obtained knowledge) needs to be reconsidered by the IE SA.

50. The EDPB considers that the objection raised by the DE SA clearly sets out why changing the Draft Decision is considered necessary and how the objection, if followed, would lead to a different conclusion. That being said, the EDPB does not find that the objection raised by the DE SA includes a clear statement regarding the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects in relation to the qualification of the parties as such. On this basis, the EDPB considers that the objection raised by the DE SA does not meet the requirements set out in Article 4(24) GDPR.

d) Assessment of the objection raised by the FR SA

51. The FR SA in essence also considers that the Draft Decision suffers from “an absence or insufficiency of assessment or reasoning”, in that it does not clearly indicate that elements other than TIC’s own statements were taken into account by the IE SA to consider that TIC exercised decision-making power over the processing. Similar to the NL SA and ES SA, the FR SA also stresses the importance that the decision of the LSA is sufficiently reasoned. Different from the NL SA and ES SA, however, the FR SA focuses in its objection primarily on the importance of including such reasoning in establishing the competence of the authority acting as LSA, in particular with a view to preventing forum shopping.

52. The EDPB recalls that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR[54]. The EDPB considers that the objection raised by the FR SA does not advance sufficient arguments to clearly demonstrate the significance of the risk for the rights and freedoms of data subjects posed by the Draft Decision. As a result, the EDPB considers that the objection raised by the FR SA does not amount to a relevant and reasoned objection within the meaning of Article 4(24) GDPR.

4.4.2 Conclusion

53. The EDPB considers that the aforementioned objections satisfy several of the criteria of Article 4(24) GDPR. Differently to the conclusion made by the IE SA, the EDPB considers that each of those objections satisfied the condition of referring alternatively to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation. In addition, the EDPB considers that an objection based on the role, or designation, of the parties can in principle fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR.

54. However, as stated above, the aforementioned objections do not meet the threshold of providing a clear demonstration as to the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union.

[53] Guidelines on RRO, paragraph 27.

[54] Guidelines on RRO, paragraph 31. The Guidelines go on to state that unlike the objection pursuant to Article 60(4) GDPR, the procedure pursuant to Article 65(1)(b) GDPR is applicable at any stage.
 
55. As regards the aforementioned objection raised by the FR SA, in addition to not advancing sufficient arguments to clearly demonstrate the significance of the risk for the rights and freedoms of data subjects posed by the Draft Decision, the objection concerns a disagreement on the competence of the supervisory authority acting as LSA. The EDPB recalls that such disagreement should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR[55].

56. As a result, the EDPB considers that the aforementioned objections do not meet the requirements set out in Article 4(24) GDPR.

57. As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

5 ON THE INFRINGEMENTS OF THE GDPR FOUND BY THE LSA
 
5.1 On the findings of an infringement of Article 33(1) GDPR

5.1.1 Analysis by the LSA in the Draft Decision

58. The IE SA concluded that TIC did not meet its obligations as a controller under Article 33(1) GDPR, which "cannot be viewed in isolation and must be understood within the context of the broader obligations on controllers under the GDPR, in particular, the obligation of accountability under Article 5(2), the relationship between controllers and processors (Article 28), and the obligation to implement appropriate (and effective) technical and organisational measures"[56].

59. With regard to the moment at which the controller became aware of the Breach, the Draft Decision concluded that in case the Breach is suffered by the processor, the controller becomes aware when it is notified of the Breach by the processor[57], but the controller must ensure that it has sufficient measures in place to facilitate this awareness[58]. Because TIC as controller was responsible for overseeing the processing operations carried out by its processor Twitter, Inc.[59], the Draft Decision stated that where the processor does not follow the procedure or the procedure otherwise fails, the controller cannot excuse its own delayed notification on the basis of the processor’s fault[60], as the performance by a controller of its obligation to notify cannot be contingent upon the compliance by its processor with its obligations under Article 33(2) GDPR[61]. The IE SA found that in these circumstances the controller must be considered as having constructive awareness of the personal data Breach through its processor[62], and that such an interpretation reflects the responsibility and accountability of the controller in the GDPR[63].

60. According to the Draft Decision, therefore, TIC became actually aware of the Breach on 7 January 2019[64] but should have been aware of the Breach at the latest by 3 January 2019, since on that date Twitter, Inc. as processor first assessed the incident as being a potential data breach and the Twitter, Inc. legal team instructed that the incident be opened[65]. The Draft Decision also stated that even in the particular circumstances of this situation (where earlier delays had also arisen[66]), any arrangements in place with Twitter, Inc. should have enabled this[67]. Instead, due to the “ineffectiveness of the process” in the “particular circumstances” of the case at stake and/or “a failure by [the processor’s] staff to follow its incident management process” there was a delay leading to the controller being notified only on 7 January 2019[68]. This led to the infringement of Article 33(1) GDPR even if less than 72 hours elapsed between the moment at which TIC became actually aware of the Breach (7 January 2019) and the notification (8 January 2019).

5.1.2 Summary of the objections raised by the CSAs

61. The FR SA raised an objection stating that the findings do not correspond to an infringement of Article 33(1) GDPR, but rather of Article 28 or Article 32 GDPR, which set out the obligations of the controller when it decides to have recourse to a processor. This argument relies on the fact that the finding of the infringement of Article 33(1) is mainly based on the failures in the application of the procedure established between TIC and its processor in case of a data breach, whereas Article 33(1) GDPR refers only to the obligation of the controller to notify data breaches to the competent authority.

62. The objections of the DE SA, instead, focused on the reasoning leading to the conclusion that Article 33(1) GDPR was infringed, without challenging such conclusion per se, and referred more specifically to the determination of the dies a quo of the 72-hour deadline.

63. The DE SA argued in its objection that the issue of the allocation of roles affects the determination of the moment of awareness of the Breach, as the knowledge of a breach must be equally attributed to both joint controllers. According to the DE SA, this may lead to considering 26 December 2018 as the date when TIC as joint controller got knowledge/should have got knowledge of the Breach.

[55] Guidelines on RRO, paragraph 31.

[56] Draft Decision, paragraph 6.20. See also Draft Decision, paragraphs 6.5, 6.7, and 6.13. The Draft Decision (paragraph 7.129 (i)) also states that the “requirement under Article 33(1) [...] is predicated upon the controller ensuring that it has internal systems and procedures (and where applicable, systems and procedures in place with any external parties including processors) that are configured, and followed, so as to facilitate prompt awareness, and timely notification, of breaches”.

[57] Draft Decision, paragraph 7.129 (iii).

[58] Draft Decision, paragraph 7.98.

[59] Draft Decision, paragraph 7.129 (iv).

[60] Draft Decision, paragraph 7.129 (iv).

[61] Draft Decision, paragraph 7.129 (x).

[62] Draft Decision, paragraph 7.129 (v).

[63] Draft Decision, paragraph 7.98. According to the Draft Decision, an alternative interpretation, under which a controller is only “aware” when informed by its processor, leaves a significant lacuna in the protection provided by the GDPR, as it could result in the controller avoiding responsibilities even in case of major delays if it showed it satisfied its obligations in choosing a processor and having proper systems in place, but such systems were disregarded by the processor (Draft Decision, paragraph 7.99). The IE SA further outlined in the Draft Decision that “the alternative application of Article 33(1), and that which was suggested by TIC, whereby the performance by a controller of its obligation to notify is, essentially, contingent upon the compliance by its processor with its obligations under Article 33(2), would undermine the effectiveness of the Article 33 obligations on a controller [and that] [s]uch an approach would be at odds with the overall purpose of the GDPR and the intention of the EU legislator”.

[64] Draft Decision, paragraph 7.129 (vi).

[65] Draft Decision, paragraph 7.129 (vi).

[66] In identifying 3 January 2019 as the date on which TIC ought to have been aware of the breach, the IE SA also took into account that an earlier delay had arisen during the period from when the incident was first notified by the External Contractor (Contractor 2) to Twitter, Inc. on 29 December 2018 to when Twitter, Inc. commenced its review of same, on 2 January 2019. TIC confirmed, during the course of the inquiry, that this was “due to the winter holiday schedule”.

[67] Draft Decision, paragraph 7.129 (ix).

[68] Draft Decision, paragraph 7.129 (vi).

5.1.3 Position of the LSA on the objections
 
64. With regard to the objection raised by the FR SA, the IE SA considers that it requests consideration of alternative provisions of the GDPR and that the request by CSAs to consider alternate provisions of the GDPR would essentially seek to re-scope the Inquiry conducted[69]: the IE SA concluded that such an objection does not fall within the definition of “relevant and reasoned objection” for the purposes of Article 4(24) GDPR[70]. The IE SA also stressed its view that an infringement of Article 33(1) GDPR has occurred and did not propose to consider infringements of any other provisions of the GDPR as an alternative to Article 33(1)[71], underlining that expanding the range of the infringements to other GDPR obligations at the request of CSAs would “jeopardise the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness”[72]. The IE SA also pointed out that it is examining TIC’s compliance with its broader obligations under the GDPR in the context of another ongoing inquiry[73].

65. Concerning the objection raised by the DE SA, with specific regard to the determination of the moment of awareness of the breach, the IE SA submitted that even if a relationship of joint controllership did exist (a view that, as outlined above in Section 4.3, the IE SA did not share) it would not necessarily mean that awareness of the Breach could be equally attributed to both joint controllers[74].

5.1.4 Analysis of the EDPB

5.1.4.1 Assessment of whether the objections were relevant and reasoned

66. As recalled above (see Section 4.4.1), it is necessary to assess whether the objections raised by the CSAs meet the threshold set by Article 4(24) GDPR.

67. Although the objection of the FR SA is relevant, since it outlines a disagreement on whether a particular infringement of the GDPR has taken place in the specific case, and it includes legal arguments supporting the objection, it fails to meet the Article 4(24) GDPR standard because it does not include justifications concerning the consequences of issuing a decision without the changes proposed in the objection, and how such consequences would pose significant risks to the rights and freedoms of data subjects[75]. Thus, the objection cannot be said to “clearly demonstrate” the significance of the risks posed by the issuance of the Draft Decision (if it were to be issued as final) since it does not provide sufficient arguments as to why such risks to the rights and freedoms of data subjects, with specific regard to the finding of an infringement of Article 33(1) (instead of Article 32 / 28) GDPR, are substantial and plausible[76]. Therefore, the EDPB concludes the objection of the FR SA is not relevant and reasoned due to the lack of a clear demonstration of the risks as specifically required by Article 4(24) GDPR.

68. Additionally, with regard to the DE SA’s objection specifically in relation to the determination of the dies a quo for the infringement of Article 33(1) GDPR as depending on the qualification of the parties, the EDPB recalls the analysis performed above in Section 4.4 and finds that the objection does not show the implications the Draft Decision with its current content, specifically concerning the reasoning underlying the finding of a breach of Article 33(1) GDPR, would have for the protected values[77] (rights and freedoms of data subjects or, where applicable, free flow of personal data).

5.1.4.2 Conclusion

69. The EDPB considers that the aforementioned objections satisfied the condition of referring alternatively as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, but they do not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union.

70. Therefore, the FR and DE SAs’ objections do not meet the requirements in Article 4(24) GDPR[78].

[69] Composite Memorandum, paragraph 5.45.

[70] Composite Memorandum, paragraph 5.45.

[71] Composite Memorandum, paragraph 5.47.

[72] Composite Memorandum, paragraph 5.44(c).

[73] Composite Memorandum, paragraph 5.44(d).

[74] Composite Memorandum, paragraph 5.34 (also referring to the CJEU judgment in Wirtschaftsakademie, C-210/16, paragraph 43).

5.2 On the findings of an infringement of Article 33(5) GDPR
 
5.2.1 Analysis by the LSA in the Draft Decision

71. In the Draft Decision, the IE SA found that TIC did not comply with its obligations under Article 33(5) GDPR to document the Breach, since the documentation furnished by TIC in the course of the inquiry was not considered to contain sufficient information and was not considered to contain a record or document of, specifically, a “personal data breach”, as it amounted to “documentation of a more generalised nature”[79].

72. On a different note, the IE SA acknowledged that TIC fully cooperated during the inquiry (although this was not considered as a mitigating factor)[80].

5.2.2 Summary of the objections raised by the CSAs

73. The EDPB takes the opportunity to highlight, for the sake of clarity, that none of the objections raised challenged the conclusion that TIC infringed Article 33(5) GDPR.

