Irish Data Protection Commission Fines Twitter for Failures in Notifying Data Breach: DPC Finds Twitter’s Irish Subsidiary Had Constructive Knowledge of a Personal Data Breach Through its Processor, and Thus Failed to Notify in a Timely Manner and to Adequately Document the Breach.

Sullivan & Cromwell LLP - December 21, 2020

The Irish Data Protection Commission (“DPC”) has fined Twitter’s Irish subsidiary for failing to notify a data breach in a timely manner and failing to adequately document the breach. The DPC’s decision demonstrates the vital importance of ensuring that both the necessary processes are in place between controllers and processers to ensure swift notification by the processor to a controller on its becoming aware of a breach, and that those processes are implemented in practice. The DPC’s decision also highlights the strict manner in which the steps that a controller must take to notify breaches of personal data under GDPR will be applied.

Subscribe to our Memos