With many technology firms choosing Dublin as their European base, the Irish Data Protection Commission (the “DPC”) acts as one of the leading data regulators of big tech in Europe. In its first major decision concerning Twitter International Company (“Twitter Ireland”) (an Irish incorporated subsidiary of Twitter Inc., incorporated in the United States), the DPC fined Twitter Ireland $500,000.00 for failing to notify the DPC in a timely manner of a breach concerning users’ personal data and failing to keep appropriate records of the breach. Whilst the fine falls well short of the maximum fine permitted under the European General Data Protection Regulation (“GDPR”) (which provides for fines of up to 4% of annual worldwide revenue), the DPC has clarified important points of principle under GDPR. In particular, the decision provides guidance on the nature of the controller-processor relationship, clarifying that a controller cannot hide behind its processor’s late notification of a breach if the controller should have known of the breach earlier had the protocols and processes that ought to be in place in the context of a controller-processor relationship been properly followed. The DPC also made clear that the time period by which the relevant supervisory authorities must be informed of a personal data breach will be strictly enforced, as will the requirements that the controller is under to keep appropriate records of the breach.