[75] Guidelines on RRO, paragraph 19.

[76] Guidelines on RRO, paragraph 37.

[77] Guidelines on RRO, paragraph 37.

[78] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

[79] Draft Decision, paragraph 10.46.

[80] Draft Decision, paragraph 14.50.
 
74. However, the IT SA raised an objection arguing that the finding related to the violation of Article 33(5) GDPR does not appear consistent with the reasoning and elaborations put forward by the LSA, as the inadequacy of the documentation that was produced during such an extensive investigation, based upon multiple interactions between the LSA and the controller, allegedly points to the controller’s poor cooperation with the DPA. According to the IT SA, the finding in the Draft Decision that TIC provided full cooperation during the investigative phase should be reviewed, as such full cooperation can only be considered to exist if adequate, exhaustive documentation is made available by the controller in a straightforward manner.

5.2.3 Position of the LSA on the objections

75. The IE SA is of the opinion that the obligation under Article 33(5) GDPR applies independently of the obligation under Article 31 GDPR to co-operate with the supervisory authority and of how TIC behaved towards, and interacted with, the LSA at the time that the latter initiated its regulatory activities regarding TIC’s Breach[81]. The IE SA argued that the deficiencies in how TIC documented the Breach do not necessarily correlate with a lack of cooperation on TIC’s part[82]. In addition, the IE SA highlighted that TIC cooperated with the IE SA during the inquiry by responding to all requests for information and by providing all the requested documents, without seeking to disrupt or obstruct the inquiry in any way[83]. In any case, the IE SA did not consider TIC’s cooperation as a mitigating factor[84]. For the above-mentioned reasons, the IE SA considered that it was “questionable” whether the objection raised by the IT SA is reasoned and relevant, since while it relates to an infringement of the GDPR it does not demonstrate how the IE SA’s position on TIC’s degree of cooperation results in risks posed by the draft decision regarding fundamental rights and freedoms of data subjects[85]. The IE SA concluded it would not follow said objection[86].

5.2.4 Analysis of the EDPB

5.2.4.1 Assessment of whether the objections were relevant and reasoned

76. The IT SA in its objection does not dispute that an infringement of Article 33(5) GDPR has occurred. A relevant and reasoned objection may question the reasoning underlying the conclusions reached by the LSA in the draft decision only insofar as such reasoning has a link with such conclusions and the objection is adequately reasoned. In this case, the objection does not clearly argue how following it could entail a change in the Draft Decision. Additionally, the objection does not meet the criteria outlined in Article 4(24) GDPR because it fails to clearly demonstrate the significance of the risks posed by the Draft Decision, as it does not show the implications the alleged mistake in the Draft Decision would have for the protected values.

5.2.4.2 Conclusion

77. As the IT SA’s objection does not meet the requirements of Article 4(24) GDPR, the Board does not take a position on the merit of the substantial issues raised by this objection. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

[81] Composite Memorandum, paragraph 5.87.

[82] Composite Memorandum, paragraph 5.87.

[83] Composite Memorandum, paragraph 5.87.

[84] Composite Memorandum, paragraph 5.87.

[85] Composite Memorandum, paragraph 5.88.

[86] Composite Memorandum, paragraph 5.88.
 
6 ON POTENTIAL FURTHER (OR ALTERNATIVE) INFRINGEMENTS OF THE GDPR IDENTIFIED BY THE CSAS

6.1 Analysis by the LSA in the Draft Decision

78. Based on the information provided by TIC when it notified the Breach to the IE SA, the IE SA noticed that it appeared from the breach notification form that a period in excess of 72 hours had elapsed from when TIC (as controller) became aware of the Breach[87]. For this reason, the IE SA decided to commence, on its own volition, an inquiry to examine whether TIC had complied with its obligations under Article 33(1) and Article 33(5) GDPR[88].

79. In order to determine whether TIC complied with its obligations under Article 33(1) GDPR, the IE SA considered them in the context of a controller's broader obligations, including those of accountability (Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR)[89]. However, while the IE SA considered the factors and factual matters that led to TIC's delay in being made aware of the Breach by its processor and ultimately in notifying the Breach, the IE SA did not consider whether or not TIC complied with any or each of these obligations other than for the purpose of assessing TIC’s compliance with its obligations under Article 33(1) and Article 33(5) GDPR[90].

6.2 Summary of the objections raised by the CSAs

80. The DE, FR, HU, and IT SAs raised objections that TIC infringed other provisions of the GDPR in addition to, or instead of, Article 33(1) and Article 33(5) GDPR.

6.2.1 Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality

81. The DE SA raised an objection stating that the "underlying bug" in TIC's application that resulted in the Breach notified to the IE SA should have been considered by the IE SA in its Draft Decision, so as to determine whether this bug actually constituted a significant violation of the confidentiality of personal data, ultimately infringing Article 5(1)(f) GDPR, in addition to Article 33(1) and Article 33(5) GDPR.

82. The HU SA raised an objection stating that given the “bug” in TIC’s application over the years and its serious nature affecting data security, the IE SA should investigate whether TIC also infringed Article 5(1)(f) GDPR on the principle of integrity and confidentiality.

6.2.2 Infringement of Article 5(2) GDPR on the principle of accountability

83. The IT SA raised an objection stating that the infringement of Article 33(1) GDPR highlights a much more severe violation of the accountability principle (under Article 5(2) GDPR), since the lack of corporate policies to handle security incidents or the failure to comply with them shows that the measures implemented by the controller are inadequate to ensure compliance and to document it. The IT SA argued that these procedural shortcomings are highlighted by the Draft Decision, but the Draft Decision fails to make this the subject of a specific analysis. As this may affect the handling of future data breaches, too, the findings on whether TIC complied with Article 5(2) GDPR should also be part of the IE SA's final decision according to the IT SA. The IT SA also considered that the infringement of Article 5(2) GDPR is confirmed by the controller's inability to state the exact number and nature of the personal data affected, or the total number of data subjects involved.

[87] Draft Decision, paragraph 2.11.

[88] Draft Decision, paragraph 2.11.

[89] Draft Decision, paragraphs 6.13-6.20, 7.111-7.112, 7.122-7.124.

[90] Draft Decision, paragraphs 6.13, 7.111, 7.122-7.124.
 
6.2.3 Infringement of Article 24 GDPR on the responsibility of the controller

84. The DE SA raised an objection stating that the Draft Decision is not clear on why the IE SA did not assess if the significant violation of the confidentiality of personal data caused by an "underlying bug" is due to an infringement of the requirements of Article 24 GDPR.

6.2.4 Infringement of Article 28 GDPR on the relationship with processors

85. The FR SA expressed an objection stating that TIC did not respect the obligation of the controller to verify the validity of the procedures set up by its processor. Therefore, the FR SA considers that there is no infringement of Article 33(1) GDPR, but of Article 28 GDPR instead (or Article 32 GDPR - see below Section 6.2.5). The FR SA argued that if TIC's processor is its parent company, “it was all the more easy for TIC to verify the validity of the procedures set out by the parent company and to demand a correction if necessary”.

86. The IT SA expressed an objection stating that TIC’s failure to involve the Global DPO in the Detection and Response Team of the processor (Twitter, Inc.), in spite of the fact that this practice was envisaged in TIC's internal policies, shows that the safeguards provided by the processor in terms of implementing the appropriate organisational measures under Article 28(1) GDPR are not extensive enough. In addition, the IT SA argued in its objections that the processor infringed its obligation to assist the controller, according to Article 28(3)(f) GDPR.

6.2.5 Infringement of Article 32 GDPR on the security of the processing

87. The DE SA raised objections stating that the IE SA should have examined if all appropriate technical and organisational measures (according to Article 32 GDPR) were complied with in this case, and whether infringements in this area should have been made the subject of these proceedings. The DE SA also argues that the Draft Decision is not clear on why the IE SA did not assess if the significant violation of the confidentiality of personal data caused by an "underlying bug" is due to an infringement of the requirements of Article 32 GDPR.

88. The FR SA expressed an objection concerning the legal characterisation of the facts carried out by the IE SA and stated that TIC’s failure to respect the obligation of the controller to verify the validity of the procedures set up by its processor corresponds to an infringement of Article 32 GDPR (or Article 28 GDPR - see above Section 6.2.4), rather than of Article 33(1) GDPR. The FR SA argued that if TIC's processor is its parent company, “it was all the more easy for TIC to verify the validity of the procedures set out by its parent company and to demand a correction if necessary”.

89. The HU SA raised objections stating that given the “bug” in TIC’s application over the years and its serious nature affecting data security, the IE SA should investigate whether TIC also infringed Article 32 GDPR on TIC’s obligations of security of the processing.
 
 
6.2.6 Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing

90. The DE SA expressed objections stating that the IE SA’s examination is lacking with regard to the scope of the information to be provided in the case of a notification, which is stipulated as binding in Article 33(3) GDPR. Based on TIC’s comments on the Breach, provided pursuant to Article 33(5) GDPR, and on the description of the investigation of the facts of the case, TIC obviously did not fully comply with its documentation obligation when it first reported the Breach on 8 January 2019. The DE SA considered that there are therefore numerous indications that the result could also be an infringement of Article 33(3) GDPR.

6.2.7 Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject

91. The HU SA raised objections stating that given the “bug” in TIC’s application over the years and its serious nature affecting data security, the IE SA had to investigate whether TIC also infringed Article 34 GDPR on TIC’s obligations of informing the data subjects about the Breach.

6.3 Position of the LSA on the objections

92. The LSA provided its response in respect of the objections concerning potential further (or alternative) infringements of the GDPR collectively in its Composite Memorandum shared with the CSAs. The LSA explained that it “exercised its discretion [...] to confine the scope of the Inquiry to the consideration of two discrete issues, being whether TIC had complied with its obligations as a controller under Article 33(1) in respect of the notification of the Breach, and whether it had complied with its obligations under Article 33(5) to document the Breach”[91]. The LSA relied on Section 110(1) of the Irish Data Protection Act 2018, which provides that the IE SA may “cause such inquiry as it thinks fit to be conducted”[92]. The purpose of the inquiry as described by the IE SA was thus “solely to examine the circumstances surrounding TIC’s apparent delayed notification of the Breach [...] and its documenting of the Breach”, an issue considered by the IE SA as “of considerable importance given that, with close to 200,000 breaches notified in two years across the EU, there is a need for clarity on what is required under the breach notification and documentation requirements of the GDPR”[93].

93. Within its Composite Memorandum[94], the IE SA maintains that objections raised in the context of Article 60(4) GDPR cannot have the effect of challenging the scope of an inquiry. In the case at hand, the LSA recalls that it informed TIC at the beginning of the inquiry that its purpose was to verify TIC’s compliance with Article 33(1) and Article 33(5) GDPR in respect of its notification of a Breach to the LSA on 8 January 2019. The whole inquiry process was therefore conducted within that scope, as was the drafting of the Draft Decision, and TIC was afforded its right to be heard in that regard at each step of the procedure. Therefore, the LSA maintains that if it were to follow the CSAs’ objections and include other infringements in its final decision “on the basis of only the material contained in the Draft Decision”, this would result in jeopardising “the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness”[95].

[91] Composite Memorandum, paragraph 1.7.
[92] Composite Memorandum, paragraph 1.5.
[93] Composite Memorandum, paragraph 1.9.
[94] Composite Memorandum, paragraph 5.44.
[95] Composite Memorandum, paragraph 5.44(c).
 
 
94. Furthermore, the LSA explains that it has another ongoing inquiry in relation to other data breaches notified to the LSA by TIC prior to the notification that concerns the case at hand. In that other inquiry, initiated before the one at hand, the LSA highlights that the scope of investigation concerns possible non-compliance with “inter alia, Articles 5, 24, 25, 28, 29 and 32” GDPR[96]. The LSA considers that this parallel inquiry is indeed assessing TIC’s compliance with its broader obligations under GDPR to determine if compliance insufficiencies caused the data breaches. Consequently, the LSA is of the position that the CSAs will have the possibility to consider such possible infringements in the context of that other inquiry, as they will be consulted on its Draft Decision, in accordance with Article 60(4) GDPR[97].

