Twilio's Binding Corporate Rules: Processor Policy

This Binding Corporate Rules: Processor Policy (“Processor Policy”) establishes Twilio’s approach to compliance with applicable data protection laws (and, in particular, European laws) when processing personal data on behalf of a third party controller

Members of our group of companies that are bound by this Policy are listed in Appendix 1 ("Group Members").

The standards described in the Processor Policy are worldwide standards that apply to all Group Members when processing any personal data as a processor under this Policy. Accordingly, this Processor Policy applies regardless of the origin of the personal data that we process, the country in which we process personal data, or the country in which a Group Member is established.

This Processor Policy applies in particular when we process personal data as a processor on behalf of a third party controller located in Europe, including when the personal data is transferred to a Group Member for processing outside of Europe. This Processor Policy applies regardless of whether our Group Members process personal data by manual or automated means.

For an explanation of some of the terms used in this Processor Policy, like "controller", "process", and "personal data", please see the section headed "Important terms used in this Processor Policy" below.

This Processor Policy applies to all personal data that we process as a processor on behalf of a third party controller (referred to as the “Customer” in this Processor Policy), including personal data processed in the course of providing services to a customer or another Group Member – such as the content of voice, video, SMS and other communications that Twilio's Customers or their end-users send and receive via Twilio's API. When a Customer transfers personal data to us for processing in accordance with this Processor Policy, a copy of this Processor Policy shall be incorporated into the contract with that Customer.

There may be certain Twilio products or services where Twilio processes personal data as a processor but which fall outside of the scope of this Policy ("Excluded Products"). The current list of Excluded Products is at Appendix 10. The Processor Policy will not be incorporated into the contracts that we have with Customers of Excluded Products. We will nonetheless ensure that our processing of any personal data within the Excluded Products is in compliance with applicable data protection laws and when transferring any such personal data for processing outside of Europe that appropriate safeguards, such as the Data Privacy Framework or the European Commission's standard contractual clauses, are put in place in accordance with the General Data Protection Regulation.

All Group Members and their staff must comply with this Processor Policy when processing personal data as a processor on behalf of a Customer, irrespective of the country in which they or the Customer are located.

In particular, all Group Members who process personal data as a processor under this Policy must comply with:

  • the rules set out in Part II of this Processor Policy;
  • the practical commitments set out in Part III of this Processor Policy;
  • the third party beneficiary rights set out in Part IV; and
  • the related policies and procedures appended in Part V of this Processor Policy.

As a data processor, Twilio will have a number of direct legal obligations under applicable data protection laws. In addition, however, the Customer will also pass certain data protection obligations on to Twilio in its contract appointing Twilio as its processor. If Twilio fails to comply with the terms of its processor appointment, this may put the Customer in breach of its applicable data protection laws and Customer may initiate proceedings against Twilio for breach of contract, resulting in the payment of compensation or other judicial remedies.

A Customer may enforce this Processor Policy against any Group Member that is in breach of it. Where a non-European Group Member (or a non-European third party processor appointed by a Group Member) processes personal data for which the Customer is a controller in breach of this Processor Policy, that Customer may enforce the Processor Policy against Twilio Ireland Limited. In such event, Twilio Ireland Limited will be responsible for demonstrating that such Group Member (or third party processor) is not responsible for the breach, or that no such breach took place.

When a Customer transfers personal data to a Group Member for processing in accordance with this Processor Policy, a copy of this Processor Policy shall be incorporated into the contract with that Customer. If a Customer chooses not to rely upon this Processor Policy when transferring personal data to a Group Member outside Europe, that Customer is responsible for implementing other appropriate safeguards in accordance with applicable data protection laws.
 

Management commitment and consequences of non-compliance

Twilio's management is fully committed to ensuring that all Group Members and their staff comply with this Processor Policy at all times. This Processor Policy ensures that our Customers can trust that Twilio will process their personal data appropriately, fairly and lawfully, no matter where that data may be processed within the Twilio organization.

Further, non-compliance with this Processor Policy may cause Twilio to be subject to sanctions imposed by competent supervisory authorities and courts, and may cause harm or distress to individuals whose personal data has not been protected in accordance with the standards described in this Processor Policy.

In recognition of the importance of trust to Twilio’s business and the gravity of the risks associated with violating that trust, staff members who do not comply with this Processor Policy will be subject to disciplinary action, up to and including dismissal.

This Processor Policy applies only to personal data that Twilio processes as a processor in order to provide a service to a Customer.

Twilio has a separate Binding Corporate Rules: Controller Policy that applies when it processes personal data as a controller (i.e. for its own purposes). When a Twilio Group Member processes personal data as a controller, it must comply with the Controller Policy.

In some situations, Group Members may act as both a controller and a processor. Where this is the case, they must comply both with this Controller Policy and also the Processor Policy as appropriate. If in any doubt which policy applies to you, please speak with the Privacy Team whose contact details are provided below.

This Processor Policy is accessible on Twilio's website at www.twilio.com/legal/bcr/processor.

For the purposes of this Processor Policy:

  • the term "applicable data protection laws" means the data protection laws in force in the territory in which the controller of the personal data is located. Where a Group Member processes personal data on behalf of a European controller under this Processor Policy, the term applicable data protection laws shall include the European data protection laws applicable to that controller (including the GDPR, when applicable);
  • the term "competent supervisory authority" means the supervisory data protection authority that is competent for the exporter of personal data;
  • the term "controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, Twilio is a controller of its HR records and CRM records;
  • the term “criminal convictions and offences data” refers to information relating to criminal convictions and offences or related security measures;
  • the term "Controller Policy" refers to Twilio’s Binding Corporate Rules: Controller Policy, which is available at www.twilio.com/bcr/controller. The Controller Policy applies where Twilio processes personal data as a controller (i.e. for its own purposes);
  • the term "Customer" refers to the third party controller on whose behalf Twilio processes personal data. It includes Twilio's third party customers, as well as Twilio Group Members, when we process personal data on their behalf in the course of providing data processing services to them.

