Decision concerning Twitter International Company - April 2022

Date of Decision: 27 April 2022

A complaint was lodged directly with the DPC on 02 July 2019 against Twitter International Company (“Twitter”), and accordingly was handled by the DPC in its role as lead supervisory authority.

The complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply with an erasure request they had submitted to it within the statutory timeframe. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.

While the complaint was lodged directly with the DPC by an individual who resides in the UK, the DPC considered that the nature of the data processing operations complained of were such that they substantially affect, or are likely to substantially affect, not only the specific data subject based in the UK who made the complaint but more generally data subjects across the EU in circumstances where such data subjects may be subject to a suspension of their account and wish to make an erasure request. Therefore, the DPC concluded that the type of processing complained of is processing which meets the definition of cross border processing under Article 4(23)(b) of the GDPR.

Following intervention by the DPC, Twitter complied with the complainant’s erasure request without the need to provide a copy of their ID. However, the DPC notes that Twitter failed to comply with the erasure request submitted by the complainant within the statutory timeframe.

The decision-making followed the procedure set out in Article 60 of the GDPR for cross border processing. The procedure included an examination of the complaint by the DPC, including an attempt to amicably resolve the complaint; a Draft Decision circulated amongst the Concerned Supervisory Authorities; the DPC’s careful consideration of each relevant and reasoned objection received, which in this case the DPC followed certain of the relevant and reasoned objections received; a Revised Draft Decision circulated amongst the Concerned Supervisory Authorities; the adoption of the Final Decision; and finally informing the complainant of the decision.

In its decision the Data Protection Commission found that Twitter infringed the General Data Protection Regulation as follows:

• Article 5(1)(c) of the GDPR as the DPC found that Twitter’s requirement that the complainant verify his identity by way of submission of a copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR.
• Article 6(1) of the GDPR as the DPC found that Twitter had not identified a valid lawful basis under Article 6(1) of the GDPR for seeking a copy of the complainant’s photographic ID in order to process his erasure request.
• Article 17(1) of the GDPR as the DPC found that Twitter infringed Article 17(1) of the GDPR, as there was an undue delay in handling the complainant’s request for erasure.
• Article 12(3) of the GDPR as the DPC found that Twitter infringed Article 12(3) of the GDPR by failing to inform the data subject within one month of the action taken on his erasure request pursuant to Article 17 of the GDPR.

In light of the extent of the infringements, the DPC issued a reprimand to Twitter, pursuant to Article 58(2)(b) of the GDPR. Further the DPC ordered Twitter, pursuant to Article 58(2)(d), to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so.

For more information, you can download a copy of the full decision at this link: Twitter International Company April 2022 (PDF, 9.0 MB).