95. TIC submitted that, since the Draft Decision states that “a detailed examination of the technical and organisational measures is beyond the scope of the inquiry”[98], it “would not be reasonable or appropriate, and would offend well-established principles of natural justice, if the Decision were to make findings or impose sanctions on TIC in respect of obligations and principles which did not form part of the DPC’s investigation, since TIC has not had an opportunity to address any concerns which the DPC or CSAs may have about TIC’s processes in these areas”[99].

6.4 Analysis of the EDPB

6.4.1 Assessment of whether the objections were relevant and reasoned

6.4.1.1 Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality

96. The EDPB notes that the DE SA’s objection on Article 5(1)(f) GDPR refers to whether there is an infringement of the GDPR by expressing a disagreement as to the conclusions to be drawn from the findings of the investigation. The objection also puts forward arguments to support the conclusion that compliance with Article 5(1)(f) GDPR should be assessed. The DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the confidentiality of personal data and that a large number of persons were concerned for a substantial period of time. Furthermore, the DE SA also argued that there were indications to consider the existence of a “systemic error”, which would have required a deeper scrutiny beyond the single specific bug involved.

97. The HU SA’s objection can also be considered as relevant as it concerns whether there is an infringement of the GDPR. Additionally, it (only) briefly makes reference to factual arguments supporting the need to assess this additional provision (the duration of the bug and its serious nature affecting data security), but does not “clearly demonstrate” the significance of the risks posed by the Draft Decision for the rights and freedoms of individuals, as it does not put forward arguments or justifications concerning the consequences of issuing a decision without the changes proposed in the objection[100].

[96] Composite Memorandum, paragraph 1.10.
[97] Composite Memorandum, paragraph 5.44(d).
[98] Draft Decision, paragraph 7.19.
[99] “Representations in response to objections and comments from CSAs” submitted by TIC (14 August 2020), paragraph 4.1. The EDPB wishes to highlight that the objections raised by the CSAs were brought to TIC’s attention by the IE SA, and TIC issued the aforementioned representations on the objections, which were taken into account by the IE SA prior to the initiation of the Article 65 procedure and are part of the file under consideration of the EDPB in the context of this procedure. See also footnote 19.
 
98. As a consequence, the EDPB considers the objection raised by the DE SA in relation to the potential additional infringement of Article 5(1)(f) GDPR to be relevant and reasoned for the purposes of Article 4(24) GDPR, but considers that the HU SA’s objection in relation to the same topic does not meet the requirements of Article 4(24) GDPR[101].

99. The EDPB will assess the merits of the substantial issues raised by the DE SA objection in relation to the potential additional infringement of Article 5(1)(f) GDPR (see section 6.4.2 below).

6.4.1.2 Infringement of Article 5(2) GDPR on the principle of accountability

100. The objection raised by the IT SA is to be considered “relevant” since, if followed, it would lead to a different conclusion as to whether there is an infringement of the GDPR[102]. More specifically, it includes a “disagreement as to the conclusions to be drawn from the findings of the investigation”, since it states that the “findings amount to the infringement of a provision of the GDPR [...] in addition to [...] those already analysed by the draft decision”[103].

101. Additionally, the objection is “reasoned” as it includes clarifications as to why the amendment of the decision is proposed[104]: the proposed change relies on the “lack of formalised corporate policies to handle security incidents [...] or the failure to comply with said policies”, on the fact that such “procedural shortcomings are highlighted by the [IE SA] repeatedly” in the Draft Decision, and on the controller’s inability to state the exact number and nature of the personal data / data subjects affected.

102. The IT SA clearly demonstrated the significance of the risks posed by the Draft Decision for fundamental rights and freedoms of data subjects, by showing the “implications the draft decision would have for the protected values”[105] and more specifically the “impact on the rights and freedoms of data subjects whose personal data might be processed in the future”[106]: the objection did so by arguing that the aspects mentioned are “structural in nature as regards the controller’s organization” and “bound to produce effects not simply on the case at issue, but also on the handling of any personal data breach that may occur in the future”.

103. As a consequence, the IT SA’s objection on Article 5(2) GDPR meets the requirements set out in Article 4(24) GDPR. The EDPB will therefore analyse the merits of the substantial issues raised by this objection[107].

[100] Guidelines on RRO, paragraph 19.
[101] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by the HU SA’s objection. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.
[102] Guidelines on RRO, paragraph 13.
[103] Guidelines on RRO, paragraph 27.
[104] Guidelines on RRO, paragraph 17.
[105] Guidelines on RRO, paragraph 37.
[106] Guidelines on RRO, paragraph 43.
[107] See section 6.4.2 below.
 
 
6.4.1.3 Infringement of Article 24 GDPR on the responsibility of the controller

104. The DE SA’s objection specifically refers to Chapter 5 "Issues for determination" of the Draft Decision[108], and objects to the Draft Decision as to whether Article 24 GDPR was also infringed by TIC[109]. It relies on the facts[110] set out in the Draft Decision that “if a Twitter user with a protected account, using Twitter for Android, changed their email address the bug would result in their account being unprotected”[111] and their protected tweets were made publicly available via the service. More precisely, the DE SA is questioning why the IE SA did not examine, in the Draft Decision, the causes of the Breach, in particular in light of Article 24 GDPR, and why the IE SA did not explain in the Draft Decision why it did not perform such examination.

105. The DE SA argues that given that the Breach notification revealed “deficiencies in compliance with the GDPR, ... [a] company that is not capable by own means and resources, by inspections of internal or external security teams to find a bug of that prominence and scope should be subject to a deeper scrutiny regarding its security and data processing setup, beyond the single specific bug involved".

106. According to the DE SA, a higher scrutiny into TIC's data processing setup "could result, as the case may be, in an order to the controller to bring processing operations into compliance with the provisions of the GDPR. The case at hand fails to reflect this task. This makes it all the more urgent to examine the corrective powers under Article 58(2) GDPR in this context".

107. Therefore, the DE SA pointed out what it considered as an absence of assessment, with the consequence that the conclusions drawn from the findings of the investigation by the LSA could be different[112].

108. The DE SA’s objection states that “According to Art. 83 (1) GDPR, fines must be “effective, proportionate and dissuasive in each individual case. A sanction is effective and dissuasive if, on the one hand, it is suitable as a general preventive measure to deter the general public from committing infringements and to affirm the general public’s confidence in the validity of Union law, but, on the other hand, it is also suitable as a preventive measure to deter the offender from committing further infringements”. Consequently, the DE SA demonstrates how not changing the Draft Decision to include an assessment of compliance with Article 24 GDPR would pose significant risks for the fundamental rights and freedoms of data subjects[113].

109. In its Guidelines on RRO, the EDPB accepts that an objection may challenge the conclusion of the LSA, by considering that the LSA’s findings actually lead to the conclusion that another provision of the GDPR has been infringed in addition to or instead of the provision identified by the LSA[114]. The EDPB considers that this is precisely the essence of the DE SA’s objection, hence not preventing it from being relevant and reasoned.

110. Additionally, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, including by highlighting that a large number of persons were concerned for an equally substantial period of time, reflecting a systemic error that calls for deeper scrutiny, looking beyond the single specific bug involved. As a consequence, the DE SA’s objection on Article 24 GDPR meets the threshold set out in Article 4(24) GDPR.

[108] Guidelines on RRO, paragraph 20.
[109] Guidelines on RRO, paragraph 12.
[110] Guidelines on RRO, paragraph 14.
[111] Draft Decision, paragraph 2.7.
[112] Guidelines on RRO, paragraph 29.
[113] Guidelines on RRO, paragraph 19.
[114] Guidelines on RRO, paragraph 27.
 
111. In light of the assessment above, the EDPB considers that the DE SA’s objection relating to a possible infringement of Article 24 GDPR is relevant and reasoned in accordance with Article 4(24) GDPR. As a consequence, the EDPB is assessing the merit of the substantial issues raised by this objection (see section 6.4.2 below).

6.4.1.4 Infringement of Article 28 GDPR on the relationship with processors

112. The FR SA’s objection specifically refers to paragraphs 7.129 iii), iv) and v) of the Draft Decision[115], and objects to the Draft Decision as to whether Article 28 GDPR was infringed by TIC instead of Article 33(1) GDPR[116]. It relies on the facts[117] set out in the Draft Decision and on the findings by the LSA that “TIC did not respect the obligation of the controller to verify the validity of the procedures set up by its processor”.

113. According to the FR SA, since Article 28(3)(h) GDPR sets forth the controller’s duties when it uses a processor, the findings should have led the LSA to the conclusion that Article 28(3)(h) GDPR was infringed, instead of Article 33(1) GDPR. Ultimately, it means, for the FR SA, that the sanction issued in fine should address different infringements.

114. In its Guidelines on RRO, the EDPB accepts that an objection may challenge the conclusion of the LSA, by considering that the LSA’s findings actually lead to the conclusion that another provision of the GDPR has been infringed in addition to or instead of the provision identified by the LSA[118]. The EDPB considers that this is precisely the essence of the FR SA’s objection, hence not preventing it from being relevant. The objection also adequately puts forward arguments supporting the conclusion proposed. At the same time, the EDPB notes that the FR SA’s objection does not clearly demonstrate the significant risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects with specific regard to the failure to conclude on the infringement of this specific provision[119]. In light of this assessment, the EDPB considers that the FR SA’s objection relating to a possible infringement of Article 28 GDPR instead of Article 33(1) GDPR is not relevant and reasoned in accordance with Article 4(24) GDPR[120].

115. The IT SA objects to the Draft Decision as to whether Article 28 GDPR, inter alia, was infringed by TIC in addition to Article 33(1) GDPR[121].

116. The IT SA relies on the facts set out in the Draft Decision and on the findings by the LSA that, whilst the involvement of the Global DPO in the Detection and Response Team of its processor, Twitter, Inc., is envisaged in TIC’s internal policies, in practice the Global DPO was not involved. The IT SA also notes that Twitter, Inc., as the processor, failed to assist TIC.

[115] Guidelines on RRO, paragraph 20.
[116] Guidelines on RRO, paragraph 12.
[117] Guidelines on RRO, paragraph 14.
[118] Guidelines on RRO, paragraph 27.
[119] Guidelines on RRO, paragraph 29.
[120] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.
[121] Guidelines on RRO, paragraph 12.
 
 
117. According to the IT SA, with Article 28(1) GDPR requiring controllers to only use processors providing sufficient guarantees to implement appropriate technical and organisational measures, and Article 28(3)(f) GDPR requiring the contract between the controller and the processor to stipulate that the processor assist “the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of the processing and the information available to the processor”, the findings should have led the LSA to the conclusion that Article 28(1) and Article 28(3)(f) GDPR were also infringed.

118. The EDPB considers that the IT SA’s objection in relation to Article 28(1) and Article 28(3)(f) GDPR is to be considered “relevant” since, if followed, it would lead to a different conclusion as to whether there is an infringement of the GDPR[122]. More specifically, it includes a “disagreement as to the conclusions to be drawn from the findings of the investigation”, since it states that the “findings amount to the infringement of a provision of the GDPR [...] in addition to [...] those already analysed by the draft decision”[123].

119. Additionally, according to the EDPB, the objection is “reasoned” as it includes clarifications as to why the amendment of the decision is proposed[124]: the proposed change relies on the fact that the controller did not comply with its internal policies according to which TIC’s DPO should be involved. Besides, the objection raises the point that the processor failed to comply with its contractual obligation to assist the controller, in accordance with Article 28(3)(f) GDPR.

120. However, the EDPB notes that the IT SA’s objection relating to Article 28(1) and Article 28(3)(f) GDPR does not clearly demonstrate significant risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects[125]. As a consequence, this objection raised by the IT SA does not meet the requirements set out in Article 4(24) GDPR[126].

6.4.1.5 Infringement of Article 32 GDPR on the security of the processing

121. The DE SA’s objection, if followed, would entail a change leading to a different conclusion as to whether there is an infringement of the GDPR, since it identified a “disagreement as to the conclusions to be drawn from the findings of the investigation”[127] by pointing out that the findings may indicate an infringement also of Article 32 GDPR. The EDPB therefore considers that there is a link between the content of the objection and the potential different conclusion[128]. In addition, this objection is related to specific legal and factual content of the Draft Decision[129].

122. Additionally, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the confidentiality of personal data and that a large number of persons were concerned for a substantial period of time. Furthermore, the DE SA also argued that there were indications to consider the existence of a “systemic error”, which would have required a deeper scrutiny beyond the single specific bug involved.