 

  • the term “Data Disclosure Request” means a request received from a public authority (e.g. law enforcement or state security body) (together the "Requesting Authority") from an importing country to disclose personal data processed by Twilio;
  • the term "Europe" as used in this Policy refers to the Member States of the European Economic Area – that is, the Member States of the European Union plus Norway, Liechtenstein and Iceland;
  • the term "Group Member" means the members of Twilio's group of companies listed in Appendix 1;
  • the term "GDPR" means the EU General Data Protection Regulation 2016/679;
  • the term "Lead Supervisory Authority" means the Irish Data Protection Commissiion or another supervisory authority appointed as the lead supervisory authority in the future;
  • the term "personal data" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • the term "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • the term "processor" means a natural or legal person which processes personal data on behalf of a controller. For example, Twilio is a processor of personal data contained in communications content data it processes on behalf of its Customers;
  • the term "Processor Policy" refers to this Binding Corporate Rules: Processor Policy. The Processor Policy applies where Twilio processes personal data as a processor on behalf of a third party;
  • the term "special categories" of data means information that relates to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, as well as any other information deemed sensitive under applicable data protection laws; 
  • the term "staff" refers to all employees, new hires, individual contractors and consultants, and temporary staff engaged by any Twilio Group Member. All staff must comply with this Processor Policy.
  • the term "third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; and
  • "Twilio" (or "we") means the Twilio group of companies.

If you have any questions regarding this Processor Policy, your rights under this Processor Policy or applicable data protection laws, or any other data protection issues, you can contact Twilio's Privacy Team using the details below. Twilio's Privacy Team will either deal with the matter directly or forward it to the appropriate person or department within Twilio to respond.


Attention:

Privacy Team

Email:

privacy@twilio.com

Address:

101 Spear St, Ste 500
San Francisco, CA 94105

Twilio's Privacy Team is responsible for ensuring that changes to this Policy are notified to the Group Members and to Customers whose personal data is processed by Twilio in accordance with Appendix 9.

If you want to exercise any of your data protection rights, please see the data protection rights procedure set out in Appendix 2. Alternatively, if you are unhappy about the way in which Twilio has used your personal data, you can raise a complaint in accordance with our complaint handling procedure set out in Appendix 6.

 

This Processor Policy applies where a Group Member processes personal data as a processor anywhere in the world. All staff and Group Members must comply with the following obligations:


Rule 1 – Lawfulness:

We must ensure that processing is at all times compliant with applicable law and this Processor Policy..


We must at all times comply with any applicable data protection laws, as well as the standards set out in this Processor Policy, when processing personal data. 

Accordingly:

  • where applicable data protection laws exceed the standards set out in this Processor Policy, we must comply with those laws; but
  • where there are no applicable data protection laws, or where applicable data protection laws do not meet the standards set out in this Processor Policy, we must process personal data in accordance with the standards set out in this Processor Policy.

Rule 2 – Cooperation with Customers:

We must cooperate with and assist the Customer to comply with its obligations under applicable data protection laws in a reasonable time and to the extent reasonably possible.


We must cooperate with and assist our Customers to comply with their obligations under applicable data protection laws. We must provide this assistance within a reasonable time and as required under the terms of our contract with the Customer. Assistance may include, for example, helping our Customer to keep the personal data we process on its behalf accurate and up to date, or helping it to provide individuals with access to their personal data, or helping it to conduct data protection impact assessments in accordance with applicable data protection laws.


Rule 3 – Fairness and transparency:

We must, to the extent reasonably possible, assist a Customer to comply with the requirement to explain to individuals how their personal data will be processed.


Our Customer has a duty to explain to the individuals whose data it processes (or instructs us to process), how and why that data will be used. This information must be given in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

This is usually done by means of an easily accessible fair processing statement. We will provide assistance and information to the Customer in accordance with the terms of our contract with the Customer as required to assist them in complying with this requirement.

For example, the terms of our contract with a Customer may require us to provide information about any sub-processors we appoint to process personal data on our Customer’s behalf.


Rule 4 – Purpose limitation:

Where we are acting as a processor, we will only process personal data on behalf of, and in accordance with the instructions of, the Customer.


Where we process personal data as a processor, we must only process that personal data on behalf of the Customer and in accordance with its documented instructions (for example, as set out in the terms of our contract with the Customer), including with regard to any international transfers of personal data.

If we are unable to comply with our Customer’s instructions (or any of our obligations under this Processor Policy), we will inform the Customer promptly. The Customer may then suspend its transfer of personal data to us and/or terminate its contract with us (in accordance with the terms of the contract).

In such circumstances, we will return, destroy or store the personal data, including any copies of the personal data, in a secure manner or as otherwise required, in accordance with the terms of our contract with the Customer and, if requested, certify to the Customer that this has been done.

If legislation prevents us from returning the personal data to our Customer, or from destroying it, we must inform the Customer. In such event, we must continue to maintain the confidentiality of the personal data and not actively process the personal data further other than in accordance with the terms of our contract with the Customer.


Rule 5 – Data accuracy and minimisation:

We will assist our Customer to keep the personal data accurate and up to date.


We must assist our Customer to comply with its obligation to keep personal data accurate and up to date. In particular, where a Customer informs us that personal data is inaccurate, we must assist our Customer to update, correct or erase that data without undue delay.

We must also take measures to inform Group Members or third party processors to whom the personal data has been disclosed of the need to update, correct or erase that personal data.


Rule 6 – Storage limitation: We will assist our Customers to store personal data only for as long as is necessary for the purpose for which the information was initially collected.


Where a Customer instructs us that personal data we process on its behalf is no longer needed for the purposes for which it was collected, we will assist our Customer to erase, restrict or anonymise that personal data without undue delay and in accordance with the terms of our contract with the Customer. We must also take measures to inform Group Members or third party processors to whom the personal data has been disclosed of the need to erase, restrict or anonymise that personal data.


Rule 7 – Security, integrity and confidentiality:

We must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the personal data we process on behalf of a Customer.


Where we provide a service to a Customer which involves the processing of personal data, the contract between us and that Customer will set out the technical and organisational security measures we must implement to safeguard that data consistent with applicable data protection laws.

We must ensure that any staff member who has access to personal data processed on behalf of a Customer does so only for purposes that are consistent with the Customer’s instructions and is subject to a duty of confidence.


Rule 8 – Security incident reporting:

We must notify a Customer of any security incident that we experience if it presents a risk to the personal data we process on the Customer’s behalf.


When we become aware of a data security incident that presents a risk to the personal data that we process on behalf of a Customer, we must immediately inform the Privacy Team and follow our data security incident management policies.

The Privacy Team, in coordination with other relevant functions, will review the nature and seriousness of the data security incident and determine whether it is necessary to notify a Customer. The Privacy Team shall be responsible for ensuring that any such notifications, where necessary, are made without undue delay and in accordance with applicable law.


Rule 9 – Engaging sub-processors:

We may only appoint, add or replace sub-processors with authorisation from the Customer and in accordance with its requirements.


