Mark Young, Shona O’Donovan and Paul Maynard of Covington & Burling writes about the recent news-making fine the DPC issued to Twitter. They write, in part:
Process aside, the DPC’s decision contains some interesting points on when a controller is deemed to be “aware” of a personal data breach for the purpose of notifying a breach to a supervisory authority. This may be particularly relevant for companies based in Europe that rely on parent companies in the US and elsewhere to process data on their behalf. The decision also underlines the importance of documenting breaches and what details organizations should include in these internal reports.
Read more on InsidePrivacy.