[122] Guidelines on RRO, paragraph 13.
[123] Guidelines on RRO, paragraph 27.
[124] Guidelines on RRO, paragraph 17.
[125] Guidelines on RRO, paragraph 29.
[126] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.
[127] Guidelines on RRO, paragraph 28.
[128] Guidelines on RRO, paragraph 13.
[129] Guidelines on RRO, paragraph 14.
 
123. In light of the assessment above, the EDPB considers that the DE SA’s objection relating to a possible infringement of Article 32 GDPR is relevant and reasoned in accordance with Article 4(24) GDPR. As a consequence, the EDPB is assessing the merit of the substantial issues raised by this objection (see point 6.4.2 below).

124. As regards the FR SA’s objection, the EDPB considers it as meeting the criterion of “relevant” because, had the LSA followed it, there would be a different conclusion as to whether there is an infringement of the GDPR[130]. The FR SA’s objection is based on the reasoning provided by the IE SA in its Draft Decision and this reasoning is linked with the conclusion as to whether an infringement of the GDPR has been correctly identified[131]. The EDPB recalls that the CSA has to present the facts allegedly leading to a different conclusion[132] and notes that in the case at stake the objection analyses the facts that would lead to the violation of Article 32(1)(d) GDPR, instead of a violation of Article 33(1) GDPR, and does so in a coherent, clear and precise way, by clearly indicating which parts of the decision of the IE SA it disagrees with. The FR SA’s objection is clearly relevant by outlining a disagreement on whether an infringement of the GDPR has taken place. However, the FR SA’s objection only succinctly explains the reasons for its proposed change and does not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects in relation to the failure to find an infringement of Article 32 GDPR. As a consequence, this objection raised by the FR SA does not meet the requirements set out in Article 4(24) GDPR[133].

125. The HU SA’s objection also referred to whether there is an infringement of the GDPR, arguing that the possible infringement of the principle of integrity and confidentiality should also be investigated. The HU SA’s objection is clearly relevant by outlining that an additional provision of the GDPR (i.e. Article 32 GDPR) should have been investigated. However, the HU SA does not explain how the Draft Decision would pose such risks, nor does it fully explain why specific aspects of the decision are deficient in its point of view[134]. The HU SA’s objection fails to meet the criterion of providing sound reasoning for its objection, by referring to legal or factual arguments. On the contrary, it just recommends that the IE SA would also need to investigate the controller’s compliance with Article 32 GDPR. As a consequence, this objection raised by the HU SA does not meet the requirements set by Article 4(24) GDPR[135].

6.4.1.6 Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing

126. The DE SA considers that the Draft Decision indicates that Article 33(3) GDPR could be infringed in addition to other provisions of GDPR. In that sense, it is about “whether there is an infringement” of the GDPR, and that it has not been examined and addressed by the Draft Decision. Hence, the DE SA considers that, if changed, the Draft Decision would lead to the conclusion of additional infringements of GDPR.

[130] Guidelines on RRO, paragraph 13.
[131] Guidelines on RRO, paragraph 16.
[132] Guidelines on RRO, paragraph 18.
[133] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.
[134] Guidelines on RRO, paragraph 18.
[135] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.
 
127. However, the DE SA does not clearly demonstrate the significant risks posed by the Draft Decision to
 
the fundamental rights and freedoms of data subjects. As a consequence, the DE SA’s objection on
 
Article 33(3) GDPR fails to meet the requirements set out in Article 4(24) GDPR136
 
. 6.4.1.7 Infringement of Article 34 GDPR on the communication of a personal data breach to the
 
data subject
 
128. The HU SA considers that the Draft Decision indicates that Article 34 GDPR could be infringed in
 
addition to other provisions of GDPR, especially in light of the fact that the bug lasted over the years,
 
and given the serious nature affecting the controller’s security. In that sense, it is about “whether there
 
is an infringement” of the GDPR, and that it has not been examined and addressed by the Draft
 
Decision. Hence, the HU SA considers that, if changed, the Draft Decision would lead to the conclusion
 
of additional infringements of GDPR.
 
129. However, the HU SA does not clearly demonstrate the significant risks posed by the Draft Decision to
 
the fundamental rights and freedoms of data subjects. As a consequence, the HU SA’s objection on
 
Article 34 GDPR do not meet the requirements set out in Article 4(24) GDPR137
 
. 6.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and
 
reasoned objections and conclusion
 
130. The Board now analyses the objections found being relevant and reasoned - in particular the DE SA’s
 
objections on Article 5(1)(f), Article 24 and 32 GDPR, as well the IT SA’s objection on Article 5(2) GDPR
 
- as well as the LSA’s response to those objections and the TIC submissions.
 
131. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR. The EDPB can (and must) make a binding decision which shall whenever possible, taking into account the elements of the file and the respondent’s right to be heard, provide a final conclusion on the application of the GDPR in relation to the case at hand. The LSA will then be obliged to implement the changes in its final decision.
 
132. The Board considers that the available factual elements included in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of further (or alternative) infringements of Article 5(1)(f), 5(2), 24 and 32 GDPR.

133. The Board considers that, as a general matter, the limited scope of the inquiry by the IE SA - focused since the outset only on whether there were infringements by TIC of Article 33(1) and 33(5) GDPR - directly affects the remit of the investigation and further fact finding, as well as the ability for CSAs to put forward sufficient elements for the EDPB to sustain the objections.

[136] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.
[137] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

134. The EDPB recalls the duty for the LSA to “endeavour to reach consensus” with the CSAs (Article 60(1) GDPR) and to provide, without delay, the CSAs with “the relevant information” on the matter (Article 60(3) GDPR). Even in the case of an own-volition inquiry, the Guidelines on relevant and reasoned objections state that the LSA “should seek consensus regarding the scope of the procedure (i.e. the aspects of data processing under scrutiny) prior to initiating the procedure formally”,[138] including in the context of a possible new proceeding.
 
135. Whilst the EDPB considers that SAs enjoy a certain degree of discretion to decide how to frame the scope of their inquiries, the EDPB recalls that one of the main objectives of the GDPR is to ensure consistency throughout the European Union, and the cooperation between the LSA and CSAs is one of the means to achieve this. The EDPB also recalls the existence of a full range of cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR), bearing in mind the goal of reaching consensus within the cooperation mechanism and the need to exchange all relevant information, with a view to ensuring protection of the fundamental rights and freedoms of data subjects.
 
136. The EDPB considers that in determining the scope of the inquiry, whilst it can be limited, an LSA should frame it in such a way that it permits the CSAs to effectively fulfil their role, alongside the LSA, when determining whether there has been an infringement of the GDPR.
 
7 ON THE CORRECTIVE MEASURES DECIDED BY THE LSA - IN PARTICULAR, THE IMPOSITION OF A REPRIMAND

7.1 Analysis by the LSA in the Draft Decision
 
137. The Draft Decision explains that, while in the Preliminary Draft Decision the proposed corrective powers to be imposed were both a reprimand, pursuant to Article 58(2)(b) GDPR, and an administrative fine, pursuant to Article 58(2)(i) GDPR, the final Draft Decision consists of the imposition only of an administrative fine on TIC as the controller.[139]
 
138. In its submissions in relation to the Preliminary Draft Decision, TIC objected to the decision to issue a reprimand, contending that the infringements of Article 33(1) and Article 33(5) GDPR do not comprise “processing operations”, while Article 58(2)(b) GDPR provides supervisory authorities with the power to issue reprimands where processing operations have infringed provisions of the GDPR.[140] TIC’s argument mainly relied on the fact that neither the delay in notifying the SA nor the failure to keep appropriate records amounts to a processing operation in itself.[141]
 
139. In its Draft Decision, the IE SA explained its decision not to issue a reprimand by recalling the argument put forward by TIC in its submissions in relation to the Preliminary Draft Decision, contending that the infringements of Article 33(1) and Article 33(5) GDPR do not comprise “processing operations”, while Article 58(2)(b) GDPR provides supervisory authorities with the power to issue reprimands where processing operations have infringed provisions of the GDPR.[142] The IE SA considered that the term ‘processing operation(s)’ appears 50 times in the GDPR and seems to be used to denote the treatment or use of, in other words things that are done to, personal data controlled by a controller, but that at the same time the definition of “processing” provided by the GDPR is very broad, which makes it arguable that, given that a breach is something affecting, or done to, personal data, it follows that the notification obligation (insofar as it inherently must entail an examination of what has happened to personal data or how it has been affected) is intrinsically connected to one or more processing operations.[143] The IE SA did not consider it necessary to definitively conclude on the meaning and effect of the term “processing operations” in the Draft Decision, but “on balance” considered that TIC’s legal argument was “a stateable one”, deciding not to proceed with the issuing of a reprimand to TIC.[144]

[138] Guidelines on RRO, paragraph 28.
[139] Draft Decision, paragraph 12.1.
[140] TIC’s submissions in relation to the Preliminary Draft Decision, paragraph 11.1.
[141] Draft Decision, paragraph 12.4.
[142] TIC’s submissions in relation to the Preliminary Draft Decision, paragraph 11.1.
 
7.2 Summary of the objections raised by the CSAs

140. The DE SA raised an objection concerning the fact that while in the Preliminary Draft Decision both a reprimand and a fine were envisaged, only a fine was included in the Draft Decision. The DE SA disagreed with the reasoning put forward by the IE SA concerning the decision to not impose a reprimand. According to the DE SA, the legal reasoning accepted by the LSA as “stateable” is not convincing as the legal interpretation requires not only an examination of the wording of the provision, but also of its meaning and purpose, the history of its development and its systematic integration into the entire regulatory complex.
 
7.3 Position of the LSA on the objections

141. In its Composite Memorandum, the IE SA considered that whereas the DE SA’s objection does relate to “whether envisaged action in relation to a controller or processor complies with [the GDPR]”, it does not demonstrate how not issuing a reprimand to TIC could lead to significant risks for data subjects[145]
on the decision to not issue a reprimand was not relevant and reasoned in accordance with Article 4(24) GDPR.
 
142. Nonetheless, addressing the merits of the substantial issue(s) raised by the objections, the LSA explained that it considered the term “processing operations” in accordance with its meaning and application throughout the whole GDPR, noting that this term is only used for SAs’ powers under Article 58 GDPR. Following TIC’s submissions in its response to the CSAs’ objections on that point, the LSA decided, having regard to the scope of the inquiry that focussed on the controller’s obligations in relation to the Breach notification, that its inquiry “did not involve a finding that the underlying ‘processing operations’ relating to the Breach infringed [...] the GDPR”.[146] Therefore, the LSA considered that there was no reason to review its decision to not issue a reprimand in light of the DE SA’s objection.

143. The LSA noted that its position in the Draft Decision to not issue a reprimand is only applicable to the specific circumstances of this case; hence it is without any prejudice for future decisions on reprimands that could be made by the LSA or any other CSA.[147]

[143] Draft Decision, paragraph 12.5.
[144] Draft Decision, paragraph 12.5. The other separate arguments made by TIC concerning reasons why the imposition of a reprimand was not considered appropriate (TIC’s submissions in relation to the Preliminary Draft Decision, paragraphs 11.2-11.4) were not considered separately, in light of the aforementioned decision (Draft Decision, paragraph 12.6).
[145] Composite Memorandum, paragraph 5.79.
[146] Composite Memorandum, paragraph 5.78.
[147] Composite Memorandum, paragraph 5.78.
 
7.4 Analysis of the EDPB

7.4.1 Assessment of whether the objections were relevant and reasoned

144. The DE SA objection refers to the compliance of the envisaged action with the GDPR, as it indicates what corrective action would, in its view, be appropriate for the LSA to include in the final decision: it is therefore a relevant objection, which adequately shows the different conclusion proposed. Furthermore, it includes legal reasoning supporting its view and proposes an alternative legal interpretation. Nevertheless, the objection does not clearly demonstrate the significance of the risk posed by the Draft Decision for rights and freedoms of data subjects and/or the free flow of personal data. In particular, it does not provide motivation on how the failure to impose a reprimand in this specific case - where a fine is also imposed - may trigger risks for data subjects’ fundamental rights and freedoms.
 