We must obtain a Customer’s authorisation before appointing, adding or replacing a sub-processor to process personal data on its behalf. Authorisation must be obtained in accordance with the terms of our contract with the Customer.

We must make available to our Customer up-to-date information about the sub-processors we intend to appoint in order to obtain its authorisation. If, on reviewing this information, a Customer objects to the appointment of a sub-processor, that Customer may take such steps as are consistent with the terms of its contract with us and as referred to in Rule 4 of this Processor Policy regarding the return or destruction of the personal data.


Rule 10 – Sub-processor contracts:

We must only appoint sub-processors who protect personal data to a standard that is consistent with this Processor Policy and our contractual terms with Customers.


We must only appoint external sub-processors who provide sufficient guarantees in respect of the commitments made by us in this Processor Policy. In particular, external sub-processors must implement appropriate technical and organisational security measures to protect the personal data they process, and such measures must be consistent with our commitments to our Customer under our contractual terms with the Customer.

Where we intend to appoint an external sub-processor to process personal data, we must undertake due diligence to ensure it has in place appropriate technical and organisational security measures to protect the personal data. We must impose strict contractual obligations in writing on the sub-processor that require it:

  • to protect the personal data to a standard that is consistent with our commitments to our Customer under the terms of our contract with the Customer;
  • to maintain the security of the personal data, consistent with standards contained in this Processor Policy (and in particular Rules 7, 8 and above);
  • to process personal data only on our instructions (which instructions will be consistent with the instructions of the Customer) or on the Customer’s instructions; and
  • to fulfil such additional obligations as may be necessary to ensure that the commitments made by the sub-processor reflect those made by us in this Processor Policy, and which, in particular, provide for adequate safeguards with respect to the privacy and fundamental rights and freedoms of individuals in respect of any international transfers of personal data.

Rule 11 – Respect for individuals’ data protection rights:

We will assist a Customer to respond to queries or requests made by individuals in connection with their personal data.


We must assist our Customer to comply with its duty to respect the data protection rights of individuals, in accordance with the instructions of our Customer and the terms of our contract with the Customer.

In particular, if any Group Member receives a request from any individual wishing to exercise his or her data protection rights in respect of personal data for which the Customer is the controller, the Group Member must transfer such request promptly to the relevant Customer and not respond to such a request unless authorised to do so or required by law (in accordance with the Data Protection Rights Procedure in Appendix 2).


Rule 12 - Ensuring adequate protection for international transfers:

We must not transfer personal data internationally without ensuring adequate protection for the personal data in accordance with applicable law.


A. Data transfer compliance

i. Various data protection laws around the world, including European laws, may prohibit international transfers of personal data to third countries unless appropriate safeguards are implemented to ensure the transferred data remains protected to the standard required in the country or region from which it is originally transferred.  This includes transfers of personal data to Group Members who are subject to this Processor Policy, and transfers (and onward transfers) from Group Members to third parties who are not subject to this Processor Policy.

ii. Where these requirements exist, we must comply with them.  In addition, as a processor, we must also comply with our Customers’ documented instructions in respect of any international transfers of personal data (as described in Rule 4).  Whenever transferring personal data internationally, or onward transferring personal data to third parties, the Privacy Team must be consulted so that they can ensure that where required in the absence of an adequacy decision, appropriate safeguards, such as standard contractual clauses (for transfers of personal data from Europe) have been implemented to protect the personal data being transferred and a Transfer Impact Assessment (as described below) has been conducted as necessary.

iii. No Group Member may transfer personal data internationally, or onward transfer personal data, unless and until such measures as are necessary to comply with our Customers’ documented instructions, and applicable law rules governing international transfers including onward transfers of personal data, have been satisfied in full.

iv. In the absence of an adequacy decision applicable to the recipient of personal data outside Europe, or in the absence of approprate safeguards in place between the parties, transfers (including onward transfer) may exceptionally take place on the grounds of a legal derogation in compliance with applicable law. 

B. Transfer Impact Assessments

Where GDPR applies to the personal data that will be transferred (or onward transferred), then before a transferring Group Member makes an international transfer (or onward transfer) of personal data to a recipient Group Member or third party data recipient (as applicable) (a “Data Recipient”), the transferring Group Member must undertake a transfer risk assessment (coordinating with the importer as required and with the Privacy Team) to assess whether the laws and practices in the country where the Data Recipient will process the personal data, including any requirements to disclose personal data or measures authorising access to personal data by public authorities, preventing the importer from fulfilling its obligations under this Processor Policy (a “Transfer Impact Assessment”).  The Privacy Team shall liaise with the transferring Group Member as necessary to conduct the Transfer Impact Assessment, and shall coordinate with Twilio Ireland Limited to keep it informed of the Transfer Impact Assessment and its findings. 

ii. No international transfer (or onward transfer) of personal data subject to GDPR may take place unless and until: (a) a Transfer Impact Assessment has been conducted; and (b) any additional safeguards that are identified as necessary pursuant to the Transfer Impact Assessment to protect the transfers of personal data to the Data Recipient have been implemented by the transferring Group Member and Data Recipient. 

iii. We will base the Transfer Impact Assessment on the understanding that the laws and practices of a third country shall respect the essence of the fundamental rights and freedoms, shall not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR (such as national security; defence; public security; the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; other important objectives of general public interest of the EU or of a Member State, in particular an important economic or financial interest of the EU or of a Member State, including monetary, budgetary and taxation matters, public health and social security; the protection of judicial independence and judicial proceedings; the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in certain cases referred to the GDPR; the protection of the data subject or the rights and freedoms of others; and the enforcement of civil law claims) and shall not contradict this Processor Policy.

iv. The Transfer Impact Assessment must take due account in particular of the following elements:

a) the specific circumstances of the transfers, and the envisaged onward transfers within the same third country or to another third country, including the Group Members and further recipients who are involved, the transmission channels used to transfer the data; the purposes of the transfer; the categories and format of the transferred personal data; and the economic sector in which the transfer occurs; the location of the processing;

b) the laws and practices of the third country of destination – including those requiring the disclosure of personal data to public authorities and those authorising access by such authorities to personal data in transit – relevant in light of the specific circumstances of the transfer;

c) any relevant contractual, technical or organisational safeguards tht may need to be put in place to supplement the safeguards under this Processor Policy, including measures applied during transmission and to the processing of the personal data in the country of destination.

