Administrative fine in the amount of EUR 450,000 applied by Data Protection Commission to Twitter International Company for the infringement of Article 33(1) and 33(5) of GDPR

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of EUR 450,000 applied by Data Protection Commission to Twitter International Company for the infringement of Article 33(1) and 33(5) of GDPR.

The Data Protection Commission (DPC) investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure.

The draft decision in this inquiry, having been submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR in May of this year, was the first one to go through the Article 65 (“dispute resolution”) process since the introduction of the GDPR and was the first Draft Decision in a “big tech” case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.