7.4.2 Conclusion

145. The EDPB considers that this objection does not meet the requirements of Article 4(24) GDPR.

146. The EDPB notes the LSA’s statement that its position not to issue a reprimand is only applicable to the specific circumstances of this case; hence it is without any prejudice for future decisions on reprimands that could be made by the LSA or any other CSA.[148]

147. As previously indicated, the decision of the EDPB not to assess the merits of the substance of the objection raised is without prejudice to future EDPB decisions on the same or on similar issues.
 
8 ON THE CORRECTIVE MEASURES - IN PARTICULAR, THE CALCULATION OF THE ADMINISTRATIVE FINE

8.1 Analysis by the LSA in the Draft Decision

148. The Draft Decision explains how the IE SA considered the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine and how to determine its amount.[149]
 
149. As regards the calculation of the fine, the Draft Decision analysed, first, the nature, gravity and duration of the infringement, as per Article 83(2)(a) GDPR.[150] The Draft Decision took into account the “nature, scope or purpose of the processing” by referring to the nature of the processing operations carried on by Twitter (a “microblogging” and social media platform on which users have the opportunity to document their thoughts in “tweets”), to the nature of the processing that gave rise to the Breach (arising from a bug leading to previously ‘protected’ tweets becoming ‘unprotected’ and publicly accessible - in cases where Android users changed the email address), and to the scope of the processing (the bug affected at least 88,726 EU/EEA users, as additional people were affected between the date of the bug on 4 November 2014 and its full remediation on 14 January 2019 but it was not possible for them to be all identified).[151]

[148] Composite Memorandum, paragraph 5.78.
[149] Draft Decision, paragraphs 14.1-14.62.
[150] Article 83(2)(a) GDPR refers to “the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them”.
 
150. The Draft Decision also took into account the number of data subjects affected and the level of damage suffered by them[152] by concluding that the number of data subjects who could have been potentially affected by the delayed notification and the potential for damage to data subjects arising from the consequent delayed assessment by the SA were relevant factors to take into consideration.[153] It was recalled that the impact on individual users and the possibility of damage arising therefrom will depend on the level and nature of the personal data made public, and that there was at least a potential for damage to data subjects linked to the delaying of remedial actions.[154] The position of the IE SA in the Preliminary Draft was that “whilst TIC had not confirmed the precise nature of the data made public in the Breach, it was reasonable to deduce that, given the scale of the affected users and the nature of the service offered by TIC, some of the personal data released in relation to, at least, some of the users will have included sensitive categories of data and other particularly private material”.[155] This position was further nuanced in the Draft Decision in light of TIC’s submissions, as the IE SA decided that “less weight should be attributed to this factor”, on the basis of the fact that “while it cannot be definitively said that no users affected by the Breach were affected by the delayed notification, there was no direct evidence of damage to them arising from the delayed notification”.[156]
 
151. With respect to the nature of the infringement, the Draft Decision highlighted that the infringements of Articles 33(1) and 33(5) GDPR do not relate to the substantive matter of the Breach.[157] The IE SA also considered that the nature of the obligations under Articles 33(1) and 33(5) GDPR is such that compliance is central to the overall functioning of the supervision and enforcement regime performed by supervisory authorities, in relation both to the specific issue of personal data breaches and to the identification and assessment of wider issues of non-compliance by controllers, and that non-compliance with such obligations has serious consequences in that it risks undermining the effective exercise by SAs of their functions under the GDPR.[158]
 
152. With regard to the gravity of the infringement of Article 33(1) GDPR, the Draft Decision took account of how it interfered with the overall purpose of notifying a personal data breach to the supervisory authority, of the fact that no material damage to data subjects was shown, of the fact that the remedial measures by TIC were limited to forward looking action to close down the bug (and did not amount to a backward looking analysis to identify the risks to data subjects arising from the Breach) and of TIC’s apparent failure to carry out any formal risk assessment.[159] The Draft Decision did not consider TIC’s contention that the Breach was due to an isolated failure (which led to the delay in notifying the DPO) to be of sufficient weight as to lessen the gravity of the infringement (but did take into account the isolated nature of the incident, departing from the provisional view in the Preliminary Draft that the Breach was indicative of a broader, more systemic issue).[160] Concerning the gravity of the infringement of Article 33(5) GDPR, the Draft Decision highlighted that proper documentation of breaches is required in order to enable a supervisory authority to verify the controller’s compliance with Article 33 GDPR[161] and that the IE SA was required to raise multiple queries in order to gain clarity concerning the facts surrounding the notification of the Breach,[162] but acknowledged that the deficiencies in the documentation arose from a good faith misunderstanding of the requirements (which are, however, clear from the wording of the provision).[163] The Draft Decision concluded that each infringement was at the “low to moderate end of the scale of gravity”.[164]

[151] Draft Decision, paragraph 14.2.
[152] Draft Decision, paragraphs 14.3-14.5.
[153] Draft Decision, paragraph 14.5.
[154] Draft Decision, paragraph 14.5 (the Draft Decision notes that “Clearly, the impact on individual users, and the possibility of damage arising therefrom, will depend on the level of personal data made public and, also, the nature of that personal data”).
[155] Draft Decision, paragraph 14.5.
[156] Draft Decision, paragraph 14.5.
[157] Draft Decision, paragraph 14.6.
[158] Draft Decision, paragraph 14.11.
[159] Draft Decision, paragraphs 14.16-14.18.
 
153. With regard to the duration of the infringement of Article 33(1) GDPR, the Draft Decision considered that it was a period of two days and evaluated it in light of the overall timeframe generally permitted for breach notifications (72 hours), noting that it was not a trivial or inconsequential one.[165] Concerning the duration of the infringement of Article 33(5) GDPR, the Draft Decision concluded that it was ongoing.[166]
 
154. In relation to Article 83(2)(b) GDPR (the intentional or negligent character of the infringement), the IE SA concluded in its Draft Decision that there was a negligent character to TIC’s infringement of Article 33(1) GDPR,[167] outlining that the delay in the notification of the Global DPO occurred because part of the internal protocol of the Twitter Group was not completed as prescribed and the protocol was not as clear as it could have been.[168] This led to the conclusion that the delay arose as a result of negligence on the part of the controller, but TIC’s submission that the delayed notification was not indicative of a broader systemic issue and amounted to an isolated occurrence was accepted.[169] The IE SA did not identify any evidence of intentional conduct with regard to the infringement of Article 33(1) GDPR.[170] The Draft Decision also identified that there was a negligent character to TIC’s infringement of Article 33(5) GDPR,[171] since there was no knowledge and wilfulness to cause the infringement (which would have amounted to intent) but the documentation was not sufficient to enable compliance with Article 33 to be verified.[172]
 
155. As regards Article 83(2)(c) GDPR, i.e. action taken by the controller to mitigate the damage suffered by data subjects, the Draft Decision considered that remedial measures were taken to avoid repetition of the issue and to rectify the bug, which were considered as the sole mitigating factor in assessing the amount of the fine to be imposed.[173]
 
156. The Draft Decision considered Article 83(2)(d) GDPR, i.e. the degree of responsibility for the controller or processor, by noting the existing and subsequently enhanced technical and organisational measures implemented by TIC as controller, including the amendment of the internal protocol of the Twitter Group (which the IE SA found was not as clear as it could have been) and the staff training measures taken afterwards by Twitter, Inc. (additional training was provided internally highlighting the importance of mentioning the DPO team - and therefore TIC as controller - in the internal ticket system), as well as the existence of internal structures and safeguards concerning responsibility for information security issues and the existence of a recurring external third party expert audit of Twitter, Inc.’s Information Security Programme.[174] Although the issues that arose were not found to be indicative of a broader systemic issue[175] and TIC demonstrated a generally responsible and accountable approach towards data security,[176] it was considered that there was a moderate to high level of responsibility demonstrated by the controller as a lack of clarity in the protocol was shown also by its subsequent amendment.[177]

[160] Draft Decision, paragraph 14.19.
[161] Draft Decision, paragraph 14.20.
[162] Draft Decision, paragraph 14.21.
[163] Draft Decision, paragraph 14.24.
[164] Draft Decision, paragraph 14.24.
[165] Draft Decision, paragraph 14.26 (it commenced on the expiration of the 72 hours from 3 January 2019 (i.e. on 6 January 2019) and ended at the time of TIC’s notification of the Breach on 8 January 2019).
[166] Draft Decision, paragraph 14.29.
[167] Draft Decision, paragraph 14.34.
[168] Draft Decision, paragraphs 14.33-14.34.
[169] Draft Decision, paragraph 14.34.
[170] Draft Decision, paragraph 14.35.
[171] Draft Decision, paragraph 14.38.
[172] Draft Decision, paragraphs 14.36, 14.38.
[173] Draft Decision, paragraphs 14.39-14.42.
 
157. The degree of cooperation with the supervisory authority was evaluated, in line with Article 83(2)(f) GDPR, and was found to not amount to a mitigating factor.[178] The IE SA acknowledged that TIC cooperated fully but noted that this was a statutory obligation and TIC did not go beyond such duty.[179]
 
158. In relation to Article 83(2)(g) GDPR concerning the categories of personal data affected, the Draft Decision concluded that any category of personal data could have been affected by the delayed notification and that it cannot be definitively said that there was no damage to data subjects or no affected categories of personal data.[180]
 
159. The manner in which the infringement became known to the IE SA was considered to be a relevant factor in the determination of the amount of the fine (in line with Article 83(2)(h) GDPR), since while TIC was forthcoming in furnishing all available documentation, the records did not allow the IE SA to verify compliance with Article 33 GDPR and the information originally provided in the notification made to the IE SA was of an imprecise nature.[181]
 
160. The criteria in Article 83(2)(e), (i) and (j) GDPR were found to be not applicable, and no further elements were identified in relation to Article 83(2)(k) GDPR.[182]
 
161. The IE SA underlined in its Draft Decision that in the absence of specific EU-level guidelines on the calculation of fines, it was not bound to apply any particular methodology or use a fixed financial starting point[183] and that the expression “due regard” provides SAs with a broad discretion as to how to weigh the factors in Article 83(2) GDPR.[184]
 
162. As regards the identification of the relevant undertaking to calculate the fining cap established by Article 83(4) GDPR, the IE SA underlined that the fact that TIC enjoys autonomy in its control over data processing does not mean that it ceases to be part of a single economic entity with its parent company, and noted that, in addition to the ownership of TIC by Twitter, Inc., the General Counsel of Twitter, Inc. appears to be one of the three directors of TIC.[185]

[174] Draft Decision, paragraphs 14.43-14.47.
[175] Draft Decision, paragraph 14.45.
[176] Draft Decision, paragraph 14.47.
[177] Draft Decision, paragraph 14.47.
[178] Draft Decision, paragraph 14.50.
[179] Draft Decision, paragraph 14.49.
[180] Draft Decision, paragraph 14.54.
[181] Draft Decision, paragraph 14.58.
[182] Draft Decision, paragraphs 14.48, 14.59, 14.60, 14.61.
[183] Draft Decision, paragraph 15.2.
[184] Draft Decision, paragraph 15.1.

163. For these reasons, the cap for the value of any fine imposed was calculated by the LSA with reference to Twitter, Inc.’s turnover.[186] As the annual turnover of Twitter, Inc. in 2018 amounted to 3 billion USD, the cap was considered to be 60 million USD (2% of 3 billion USD).[187]

164. In applying the principles of effectiveness, proportionality and dissuasiveness (Article 83(1) GDPR), the Draft Decision considered that a fine cannot be effective if it does not have significance relative to the revenue of the controller, that the infringement must not be considered in the abstract, regardless of the impact on the controller, and that future infringements need to be deterred.[188]

165. The IE SA proposed to impose an administrative fine within the range of 150,000-300,000 USD, i.e. between 0.005% and 0.01% of the undertaking’s annual turnover or between 0.25% and 0.5% of the maximum amount of the fine which may be applied in respect of these infringements. This equates to a fine in Euro of between 135,000 and 275,000.[189]
 
8.2 Summary of the objections raised by the CSAs

166. The AT SA raised an objection concerning the amount of the proposed fine and the fact that the LSA proposed a range of amounts instead of a fixed sum. With regard to Article 83(2)(a) GDPR, the AT SA highlighted that at least 88,726 people (but probably more) were affected by the Breach and “it is very likely that sensitive data were disclosed to the broader public”.
 