v. Twilio Ireland Limited and the Privacy Team shall inform all other Group Members about the findings of the Transfer Impact Assessment, requiring that they apply any identified additional safeguards determined to be necessary in respect of the same type of transfers they make or; where the Transfer Impact Assessment concludes that it is not possible to implement additional safeguards to ensure the importer processing in the third country is compatible with the requirements of this Processor Policy, that the transfers at stake are suspended or ended.  

vi. The Data Recipient must use its best efforts to provide the Privacy Team and the transferring Group Member with relevant information and continue to cooperate with the Privacy Team and the transferring Group Member to ensure compliance with the requirements of this Processor Policy throughout the duration of the transfer and subsequent processing.  If the Data Recipient is not a Group Member (i.e. if it is a third party data recipient), the Privacy Team and the transferring Group Member must exercise appropriate diligence to ensure that the Data Recipient has used such best efforts and will continue to provide such cooperation, including where appropriate by seeking contractual assurances from the Data Recipient.

vii. Each Group Member will document their Transfer Impact Assessment appropriately (coordinating with the Privacy Team) including what supplementary measures are selected and implemented, and will make it available to the competent supervisory authority on request. Furthermore, the Privacy Team will post, maintain and keep up to date information regarding its TIAs available to customers.

*This assessment should confirm that, where the GDPR applies to the personal data that will be transferred, those laws and practices respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of the GDPR, and are not otherwise in contradiction with this Processor Policy.

** As regards the impact of such laws and practices on compliance with this Processor Policy, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the importer's processing will not be prevented from complying with the requirements of this Processor Policy, it needs to be supported by other relevant, objective elements, and it is for the Privacy Team, the exporter and importer to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support the conclusion. In particular, the Privacy Team, the exporter and importer have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

C. Transfer Impact Notifications

i. The importer must notify the Privacy Team and the exporter and Twilio Ireland Limited promptly if, at any time during which it receives or processes personal data from the exporter when using the Processor Policy as a tool for transfer, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements of this Processor Policy, including following a change in the laws of the third country where it receives or processes personal data or a specific measure (such as a disclosure request) that would prevent them from fulfilling their obligations under this Processor Policy (a “Transfer Impact Notification”).  If the importer is not a Group Member (i.e. if it is a third party data recipient), the Privacy Team and the exporter must exercise appropriate diligence to ensure that the importer will provide any such Transfer Impact Notification, including where appropriate by seeking contractual assurances from the importer.

ii. The Privacy Team shall further assess the laws and practices of any third country to which it transfers personal data on a regular basis to ensure that any such transfers do not become incompatible with the obligations under this Processor Policy.  The Privacy Team or the exporter must forward the notification to the Customer.

iii. Upon verification of a Transfer Impact Notification from the importer, the Privacy Team, the exporter and Twilio Ireland Limited shall promptly identify appropriate supplementary measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the exporter and/or importer and where appropriate, in consultation with the Customer, to enable them to fulfill their obligations under the Processor Policy. 

iv. Where the exporter, along with Twilio Ireland Limited and the Privacy Team, assesses that the Policies, even if accompanied by supplementary measures, cannot be complied with for a transfer or set of transfers, or if instructed by the competent supervisory authority, it commits to suspend the transfer or set of transfers at stake, as well as all transfers for which the same assessment and reasoning would lead to a similar result, until compliance is again ensured or the transfer is ended.

v. Following a suspension of a transfer in the circumstances set out in para (iii) the exporter shall be entitled to terminate its transfers of personal data to the importer, insofar as it concerns the processing of personal data under this Processor Policy if the Processor Policy cannot be compiled with and compliance is not restored within one month of suspension (in this event, the importer must be required to return or destroy the personal data it received, and any copies thereof, as instructed by the exporter). 


Rule 13 - Privacy by design and by default

We must provide our products and services in a way that assists our Customer to apply privacy by design and by default principles.


We must provide our products and services in a way that assists our Customer to implement privacy by design and privacy by default principles. This means that we must implement appropriate technical and organizational measures when providing our products and services that:  are designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards in order to protect the rights of individuals and meet the requirements of applicable data protection laws ("privacy by design"); and ensure that, by default, only personal data which are necessary for each specific processing purpose are collected, stored, processed and are accessible; in particular, that by default personal data is not made accessible to an indefinite number of people without the individual's intervention ("privacy by default"). These measures must be implemented in accordance with the terms of our agreement with our Customer.

 

PART III: DELIVERING COMPLIANCE IN PRACTICE

To ensure we follow the rules set out in our Processor Policy, in particular the obligations in Part II, Twilio and all of its Group Members must also comply with the following practical commitments:


1. Resourcing and compliance:

We must have appropriate staff and support to ensure and oversee privacy compliance throughout the business.


Twilio has appointed its Chief Privacy Officer supported by the Privacy Team to oversee and ensure compliance with this Processor Policy. The Privacy Team is responsible for overseeing and enabling compliance with this Processor Policy on a day-to-day basis.

A summary of the roles and responsibilities that make up Twilio's compliance structure is set out in Appendix 3.


2. Privacy training:

We must ensure staff are educated about the need to protect personal data in accordance with this Processor Policy.


Group Members must provide appropriate and up-to-date privacy training to staff members who:

  • have permanent or regular access to personal data; 
  • are involved in the processing of personal data or in the development of tools used to process personal data

We will provide such training in accordance with the Privacy Training Program (see Appendix 4).


3. Records of Data Processing We must maintain records of the data processing activities carried out on behalf of a Customer.


We must maintain a record of the processing activities that we conduct on behalf of a Customer in accordance with applicable data protection laws. These records should be kept in writing (including electronic form) and we must make these records available to competent supervisory authorities upon request. The Privacy Team is responsible for ensuring that such records are maintained.


4. Audit: 

We must have data protection audits on a regular basis to verify compliance with the Processor Policy.


We will have data protection audits on a regular basis, which may be conducted by either internal or external accredited auditors. In addition, we will conduct ad hoc data protection audits on specific request from the Chief Legal Officer and Chief Compliance Officer, the Privacy Team, the Audit Committee and/or the Board of Directors. Our audit program will cover all aspects of this Processor Policy and if there are indications of non-compliance, including methods and action plans ensuring that corrective actions have been implemented. 

We will conduct any such audits in accordance with the Audit Protocol (see Appendix 5). This includes communicating the results of the data protection audit to the Enterprise Risk ManagementCommittee, the Board of Twilio Ireland Limited, and where appropriate, also to the Board of Twilio. Inc. and to the competent supervisory authorities upon request. 