167. The objection raised by the AT SA expressed a disagreement as to how the time at which the controller should be deemed to be aware of a data breach was analysed in the Draft Decision. More specifically, the AT SA argued in its objection that TIC should have made a data breach notification within 72 hours after the processor received the bug report and thus became aware of the Breach. The AT SA highlighted that TIC is responsible for overseeing the processing operations carried out by its processor, and that a controller should not seek to hide the failure of its processor with whom it has a contractual relationship and which was selected by the controller itself. This contributes to the assessment of the infringement of Article 33(1) GDPR by the AT SA as “grave”.
 
168. With regard to the “intentional or negligent character of the infringement” (Article 83(2)(b) GDPR), the AT SA argued that the behaviour of TIC should be labelled as “intentional”, on the basis of the criteria of knowledge and wilfulness established in the Guidelines on the application and setting of administrative fines (“WP253”) of the Article 29 Working Party, endorsed by the EDPB.[190] As to the criterion referring to actions taken to mitigate the damage suffered by data subjects (Article 83(2)(c) GDPR), the AT SA highlighted that “initially it was not TIC’s intention to notify users who were affected by the breach” and “the steps taken by Twitter Inc. to rectify the bug are the sole mitigating factor”. Finally, the AT SA considers the range of fine proposed by the IE SA neither effective, nor proportionate, nor dissuasive having regard to the criteria listed in Article 83(2)(a) – (k) GDPR. As a conclusion, the AT SA proposed the imposition of a higher administrative fine, which could meet the requirement of effectiveness, proportionality and dissuasiveness (namely “a minimum amount of 1 % of the undertaking’s annual turnover”).

[185] Draft Decision, paragraph 15.13.
[186] Draft Decision, paragraph 15.14.
[187] Draft Decision, paragraph 15.19.
[188] Draft Decision, paragraph 15.18.
[189] Draft Decision, paragraph 15.20 (the higher end of the range proposed in the Draft Decision is lower than in the Preliminary Draft Decision, in order to reflect changes in the views in relation to gravity, the degree of responsibility of the controller and whether the infringements were systemic). In paragraph 15.21, the Draft Decision underlined that in order to protect TIC’s procedural rights a range of a fine was proposed as opposed to a fixed figure, and acknowledged the possibility that CSAs would comment on where in that range the penalty should lie.
[190] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237.
 
169. The DE SA raised an objection arguing that the fine proposed by the LSA is “too low” and “does not comply with the provisions of Article 83(1) GDPR”. More specifically, the DE SA argued that the fine is not dissuasive. The objection recalled that a sanction can be deemed effective and dissuasive if it is suitable both as a general preventive measure - to deter the general public from committing infringements and to affirm the general public's confidence in the validity of Union law - and as a special preventive measure - to deter the offender from committing further infringements. The DE SA goes on to argue that the financial capacity of an undertaking (in terms of turnover) can provide an important indication of the amounts required to achieve dissuasiveness: this may entail taking into account the part of the turnover generated by the products in respect of which the infringement has been committed, which may provide an indication of the scale of the infringements. The DE SA also argues that the dissuasive effect of high fines can only be achieved if the amounts imposed cannot be easily paid because of large assets or high income, highlighting that the fine must have a dissuasive effect, particularly in relation to specific data processing. As a consequence, the threatened fine must be high enough to make data processing uneconomic and objectively inefficient. As Twitter’s business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would therefore have to be so high that it would render the illegal data processing unprofitable. On the basis of the fine concept applicable to the DE SAs, the fine for the infringement described in the Draft Decision would range from approximately EUR 7,348,035.00 to EUR 22,044,105.00.
 
170. The HU SA argued that, although “fines are justified for the committed infringements”, “the fine set out in the draft is unreasonably low, disproportionate and thus not dissuasive in view of the gravity of the committed infringement and the Controller’s worldwide market power”.
 
171. The IT SA asked the LSA to “review the draft decision as also related to quantification of the administrative fine, taking also account of specific aggravating elements of the case with regard to the nature of the data controller and the severity and duration of the data breach”.
 
8.3 Position of the LSA on the objections

172. The IE SA assessed the objections raised by the AT SA, DE SA and HU SA in relation to the administrative fine to be ‘relevant and reasoned’ within the meaning of Article 4(24) GDPR. At the same time, the IE SA did not follow these objections for the reasons set out in the Composite Memorandum.[191]

173. In particular, as regards the AT and DE SAs' objections, the IE SA considers that its assessment and application of the factors at Articles 83(2)(a) and (b) GDPR, as elaborated in its Draft Decision, is appropriate. Regarding the AT SA's objection, the IE SA argues that TIC's infringement of Article 33(1) and Article 33(5) GDPR was the result of TIC's negligence rather than an intentional omission.[192] Therefore, the IE SA believes that the fine as proposed by the AT SA is not proportionate.[193] In addition, the IE SA argues that the concern of the AT SA regarding the fining range proposed in the Draft Decision, as opposed to a fixed sum, was not well elaborated and clarified by this CSA.[194] With regard to the DE SA's objection, the IE SA took note of the objection of the DE SA regarding the need for the fine to meet the requirement of dissuasiveness, but is of the opinion that the level of the fine proposed by the DE SA is not proportionate in this case.[195] For the above-mentioned reasons, the IE SA considers these objections are reasoned and relevant, but proposes not to follow them.[196]

[191] Composite Memorandum, paragraphs 5.60-5.72.
[192] Composite Memorandum, paragraph 5.62.
[193] Composite Memorandum, paragraph 5.63.
 
. 174. The IE SA has taken due account of the AT SA’s view in relation to the timing of TIC’s awareness and
 
notification of the Breach but concluded that notwithstanding TIC’s actual ‘awareness’ of the Breach
 
on 7 January 2019, TIC ought to have been aware of the Breach at the latest by 3 January 2019197
 
. In
 
identifying 3 January 2019 as the date on which TIC ought to have been aware of the breach, the IE SA
 
took into account that an earlier delay had arisen during the period from when the incident was first
 
notified by a contractor to Twitter, Inc. to when Twitter, Inc. commenced its review198
 
. Further, the IE
 
SA clarifies that it is not suggesting that, "as a matter of generality, data controllers ought to
 
automatically be considered to have awareness of data breaches at the same time at which their
 
processor becomes aware of the breach"
 
199
 
. Also, the IE SA states that "it will usually be the case that
 
a processor which experiences a breach will be aware of the incident at an earlier point in time than its
 
controller, and that, provided the process agreed between the controller and the processor is effective
 
and / or is followed, the controller will be made ‘aware’ of the breach [...] in a manner that enables it
 
to comply with its obligation to notify same"
 
200
 
. 8.4 Analysis of the EDPB
 
8.4.1 Assessment of whether the objections were relevant and reasoned
 
175. Concerning the possibility for relevant and reasoned objections on whether envisaged action in
 
relation to the controller or processor complies with the GDPR201 to challenge the amount of proposed
 
fines, the EDPB recently clarified that “it is possible that the objection challenges the elements relied
 
upon to calculate the amount of the fine”
 
202. This can amount to an example of objection concerning
 
whether the envisaged action in relation to the controller or processor complies with the GDPR.
 
176. In the case at stake, the AT SA’s objection challenges the elements relied upon by the IE SA in
 
calculating the amount of the fine and thus concerns the compliance of the proposed action vis-a-vis
 
the controller with the GDPR. The AT SA clarified the connection between its objection and the Draft
 
Decision and demonstrated how the proposed changes would lead to a different conclusion.
 
Additionally, it provided arguments on why the amendment of the decision is proposed, by providing
 
an alternative interpretation of three of the criteria listed by Article 83 GDPR and by making reference
 
to factual and legal arguments. The AT SA clearly demonstrates the significance of the risks posed by
 
the Draft Decision, first of all, by arguing that the proposed fine is not adequately effective and
 
dissuasive and by recalling that to this end it needs to be likely to deter the general public from
 
committing a similar infringement and confirm the public’s confidence in the application of Union law,
 
194 Composite Memorandum, paragraph 5.64. 195 Composite Memorandum, paragraph 5.68. 196 Composite Memorandum, paragraphs 5.65, 5.68. 197 Composite Memorandum, paragraph 5.48. 198 Composite Memorandum, paragraph 5.50. 199 Composite Memorandum, paragraph 5.50. 200 Composite Memorandum, paragraph 5.50. 201 GDPR, Article 4(24). 202 Guidelines on RRO, paragraph 34.
 
Adopted 41
 
as well as to deter the controller from committing further infringements. Additionally, in the
 
assessment of the gravity of the infringement the objection also refers to the extent to which data
 
subjects (in a number likely to be higher than the one identified) were affected by the Breach (e.g. by
 
having their previously protected tweets, likely to include sensitive data, exposed to the wider public).
 
The alleged intentionality of the infringement, according to the AT SA, implies a far greater impact on
 
the ability to know right from wrong than a negligent infringement. In light of the assessment above,
 
the EDPB considers that the AT SA’s objection is relevant and reasoned in accordance with Article 4(24)
 
GDPR. As a consequence, the EDPB will assess the merit of the substantial issues raised by this
 
objection (see section 8.4.2 below).
 
177. The DE SA’s objection is also to be considered relevant as it concerns the compliance of the envisaged action with the GDPR, by challenging the elements relied upon to calculate the amount of the fine. More specifically, it argues that the fine imposed by the IE SA is not dissuasive and thus the calculation performed does not comply with Article 83(1) GDPR. The DE SA clarified that a sanction is to be considered effective and dissuasive when it serves as a general preventive measure to deter the general public from committing infringements as well as to affirm its trust in the validity of Union law, but also when it deters the offender from committing additional infringements. In addition, the DE SA clearly demonstrates the significance of the risks that the Draft Decision poses to the rights and freedoms of the data subjects, as the failure to impose a dissuasive and effective sanction may not be able to deter the controller from committing further infringements.

178. Another argument provided by the DE SA to demonstrate the significance of the risks is that the failure to appropriately handle the Breach suggests a “systemic error”, which would have required submitting the controller to a deeper scrutiny, beyond the single specific incident. The DE SA also recalled that a large number of persons was concerned and the period of time was equally substantial, and concluded that the corrective powers imposed on the basis of Article 58(2) GDPR need to be examined in light of these elements. To conclude, the EDPB considers that the DE SA’s objection is reasoned and relevant within the definition of Article 4(24) GDPR. As a consequence, the EDPB will assess the merit of the substantial issues raised by this objection (see section 8.4.2 below).

179. The HU SA’s objection is relevant as it also concerns the compliance of the envisaged action with the GDPR, by stating that the proposed fine is “unreasonably low, disproportionate and thus not dissuasive”. However, while the objection refers to “the “bug” in the controller’s application over the years” and to “its serious nature affecting data security”, as well as to the “gravity of the committed infringement” and to the “controller’s worldwide market power”, it does not clearly demonstrate the significance of the risks for rights and freedoms of data subjects posed by the amount of the fine as proposed by the IE SA. As a consequence, the EDPB considers this objection does not meet the requirements of Article 4(24) GDPR[203].

180. Last, the relevance of the objection raised by the IT SA is also shown by its reference to whether the proposed action complies with the GDPR, as it argues that the IE SA should review the Draft Decision in relation to the quantification of the administrative fine. By referring to the “foregoing objections” and thus to the fact that the aspects mentioned are “structural in nature as regards the controller's organisation” and “bound to produce effects not simply on the case at issue, but also on any data breach that may occur in the future”, the IT SA’s objection clearly demonstrates the significance of the risks for the rights and freedoms of data subjects with respect to the quantification of the fine.

181. Therefore, the EDPB considers that the IT SA’s objection is reasoned and relevant, meeting the requirements of Article 4(24) GDPR. As a consequence, the EDPB will assess the merit of the substantial issues raised by this objection.

[203] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.
 
8.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and reasoned objections

182. The EDPB considers that the objections found to be relevant and reasoned in this subsection[204] require the assessment of whether the Draft Decision proposes a fine in line with the criteria established by Article 83 GDPR and the Article 29 Working Party Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (“WP253”) (endorsed by the EDPB)[205].