5. Complaint handling:

We must enable individuals to raise data protection complaints and concerns.


Group Members must enable individuals to raise data protection complaints and concerns (including complaints about processing under this Processor Policy) by complying with the Complaint Handling Procedure (see Appendix 6).


6. Cooperation with competent supervisory authorities:

We must always cooperate with competent supervisory authorities, accept to be audited and to be inspected (where necessary, on-site) and must take into account their advice and abide by a formal decision of any competent supervisory authority on any issues related to the Processor Policy. 


Group Members must cooperate with competent supervisory authorities by complying with the Cooperation Procedure (see Appendix 7).


7. Updates to this Processor Policy: We will keep this Processor Policy up-to-date and in compliance with applicable data protection laws and will update it in accordance with our Updating Procedure to reflect the current situation (for instance, to take into account modifications of the regulatory environment, the relevant guidance, or changes to the scope of the Policy. 


Whenever updating our Processor Policy, we must comply with the Updating Procedure (see Appendix 9).


8. Conflicts between this Processor Policy and national legislation:

We must take care where local laws conflict with this Processor Policy, and act responsibly to ensure a high standard of protection for the personal data in such circumstances.


If local laws  applicable to any Group Member prevents it from fulfilling its obligations under the Processor Policy or otherwise has a substantial effect on its ability to comply with the Processor Policy, or the instructions it has received from a Customer, the Group Member must promptly inform:

  • the Customer (consistent with the requirements of Rule 4);
  • the Privacy Team;
  • the appropriate data protection authority competent for the Customer; and
  • the appropriate data protection authority competent for the Group Member

unless otherwise prohibited by law.

When undertaking an international transfer of personal data, Group Members must comply with the requirements of Rule 12 of Part II of this Processor Policy, to minimise the likelihood and risk of any such conflict arising in the first place.


9. Government requests for disclosure of personal data:

We must comply with the Government Data Request Procedure in respect of a legally binding request for disclosure of personal data.


If a Group Member receives a legally binding request from a law enforcement authority or state security body for disclosure of personal data which is processed on behalf of an EEA Customer under this Processor Policy, it must:

  • notify the EEA Customer promptly unless prohibited from doing so by a law enforcement authority or applicable law; and
  • use its best efforts to put the request on hold and notify the appropriate data protection authority competent for the EEA Customer by complying with the requirements of its Government Data Request Procedure set out in Appendix 9.

In no event must transfers of personal data from a Group Member to any law enforcement, state security or similar public authority be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.

Application of this Part IV

This Part IV applies where individuals’ personal data are protected under European data protection laws (including the GDPR). This is the case when:

  • those individuals’ personal data are processed in the context of the activities of a thirdparty controller or a Group Member (acting as processor) established in Europe;
  • a non-European Customer (acting as controller) or Group Member (acting as processor) offers goods and services (including free goods and services) to those individuals in Europe; or
  • a non-European Customer (acting as controller) or Group Member (acting as processor) monitors the behaviour of those individuals, as far as their behaviour takes place in Europe;

and that Customer or Group Member (as applicable) then transfers those individuals’ personal data to a non-European Group Member (or its sub-processor) for processing under the Processor Policy.

Entitlement to effective remedies

When this Part IV applies, individuals have the right to pursue effective remedies in the event their personal data is processed by Twilio in breach of the following provisions of this Processor Policy:

  • Part II (Our Obligations) of this Processor Policy;
  • Paragraphs 5 (Complaints Handling), 6 (Cooperation with Competent Supervisory Authorities), 8 (Conflicts between this Processor Policy and national legislation) and 9 (Government requests for disclosure of personal data) under Part III of this Processor Policy; and
  • Part IV (Third Party Beneficiary Rights) of this Processor Policy.

Individuals’ third party beneficiary rights

When this Part IV applies, the right for individuals to pursue effective remedies against Twilio apply only if either (i) the requirements at stake are specifically directed at Twilio as a processor in accordance with applicable data protection law (and in accordance with the guidance published by competent supervisory authorities), or (ii) the individuals cannot bring a claim against a Customer because:

  • the Customer has factually disappeared or ceased to exist in law or has become insolvent; and
  • no successor entity has assumed the entire legal obligations of the Customer by contract or by operation of law.

In such cases, individuals may exercise the following rights:

  • Complaints: Individuals may complain to a Group Member and/or to a European data protection authority, in accordance with the Complaints Handling Procedure at Appendix 7;
  • Proceedings: Individuals may lodge a complaint against a Group Member for violations of this Processor Policy, before a competent court in the EU where the controller or processor has an establishment or where the individual has his or her habitual residence in accordance with the Complaints Handling Procedure at Appendix 7;
  • Transparency: Individuals also have the right to obtain a copy of the Processor Policy on request to the Privacy Team at privacy@twilio.com.

Responsibility for breaches by non-European Group Members

Twilio Ireland Limited will at any given time be responsible for and will take any action necessary to remedy any breach of the Processor Policy by a non-European Group Member and will pay compensation for any material or non-material damages resulting from the violation of the Processor Policy by such Group Members. 

In particular:

  • If an individual can demonstrate damage it has suffered likely occurred because of a breach of this Processor Policy by a non-European Group Member (or a non-European sub-processor appointed by a Group Member), Twilio Ireland Limited will have the burden of proof to show that the non-European Group Member (or non-European subprocessor) is not responsible for the breach, or that no such breach took place.
  • where a non-European Group Member (or any non-European third party sub-processor acting on behalf of a Group Member) fails to comply with this Processor Policy, individuals may exercise their rights and remedies at any given time against Twilio Ireland Limited and, where appropriate, receive compensation (as determined by a competent court or other competent authority) from Twilio Ireland Limited for any material or non-material damage suffered as a result of a breach of this Processor Policy.

Shared liability for breaches with controllers

Where Twilio is engaged by a Customer to conduct processing and both are responsible for harm caused by the processing in breach of this Processor Policy, Twilio accepts that both Twilio and the Customer may be held liable for the entire damage in order to ensure effective compensation of the individual.

 

Appendix 1

TWILIO GROUP MEMBERS

Part A: Twilio group members in the European Economic Area

Name of entity

Registered address

1. Twilio Estonia OU

Veerenni tn 38, Tallinn 11313, Estonia

2. Twilio Germany GmbH

c/o Satellite Office UDL GmbH & Co. KG, Unter den Linden 10, 10117 Berlin, Germany

3. Twilio IP Holding Limited

70 Sir John Rogerson's Quay, Dublin 2, Dublin, Ireland D02R296

4. Twilio Ireland Limited

70 Sir John Rogerson's Quay, Dublin 2, Dublin, Ireland D02R296

5. Twilio Spain, S.L.

c/o Gestiona-t Legal & Management Solutions,  Avenida del Doctor Arce, 14, 28002 Madrid, Espana

6. Twilio Sweden AB

c/o Baker McKenzie Advokatbyrå KB,  Box 180, 101 23 Stockholm, Sweden

7. Twilio Berlin GmbH (c/o Satellite Office UDL GmbH & Co. KG)

Unter den Linden 10, 10117 Berlin, Germany

8. Twilio Netherlands B.V. (c/o TMF Netherlands B.V. / TMF Group)

c/o Regus, Gustav Mahlerphein 2, Regus Amsterdam Vinoly, 1082MA Amsterdam, The Netherlands

9. Twilio France SARL

c/o Primexis, Tour Pacific, 11-13 cours Valmy, 92977 Paris La Défense Cedex

Part B. Twilio group members outside of the European Economic Area

Name of entity

Registered address

1. Twilio Australia Pty Ltd

c/o Baker McKenzie, Tower One - International Towers Sydney, Level 46, 100 Barangaroo Avenue, Barangaroo NSW 2000

2. Twilio Canada Corp.

c/o Lawson Lundell LLP, 1600 - 925 West Georgia Street, Vancouver, BC V6C 3L2

3. Twilio Colombia S.A.S

c/o Baker McKenzie, Carrera 11 No 79-35, Piso 9 - Centro Empresarial Sequoya Plaza, Bogota, Columbia

4. Twilio Hong Kong Limited

c/o Baker McKenzie 14th Floor, One Taikoo Place 979 King's Road, Quarry Bay, SAR Hong Kong

5. Twilio Inc.

c/o Corporation Service Company,  251 Little Falls Drive, Wilmington, DE 19808

6. Twilio Japan G.K. (c/o ARK Outsourcing KK)

c/o ARK Outsourcing KK, 3-5-704 Ebisu, Shibuya-ku, Tokyo 150-0013, Japan

7. Twilio ROW Ltd

C/O CML, Century House, 16 Par-la-Ville Road, Hamilton HM08, Bermuda

8. Twilio Singapore Pte. Ltd

c/o Baker McKenzie,  8 Marina Boulevard #05-02, Marina Bay Financial Centre, Singapore 018981

9. Teravoz Telecom Telecomunicacoes Ltda.

Rua Padra Joao Manuel, n० 808, 3०, Cerqueira Cesar, CEP 01411-000, São Paulo, Brazil

10. Twilio Technology India Private Limited

c/o CoWorks,  Cowrks, RMZ Ecoworld, The Bay Area, 3rd Flr, Bldg 6A, Outer Ring Road, Devarabeesanahalli, Bellandur, Bangalore - 560103, Karantak

11. Twilio UK Limited

c/o Baker McKenzie, 100 New Bridge Street, London, United Kingdom, EC4V 6JA

DATA PROTECTION RIGHTS PROCEDURE

1. Introduction

1.1. Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy") safeguard personal data transferred between the Group Members.

1.2. Individuals whose personal data are processed by Twilio under the Policies have certain data protection rights, which they may exercise by making a request to the controller of their information (whether the controller is Twilio or a Customer) (a“Data Protection Rights Request”).

1.3. This Binding Corporate Rules: Data Protection Rights Procedure (“Procedure”) describes how Twilio will respond to any Data Protection Rights Requests it receives from individuals whose personal data are processed and transferred under the Policies.

2. Individual’s data protection rights

2.1. Twilio must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable data protection laws:

a. The right of access: This is a right for an individual to obtain confirmation whether a controller processes personal data about them and, if so, to be provided with details of that personal data and access to it. This process for handling this type of request is described further in paragraph 4 below;

b. The right to rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal data a controller may process about him or her. The process for handling this type of request is described further in paragraph 5 below.

c. The right to erasure: This is a right for an individual to require a controller to erase personal data about them on certain grounds – for example, where the personal data is no longer necessary to fulfil the purposes for which it was collected. The process for handling this type of request is described further in paragraph 5 below.

d. The right to restriction: This is a right for an individual to require a controller to restrict processing of personal data about them on certain grounds. The process for handling this type of request is described further in paragraph 5 below.

e. The right to object: This is a right for an individual to object, on grounds relating to his or her particular situation, to a controller’s processing of personal data about him or her, if certain grounds apply. The process for handling this type of request is described further in paragraph 5 below.

f. The right to data portability: This is a right for an individual to receive personal data concerning him or her from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply. The process for handling this type of request is described further in paragraph 6 below.

g. The right to opt-out from marketing communication. This is a right for an individual to object, in an easy-to-exercise manner and free of charge, to the use of their personal data for direct marketing purposes and we will honour all such opt-out requests. The process for handling this type of request is described further in paragraph 7 below. 

h. The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal affects or similarly significantly affects individuals' rights: We will not make any decision, which produces legal effects concerning an individual or or that similarly significantly affects them, based solely on the automated processing of that individual's personal data, including profiling. The process for handling this type of request is described further in paragraph 8 below. 

3. Responsibility to respond to a Data Protection Rights Request

3.1. Overview

3.1.1. The controller of an individual’s personal data is primarily responsible for responding to a Data Protection Rights Request and for helping the individual concerned to exercise his or her rights under applicable data protection laws.

3.1.2. As such, when an individual contacts Twilio to make any Data Protection Rights Request then:

a. where Twilio is the controller of that individual’s personal data under the Controller Policy, it must help the individual to exercise his or her data protection rights directly in accordance with this Procedure; and

b. where Twilio processes that individual’s personal data as a processor on behalf of a Customer under the Processor Policy, Twilio must inform the relevant Customer promptly and provide it with reasonable assistance to help the individual to exercise his or her rights in accordance with the Customer’s duties under applicable data protection laws.

3.2. Assessing responsibility to respond to a Data Protection Rights Request

3.2.1. If a Group Member receives a Data Protection Rights Request from an individual, it must pass the request to the Privacy Team at privacy@twilio.com immediately upon receipt indicating the date on which it was received together with any other information which may assist the Privacy Team to deal with the request.