183. Indeed, the consistency mechanism may also be used to promote a consistent application of administrative fines[206]: where a relevant and reasoned objection challenges the elements relied upon by the LSA to calculate the amount of the fine, the EDPB can instruct the LSA to engage in a new calculation of the proposed fine by eliminating the shortcomings in the establishment of causal links between the facts at issue and the way the proposed fine was calculated on the basis of the criteria in Article 83 GDPR and of the common standards established by the EDPB[207]. A fine should be effective, proportionate or dissuasive, as required by Article 83(1) GDPR, taking account of the facts of the case[208]. In addition, when deciding on the amount of the fine the LSA shall take into consideration the criteria listed in Article 83(2) GDPR.

184. As regards the nature, gravity and duration of the infringement found in Articles 33(1) and 33(5) GDPR, Article 83(2)(a) GDPR requires to take into consideration inter alia the nature, scope and purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.

185. The EDPB agrees with the IE SA that the infringement to consider is not the Breach as such but the compliance with Articles 33(1) and 33(5) GDPR to notify that breach to the competent SA and to document that breach.

186. The EDPB notes that the IE SA takes into account the nature of the processing as well as the number of data subjects affected. As regards the nature of the processing, the IE SA describes it as a “microblogging” and social media platform on which users have the opportunity to document their thoughts in “tweets”. The EDPB considers that when assessing the nature of the processing, one must also take into consideration the fact that the “processing concerned” involved communications by data subjects who deliberately chose to restrict the audience of those communications. The EDPB takes note that the IE SA Draft Decision considered that: “the impact on individual users, and the possibility of damage arising therefrom, will depend on the level of personal data made public and, also, the nature of that personal data. In this regard, I indicated in the Preliminary Draft that whilst TIC had not confirmed the precise nature of the data made public in the Breach, it was reasonable to deduce that, given the scale of the affected users and the nature of the service offered by TIC, some of the personal data released in relation to, at least, some of the users will have included sensitive categories of data and other particularly private material”[209]. However, the IE SA, based on TIC submissions, gave less weight to this factor than it did in the Preliminary Draft, as there was no direct evidence of damage[210]. The EDPB considers, however, that the IE SA should still have given significant weight to the fact that the “processing concerned” involves communications by data subjects who deliberately chose to restrict the audience of those communications, when evaluating the nature of the processing concerned. In particular, the IE SA should have given significant weight to this fact given that it was recalled by the IE SA in the Draft Decision, where the IE SA considered that "the large scale of the affected user segment gives rise to the possibility of a much broader spectrum of damage arising from the Breach, particularly given the nature of the service being offered by TIC" and "the likelihood that many users will have relied on the function of keeping “tweets” private to share information or views (in the comfort of what they believe to be a private and controlled environment) that they would not ordinarily release into the public domain"[211].

187. Moreover, when it comes to the scope of the processing concerned as such, the IE SA appears to substitute the scope of the processing with the number of the data subjects affected. The EDPB considers that the nature and the scope of the “processing” to take into consideration in the determination of the fine is not the processing operation consisting in the (accidental) disclosure (personal data breach), or the cause thereof, but rather the scope of the underlying processing carried out by TIC, as described in the previous paragraph.

188. According to the AT SA, the timing when the controller became aware of the breach impacts on the gravity of the infringement of Article 33(1) GDPR. The objection raised by the AT SA expressed a disagreement as to how the time at which the controller should be deemed to be aware of a data breach should be determined or assessed. More specifically, the AT SA argued in its objection that TIC should have made a data breach notification within 72 hours after the processor became aware of the bug. This contributes to the assessment of the infringement of Article 33(1) GDPR by the AT SA as “grave”.

189. In this respect, the EDPB recalls that the Guidelines on personal data breach notification under Regulation 2016/679 (“WP250”)[212], which were endorsed by the EDPB, state that the "focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data"[213].

190. According to the Guidelines on personal data breach notification, a controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised[214]. Since the controller uses the processor to achieve its purposes, in principle, the controller should be considered as “aware” once the processor has informed it of the breach[215]. However, the Guidelines state that "the GDPR puts an obligation on the controller to ensure that they will be “aware” of any breaches in a timely manner so that they can take appropriate action"[216] and explain that "the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as being “aware”"[217]. However, the Guidelines clarify that this initial investigation should begin as soon as possible and that a more detailed investigation can then follow[218].

191. The Guidelines thus make it clear that the controller, and by extension, the processor, are to act swiftly. "In most cases these preliminary actions should be completed soon after the initial alert (i.e. when the controller or processor suspects there has been a security incident which may involve personal data) – it should take longer than this only in exceptional cases"[219].

192. Having regard to the above, the EDPB agrees with the IE SA’s assessment according to which the controller cannot be expected to have become aware at the moment its processor has realised that a security incident has occurred. As provided in the WP29 Guidelines on data breach notifications, which were endorsed by the EDPB, there needs to be a degree of certainty that a personal data breach has occurred before awareness can be stipulated. It is not clear from the facts at issue as reflected in the Draft Decision that this was the case before 3 January 2019. In this case, the AT SA did not prove that TIC reached the necessary degree of certainty as to the fact that a data breach had occurred earlier than when the IE SA found TIC to be “aware” of the breach. As a consequence, the EDPB considers that the assessment of the gravity of the infringement does not need to be adjusted in light of a different determination of when the controller became aware of the data breach.

193. Moreover, as regards the gravity of the infringement, the EDPB agrees with the IE SA that compliance with Articles 33(1) and 33(5) GDPR is central to the overall functioning of the supervision and enforcement regime.

194. As regards the objection raised by the AT SA regarding the intentional nature of the infringement, the EDPB considers that the objection did not sufficiently demonstrate that from the moment the controller gained knowledge it intentionally disregarded its duty of care.

195. However, as regards the negligent nature of the infringement, the EDPB considers that a company for which the processing of personal data is at the core of its business activities should have in place sufficient procedures for the documentation of personal data breaches, including remedial actions, which will enable it to also comply with the duty of notification under Article 33(1) GDPR. This implies an additional element to take into consideration in the analysis of the gravity of the infringement.

196. The EDPB recalls that the CJEU has consistently held that a dissuasive penalty is one that has a genuine deterrent effect[220]. In that respect, a distinction can be made between general deterrence (discouraging others from committing the same infringement in the future) and specific deterrence (discouraging the addressee of the fine from committing the same infringement again)[221]. Moreover, the severity of penalties must be commensurate with the seriousness of the infringements for which they are imposed[222]. It follows that fines must not be disproportionate to the aims pursued, that is to say, to compliance with the data protection rules, and that the amount of the fine imposed on an undertaking must be proportionate to the infringement viewed as a whole, account being taken in particular of the gravity of the infringement[223].

197. While the LSA in its Draft Decision made reference to the requirement that the fine must be dissuasive and proportionate, the EDPB considers that the LSA did not sufficiently substantiate how the fine proposed addresses these requirements. In particular, the EDPB notes that the LSA moves from calculating the maximum amount of the fine (set at $60 million) to stating the proposed fining range (set between $150.000,- and $300.000,-), without further explanation as to which particular elements led the LSA to identify this specific range[224]. Beyond the general reference to the relevant factors of Article 83(2) GDPR, there is not a clear motivation for the choice of the proposed percentage (between 0.25% and 0.5%) of the maximum applicable fine under Article 83(4) GDPR.

198. In this regard, the EDPB has elaborated above the reasons why the LSA in its Draft Decision should have given greater weight to the elements relating to the nature, scope and negligent character of the infringement, and therefore considers that the proposed fine range should be adjusted accordingly.

8.4.3 Conclusion

199. Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and therefore does not fulfil its purpose as a corrective measure; in particular, it does not meet the requirements of Article 83(1) GDPR of being effective, dissuasive and proportionate.

200. Thus, the EDPB requests the IE SA to re-assess the elements it relies upon to calculate the amount of the fixed fine[225] to be imposed on TIC so as to ensure it is appropriate to the facts of the case.

201. The EDPB notes that the analysis of the objections is limited to the substance of the objections to be considered as relevant and reasoned. The scope of the EDPB’s analysis concerning the calculation of the fine is therefore limited to an analysis of the method of the calculation of the fines as such. It does not constitute an implicit or explicit validation by the EDPB of the analysis carried out by the LSA regarding the infringement of Article 33(1) or Article 33(5) GDPR or the legal qualification of Twitter Inc. and TIC respectively. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

9 BINDING DECISION

202. In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue binding decisions pursuant to Article 65 GDPR, the Board issues the following binding decision in accordance with Article 65(1)(a) GDPR:

[204] These objections are those of the AT SA, DE SA, and IT SA.
[205] Article 29 Working Party Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP253 adopted on 3 October 2017 (endorsed by the EDPB on 25 May 2020).
[206] GDPR, Recital 150.
[207] Guidelines on RRO, paragraph 34.
[208] EDPB Guidelines on administrative fines, p. 7.
[209] Draft Decision, paragraph 14.51.
[210] See paragraph 150 above.
[211] Draft Decision, paragraph 14.51.
[212] Article 29 Working Party Guidelines on personal data breach notification under Regulation 2016/679, WP250 rev.01, endorsed by the EDPB (hereinafter, “Guidelines on personal data breach notification”).
[213] Guidelines on personal data breach notification, p. 5.
[214] Guidelines on personal data breach notification, p. 10-11.
[215] Guidelines on personal data breach notification, p. 13.
[216] Guidelines on personal data breach notification, p. 11.
[217] Guidelines on personal data breach notification, p. 11 (emphasis added).
[218] Guidelines on personal data breach notification, p. 11.
[219] Guidelines on personal data breach notification, p. 12 (emphasis added).
[220] See Opinion of Advocate General Geelhoed of 29 April 2004 in Judgment of 12 July 2005, Commission / France, C-304/02, EU:C:2005:444, par. 39.
[221] See inter alia Judgment of 13 June 2013, Versalis Spa / Commission, C-511/11, ECLI:EU:C:2013:386, para. 94.
[222] CJEU Judgment of 25 April 2013, Asociaţia Accept, C-81/12.
[223] Marine - Harvest EU General Court T-704/14, 26 October 2017.
[224] Draft Decision 15.19 and 15.20.
[225] This should preferably already be provided in the Art 60 GDPR draft decision.
 
203. On the objections concerning the qualification of controller and processor and the competence of the LSA:

• The EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised, as they do not meet the requirements of Article 4(24) GDPR.

204. On the objections concerning the infringements of Article 33(1) and 33(5) GDPR found by the LSA:

• In relation to the objection of the FR SA on the absence of an infringement of Article 33(1) GDPR, the objection of the DE SA on the determination of the dies a quo for the infringement of Article 33(1) GDPR, and the objection of the IT SA relating to the infringement of Article 33(5) GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR.

205. On the objections relating to the possible further (or alternative) infringements of the GDPR identified by the CSAs:

• In relation to the objection of the DE SA on the possible infringements of Article 5(1)(f), Article 24, and Article 32 GDPR, and to the objection of the IT SA on the possible infringement of Article 5(2) GDPR, the EDPB decides that, while they meet the requirements of Article 4(24) GDPR, the IE SA is not required to amend its Draft Decision because the available factual elements included in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of infringements of Articles 5(1)(f), Article 5(2), Article 24, and Article 32 GDPR.

• In relation to the objection of the DE SA relating to the possible infringement of Article 33(3) GDPR, the objection of the FR SA relating to the possible infringement of Article 28 and Article 32 GDPR, the objection of the HU SA relating to the possible infringement of Article 5(1)(f), Article 32, and Article 34 GDPR, and the objection of the IT SA relating to the possible infringement of Article 28 GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR.

206. On the objection concerning the decision of the LSA to not issue a reprimand:

• In relation to the objection of the DE SA concerning the decision of the IE SA not to issue a reprimand, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR.

207. On the objection concerning the calculation of the fine suggested by the LSA:

• In relation to the objection of the HU SA on the insufficiently dissuasive nature of the fine, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR.

• In relation to the objection of the AT SA, the objection of the DE SA, and the objection of the IT SA on the insufficiently dissuasive nature of the fine, the EDPB decides that they meet the requirements of Article 4(24) GDPR and that the IE SA is required to re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on TIC, and to amend its Draft Decision by increasing the level of the fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality established by Article 83(1) GDPR and taking into account the criteria of Article 83(2) GDPR.

10 FINAL REMARKS

208. This binding decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on the basis of this binding decision pursuant to Article 65(6) GDPR.

209. Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

210. According to Article 65(6) GDPR, the IE SA shall communicate its final decision to the Chair within one month after receiving the binding decision.

211. Once such communication is done by the IE SA, the binding decision will be made public pursuant to Article 65(5) GDPR.

212. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be included in the register of decisions which have been subject to the consistency mechanism.

For the European Data Protection Board

The Chair

(Andrea Jelinek)

Revision as of 16:30, 5 May 2021

- 1/2021
Authority: EDPB
Jurisdiction: European Union
Relevant Law: Article 4(24) GDPR
Article 5(1)(f) GDPR
Article 28 GDPR
Article 33(1) GDPR
Article 33(5) GDPR
Article 60(4) GDPR
Article 65(1)(a) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 09.11.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 1/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: EDPB website (in EN)
Initial Contributor: n/a

English Summary

Facts

After a data breach that occurred with Twitter, the IE SA (DPC) issued a draft decision to the other SAs. They sustained their relevant and reasoned objections under Article 60 GDPR (FR, DE, DK, IT, NL, ES, HU).

Therefore, the EDPB issued its first decision under Article 65(1)(a) GDPR and answers to all the objections of the SAs.

Dispute

  • Are Twitter Inc and TIC (Twitter Ireland) controller, processor, or joint controllers?
  • Where is the main establishment of Twitter, and therefore does the DPC have jurisdiction?
  • When is a relevant and reasoned objection admissible under Article 4(24) GDPR?
  • Can we hold violations of the GDPR other than Article 33(1) and (5)?


Holding

1. On the admissibility of an objection, the jurisdiction of the DPC, the controller-processor relationship

In essence, the objections raised addressed the fact that the Draft Decision does not contain enough evidence to legally and factually establish the roles of the entities concerned.

The EDPB considers that an objection concerning the role, or designation, of the parties can fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR, as this can affect the determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation.

However, the EDPB considers that an objection on the competence of the supervisory authority acting as LSA should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR.

Moreover, the EDPB considers that the aforementioned objections do not meet the requirements set out in Article 4(24) GDPR.

2. On the violation of Article 33(1) obligation to notify in due time

According to the Draft Decision, therefore, TIC became actually aware of the Breach on 7 January 2019 but should have been aware of the Breach at the latest by 3 January 2019, since on that date Twitter, Inc. as processor first assessed the incident as being a potential data breach and the Twitter, Inc. legal team instructed that the incident be opened. The Draft Decision stated that where the processor does not follow the procedure or the procedure fails otherwise the controller cannot excuse its own delayed notification on the basis of the processor’s fault, as the performance by a controller of its obligation to notify cannot be contingent upon the compliance by its processor with its obligations under Article 33(2) GDPR. This led to the infringement of Article 33(1) GDPR even if less than 72 hours elapsed between the moment at which TIC became actually aware of the Breach (7 January 2019) and the notification (8 January 2019).

The FR SA raised an objection stating that the findings do not correspond to an infringement of Article 33(1) GDPR, but rather of Article 28 or Article 32 GDPR, which set out the obligations of the controller when it decides to have recourse to a processor.

The DE SA argued in its objection that the issue of the allocation of roles affects the determination of the moment of awareness of the Breach, as the knowledge of a breach must be equally attributed to both joint controllers.

The IE SA considers that it requests consideration of alternative provisions of the GDPR and that the request by CSAs to consider alternate provisions of the GDPR, would essentially seek to re-scope the Inquiry conducted: the IE SA concluded that such an objection does not fall within the definition of “relevant and reasoned objection” for the purposes of Article 4(24) GDPR.

Again, the EDPB considered that the objections raised do not clearly demonstrate the significance of the risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects.

3. On the violation of Article 33(5) GDPR

The Draft Decision of the DPC found that TIC did not comply with its obligation under Article 33(5) GDPR to document the Breach, since the documentation furnished by TIC in the course of the inquiry was not considered to contain sufficient information, nor to contain a record or document of, specifically, a “personal data breach”, as it amounted to “documentation of a more generalised nature”.

According to the IT SA, the finding in the Draft Decision that TIC provided full cooperation during the investigative phase should be reviewed as such full cooperation can only be considered to exist if adequate, exhaustive documentation is made available by the controller in a straightforward manner.

The EDPB does not take a position on the merits of the substantive issues raised by this objection “because it fails to clearly demonstrate the significance of the risks posed by the Draft Decision as it does not show the implications the alleged mistake in the Draft Decision would have for the protected values”.

4. On potential alternative or further violations of the GDPR identified by the CSAs (concerned supervisory authorities)

In order to determine whether TIC complied with its obligations under Article 33(1) GDPR, the IE SA considered them in the context of a controller’s broader obligations, including those of accountability (Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR). However, the DPC did not consider whether or not TIC complied with any of these obligations other than for the purpose of assessing TIC’s compliance with its obligations under Article 33(1) and Article 33(5) GDPR.

The DE, FR, HU, and IT SAs raised objections that TIC infringed other provisions of the GDPR in addition to, or instead of, Article 33(1) and Article 33(5) GDPR.

The LSA (DPC) recalls that it informed TIC at the beginning of the inquiry that its purpose was to verify TIC’s compliance with Article 33(1) and Article 33(5) GDPR in respect of its notification of the Breach to the LSA on 8 January 2019. Therefore, the LSA maintains that if it were to follow the CSAs’ objections and include other infringements in its final decision “on the basis of only the material contained in the Draft Decision”, this would result in jeopardising “the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness”.

The other provisions addressed by the SAs’ objections are the following:

  • Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality
    • The EDPB considers the objection raised by the DE SA in relation to the potential additional infringement of Article 5(1)(f) GDPR to be relevant and reasoned for the purposes of Article 4(24) GDPR, but considers that the HU SA’s objection on the same topic does not meet the requirements of Article 4(24) GDPR.
  • Infringement of Article 5(2) GDPR on the principle of accountability
    • The EDPB considered that the IT SA’s objection on Article 5(2) GDPR meets the requirements set out in Article 4(24) GDPR. The EDPB therefore analyses the merits of the substantive issues raised by this objection.
  • Infringement of Article 24 GDPR on the responsibility of the controller
    • The EDPB accepts that an objection may challenge the conclusion of the LSA by arguing that the LSA’s findings actually lead to the conclusion that another provision of the GDPR has been infringed in addition to or instead of the provision identified by the LSA. The EDPB considers that this is precisely the essence of the DE SA’s objection, which therefore does not prevent it from being relevant and reasoned. The EDPB accordingly assesses the merits of the substantive issues raised by this objection.
  • Infringement of Article 28 GDPR on the relationship with processors
    • According to the EDPB, the objections of the FR and IT SAs do not clearly demonstrate the significance of the risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects with specific regard to the failure to find an infringement of this provision.
  • Infringement of Article 32 GDPR on the security of processing
    • According to the EDPB, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the confidentiality of personal data and that a large number of persons were affected for a substantial period of time. However, the objections of the FR and HU SAs do not meet the requirements of Article 4(24) GDPR.
  • Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach
    • According to the EDPB, the DE SA does not clearly demonstrate the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. As a consequence, the DE SA’s objection on Article 33(3) GDPR fails to meet the requirements set out in Article 4(24) GDPR.
  • Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject
    • The HU SA considers that, if amended, the Draft Decision would lead to the conclusion that additional infringements of the GDPR occurred. However, the EDPB concludes that the HU SA does not clearly demonstrate the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects.

The Board analyses the objections found to be relevant and reasoned - in particular the DE SA’s objections on Articles 5(1)(f), 24 and 32 GDPR, as well as the IT SA’s objection on Article 5(2) GDPR - together with the LSA’s response to those objections and the TIC submissions. The Board considers that the factual elements available in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of further (or alternative) infringements of Articles 5(1)(f), 5(2), 24 and 32 GDPR. Even in the case of an own-volition inquiry, the Guidelines on relevant and reasoned objections state that the LSA “should seek consensus regarding the scope of the procedure (i.e. the aspects of data processing under scrutiny) prior to initiating the procedure formally”, including in the context of a possible new proceeding. The EDPB also recalls the full range of cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR), bearing in mind the goal of reaching consensus within the cooperation mechanism and the need to exchange all relevant information, with a view to ensuring protection of the fundamental rights and freedoms of data subjects. The EDPB considers that, although the scope of an inquiry can be limited, an LSA should frame it in such a way that it permits the CSAs to effectively fulfil their role, alongside the LSA, when determining whether there has been an infringement of the GDPR.

5. On the lack of reprimand in the draft decision

Whereas the corrective measures originally proposed were both a reprimand, pursuant to Article 58(2)(b) GDPR, and an administrative fine, pursuant to Article 58(2)(i) GDPR, the final Draft Decision imposes only an administrative fine on TIC as the controller.

The LSA decided, having regard to the scope of the inquiry, which focused on the controller’s obligations in relation to the Breach notification, that its inquiry “did not involve a finding that the underlying ‘processing operations’ relating to the Breach infringed [...] the GDPR”. Therefore, the LSA considered that there was no reason to review its decision not to issue a reprimand in light of the DE SA’s objection.

The EDPB nonetheless considered that the DE SA’s objection did not meet the requirements of Article 4(24) GDPR, since it does not explain how the failure to impose a reprimand in this specific case - where a fine is also imposed - may trigger risks for data subjects’ fundamental rights and freedoms.

6. On the calculation of the fine

Considering all the factors of Article 83(2) GDPR, the IE SA proposed to impose an administrative fine within the range of USD 150,000-300,000, i.e. between 0.005% and 0.01% of the undertaking’s annual turnover, or between 0.25% and 0.5% of the maximum fine that may be applied in respect of these infringements. This equates to a fine of between EUR 135,000 and EUR 275,000.

  • The AT SA considers the range of fine proposed by the IE SA neither effective, nor dissuasive, nor proportionate.
  • The DE SA raised an objection arguing that the fine proposed by the LSA is “too low” and “does not comply with the provisions of Article 83(1) GDPR”. As Twitter’s business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would have to be so high that it would render the illegal data processing unprofitable. On the basis of the fine concept applicable to the DE SAs, the fine for the infringement described in the Draft Decision would range from approximately EUR 7,348,035.00 to EUR 22,044,105.00.
  • The HU SA argued that, although “fines are justified for the committed infringements”, “the fine set out in the draft is unreasonably low, disproportionate and thus not dissuasive in view of the gravity of the committed infringement and the Controller’s worldwide market power”.
  • The IT SA asked the LSA to “review the draft decision as also related to quantification of the administrative fine, taking also account of specific aggravating elements of the case with regard to the nature of the data controller and the severity and duration of the data breach”.

The EDPB’s decision on the above:

- The EDPB agrees with the IE SA’s assessment according to which the controller cannot be expected to have become aware of a breach at the moment its processor realised that a security incident had occurred.

- The EDPB considers that a company for which the processing of personal data is at the core of its business activities should have in place sufficient procedures for documenting personal data breaches, including remedial actions, which will also enable it to comply with the duty of notification under Article 33(1) GDPR. This constitutes an additional element to take into consideration in the analysis of the gravity of the infringement.

- While the LSA in its Draft Decision referred to the requirement that the fine must be dissuasive and proportionate, the EDPB considers that the LSA did not sufficiently substantiate how the proposed fine meets these requirements. In particular, the EDPB notes that the LSA moves from calculating the maximum amount of the fine (set at $60 million) to stating the proposed fining range (set between $150,000 and $300,000) without further explanation as to which particular elements led the LSA to identify this specific range. Beyond the general reference to the relevant factors of Article 83(2) GDPR, there is no clear motivation for the choice of the proposed percentage (between 0.25% and 0.5%) of the maximum applicable fine under Article 83(4) GDPR.

- In this regard, the EDPB has set out above the reasons why the LSA in its Draft Decision should have given greater weight to the nature, scope and negligent character of the infringement, and therefore considers that the proposed fine range should be adjusted accordingly.

- The EDPB considers that the fine proposed in the Draft Decision is too low and therefore does not fulfil its purpose as a corrective measure; in particular, it does not meet the requirements of Article 83(1) GDPR of being effective, dissuasive and proportionate.

- The EDPB requests the IE SA to re-assess the elements it relies upon to calculate the amount of the fine to be imposed on TIC, so as to ensure it is appropriate to the facts of the case.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.


      

  
    