3.2.2. The Privacy Team will make an initial assessment of the request as follows:

a. the Privacy Team will determine whether Twilio is a controller or processor of the personal data that is the subject of the request;

b. where the Privacy Team determines that Twilio is a controller of the personal data, it will then determine whether the request has been made validly under applicable data protection laws, whether an exemption applies (in accordance with section 3.4 below) and respond to the request (in accordance with section 3.5 below); and

c. where the Privacy Team determines that Twilio is a processor of the personal data on behalf of a Customer, it shall pass the request promptly to the relevant Customer in accordance with its contract terms with that Customer and will not respond to the request directly unless authorised to do so by the Customer.

3.3. Assessing the validity of a Data Protection Rights Request

3.3.1. If the Privacy Team determines that Twilio is the controller of the personal data that is the subject of the request, Twilio will then contact the individual in writing to confirm receipt of the Data Protection Rights Request.

3.3.2. A Data Protection Rights request must generally be made in writing, which can include email, unless applicable data protection laws allow a request to be made orally. A Data Protection Rights Request does not have to be official or mention data protection law to qualify as a valid request.

3.3.3. If Twilio has reasonable doubts concerning the identity of the individual making a request, it may request such additional information as is necessary to confirm the identity of the individual making the request. Twilio may also request any further information which is necessary to action the individual's request.

3.4. Exemptions to a Data Rights Protection Rights Request

3.4.1. Twilio will not refuse to act on Data Protection Rights Requests unless it can demonstrate that an exemption applies under applicable data protection laws.

3.4.2. Twilio may be exempt under applicable data protection laws from fulfilling the Data Protection Rights Request (or be permitted to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested) if it can demonstrate that the individual has made a manifestly unfounded or excessive request (in particular, because of the repetitive character of the request).

3.4.3. If Twilio decides not to take action on the Data Protection Rights Request, Twilio will inform the individual without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent supervisory authority and seeking a judicial remedy.

3.5. Responding to a Data Protection Rights Request

3.5.1. Where Twilio is the controller of the personal data that is the subject of the Data Protection Rights Request, and Twilio has already confirmed the identity of the requestor and has sufficient information to enable it to fulfil the request (and no exemption applies under applicable data protection laws), then Twilio shall deal with the Data Protection Rights Request in accordance with paragraph 4, 5 or 6 below (as appropriate).

3.5.2. Twilio will respond to a Data Protection Rights Request without undue delay and in no case later than one (1) month of receipt of that request. This one (1) month period may be extended by two (2) further months only if the request is complex or due to the number of requests that have been made. In the event, an individual has Data Protection Rights available under applicable law which allow for the processing of such requests within a period longer than one (1) month, Twilio may accommodate the Data Protection Rights Request in an alternative time period, provided it complies with the time periods as set forth in applicable law. 

4. Requests for access to personal data

4.1. Overview

4.1.1. An individual may require a controller to provide the following information concerning processing of his or her personal data:

a. confirmation as to whether the controller holds and is processing about that individual;

b. if so, a description of the personal purposes of the processing, the categories of personal data concerned, the envisaged period(s) (or the criteria used for determining those periods(s)) for which the personal data will be stored, and the recipients or categories of recipients to whom the information is, or may be, disclosed by the controller;

c. information about the individual’s right to request rectification or erasure of his or her personal data or to restrict or object to its processing;

d. information about the individual’s right to lodge a complaint with a competent supervisory authority;

e. information about the source of the personal data if it was not collected from the individual;

f. details about whether the personal data is subject to automated decision-making (including automated decision-making based on profiling) which produces legal effects concerning the individual or similarly significantly affects them; and

g. where personal data is transferred from the European Economic Area to a country outside of the European Economic Area, the appropriate safeguards that Twilio has put in place relating to such transfers in accordance with applicable data protection laws.

4.1.2. An individual is also entitled to request a copy of his or her personal data from the controller. Where an individual makes such a request, the controller must provide that personal data to the individual in intelligible form.

4.2. Process for responding to access requests from individuals

4.2.1. If Twilio receives an access request from an individual, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

4.2.2. Where Twilio determines it is the controller of the personal data and responsible for responding to the individual directly (and that no exemption to the right of access applies under applicable data protection laws), the Privacy Team will arrange a search of all relevant electronic and paper filing systems.

4.2.3. The Privacy Team may refer any complex cases to the Chief Legal Officer / Chief Compliance Officer for advice, particularly where the request concerns information relating to third parties or where the release of personal data may prejudice commercial confidentiality or legal proceedings.

4.2.4. The personal data that must be disclosed to the individual will be collated by the Privacy Team into a readily understandable format. A covering letter will be prepared by the Privacy Team which includes all information required to be provided in response to an individual's access request (including the information described in paragraph 4.1.1).

4.3. Exemptions to the right of access

4.3.1. A valid request may be refused on the following grounds:

a. If the refusal to provide the information is consistent with applicable data protection law (for example, where a European Group Member transfers personal data under the Controller Policy, if the refusal to provide the information is consistent with the applicable data protection law in the European Member State where the Group Member is located);

b. where the personal data is held by Twilio in non-automated form that is not or will not become part of a filing system; or

c. the personal data does not originate from Europe, has not been processed by any European Group Member, and the provision of the personal data requires Twilio to use disproportionate effort.

d. The Privacy Team will assess each request individually to determine whether any of the above- mentioned exemptions applies. A Group Member must never apply an exemption unless this has been discussed and agreed with the Privacy Team.

5. Requests to correct, update or erase personal data, or to restrict or cease processing personal data

5.1. If Twilio receives a request to correct, update or erase personal data, or to restrict or cease processing of an individual’s personal data, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

5.2. Once an initial assessment of responsibility has been made then:

a. where Twilio is the controller of that personal data, the request must be notified to the Privacy Team promptly for it to consider and deal with as appropriate in accordance with applicable data protection laws.

b. where a Customer is the controller of that personal data, the request must be notified to the Customer promptly for it to consider and deal with as appropriate in accordance with its duties under applicable data protection laws. Twilio shall assist the Customer to fulfil the request in accordance with the terms of its contract with the Customer.

5.3. To assist the Privacy Team in assessing an individual's request for restriction of processing of his or her personal data, the grounds upon which an individual may request restriction are when:

a. the accuracy of the personal data is contested by the individual, for a period enabling Twilio to verify the accuracy of the personal data;

b. the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of its use instead;

c. Twilio no longer needs the personal data for the purposes of the processing, but it is required by the individual for the establishment, exercise or defence of legal claims; or

d. Twilio has exercised his or her right to object pending the verification whether the legitimate grounds of the controller override his or her objection right.

5.4. To assist the Privacy Team in assessing an individual's request for erasure of his or her personal data, the grounds upon which an individual may request erasure are when:

a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b. the individual withdraws consent on which the processing is based and there is no other legal ground for the processing;

c. the individual exercises its right to object to processing of his or her personal data and there are no overriding legitimate grounds for continued processing;

d. the personal data have been unlawfully processed;

e. the personal data have to be erased for compliance with a legal obligation to which the controller is subject; or

f. the personal data have been collected in relation to the offer of information society services to a child under the age of 16 and a parent or guardian has not consented to the processing.

5.5. When Twilio must rectify or erase personal data, either in its capacity as controller or on instruction of a Customer when it is acting as a processor, Twilio will notify other Group Members and any sub-processor to whom the personal data has been disclosed so that they can also update their records accordingly.

5.6. Where Twilio acting as a controller must restrict processing of an individual's personal data, it must inform the individual before it subsequently lifts any such restriction.

5.7. If Twilio acting as controller has made the personal data public, and is obliged to erase the personal data pursuant to a Data Protection Rights Request, it must take reasonable steps, including technical measures (taking account of available technology and the cost of implementation), to inform controllers which are processing the personal data that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal data

6. Right to data portability

6.1. If an individual makes a Data Protection Rights Request to Twilio acting as controller to receive the personal data that he or she has provided to Twilio in a structured, commonly used and machine- readable format and/or to transmit directly such information to another controller (where technically feasible), Twilio’s Privacy Team will consider and deal with the request appropriately in accordance with applicable data protection laws insofar as the processing is based on that individual's consent or on the performance of, or steps taken at the request of the individual prior to entry into, a contract.

7. Right to opt-out from marketing communications

7.1 If an individual makes a Data Protection Rights Request to Twilio, acting as a controller, to opt-out from marketing communications, Twilio’s Privacy Team will forward the request to the relevant business function or otherwise provide a mechanism that is accessible to the individual for the purpose of exercising their right to opt-out of marketing communications.

8. Right to opt-out from automated decision making

8.1 If individual makes a Data Protection Rights Request to Twilio to not be subject to a decision based solely on automated processing, including profiling, Twilio’s Privacy Team will ensure the individual is exempted from such processes, unless such decision is: (i) necessary for entering into, or performing, a contract between a Group Member and that individual; (ii) authorized by applicable law (which, in the case of personal data about individuals in Europe, must be European Union or Member State law); or (iii) based on the individual's explicit consent. In the (i) and (iii) cases above, we must implement suitable measures to protect the individual's rights and freedoms and legitimate interests, including the right to obtain human intervention, to express his or her view and to contest the decision. We must never make automated individual decisions about individuals using their special categories of data and criminal convictions and offenses data, unless they have given explicit consent or another lawful basis applies.

9. Questions about this Data Protection Rights Procedure

9.1 All queries relating to this Procedure are to be addressed to the Privacy Team or at privacy@twilio.com.

PRIVACY COMPLIANCE STRUCTURE

1. Introduction

1.1. Twilio's compliance with global data protection laws and the “Binding Corporate Rules: Controller Policy” and “Global Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") is overseen and managed throughout all levels of the business by a global, multi-layered, cross-functional privacy compliance structure.

1.2. Twilio's Privacy Compliance Structure has the full support of Twilio's executive management. Further information about Twilio's Privacy Compliance Structure is set out below and in the structure chart provided at Annex A.

2. Chief Privacy Officer

2.1. Twilio has appointed a Chief Privacy Officer (“CPO”) receiving the highest management support to provide executive-level oversight of, and responsibility for, ensuring Twilio's compliance with applicable data protection laws and the Policies.

2.2. The CPO reports directly to the Board of Directors on all material or strategic issues relating to Twilio's compliance with data protection laws and the Policies, and is also accountable to Twilio's independent Audit Committee. The CPO can inform the Board of Directors if any questions or problems arise during the performance of his/her duites. The CPO leads and is supported by Twilio’s Privacy Team.

2.3. The CPO’s key responsibilities with regard to privacy include:

  • Ensuring that the Policies and other privacy-related policies, objectives and standards are defined and communicated.
  • Reporting at least annually (and more often, if needed, in response to specific risks or concerns), on global data protection compliance to Twilio's Board of Directors.
  • Providing clear and visible senior management support and resources for the Policies and for privacy objectives and initiatives in general.
  • Evaluating, approving and prioritizing remedial actions consistent with the requirements of the Policies, strategic plans, business objectives and regulatory requirements.
  • Periodically assessing privacy initiatives, accomplishments, and resources to ensure continued effectiveness and improvement.
  • Ensuring that Twilio's business objectives align with the Policies and related privacy and information protection strategies, policies and practices.
  • Facilitating communications on the Policies and privacy topics with the Board of Directors and independent Audit Committee.
  • Dealing with any escalated privacy complaints in accordance with the Binding Corporate Rules: Complaint Handling Procedure.
  • Dealing with competent supervisory authorities' investigations. 
  • Supporting the conduct of any data protection audits carried out by supervisory authorities, in accordance with the Binding Corporate Rules: Cooperation Procedure.

3. Privacy Team

3.1.1.  The Twilio Privacy Team consists of Twilio’s in-house privacy counsel, as well as other non-legal privacy operations staff. The Privacy Team reports directly to Twilio’s CPO and Data Protection Officer, who in turn, reports to the Chief Legal Officer. Reporting to the CPO ensures appropriate independence and oversight of duties relating to all aspects of Twilio's data protection compliance.

3.2. The Privacy Team is accountable for managing and implementing Twilio's data privacy program internally (including the Policies) and for ensuring that effective data privacy controls are in place for any third party service provider Twilio engages. In this way, the Privacy Team is actively engaged in addressing matters relating to Twilio's privacy compliance on a routine, day-to-day basis.

3.3. The Privacy Team’s responsibilities include:

  • Providing guidance about the collection and use of personal data subject to the Policies and to assess the processing of personal data by Twilio Group Members for potential privacy-related risks.
  • Responding to inquiries and compliance relating to the Policies from staff members, customers and other third parties raised through its dedicated e-mail address at privacy@twilio.com.
  • Helping to implement the Policies and related policies and practices at a functional and local country level, providing guidance and responding to privacy questions and issues.
  • Providing input on audits of the Policies, coordinating responses to audit findings and responding to inquiries of the supervisory authorities.
  • Monitoring changes to global privacy laws and ensuring that appropriate changes are made to the Policies and Twilio's related policies and business practices.
  • Overseeing training for staff on the Policies and on data protection legal requirements in accordance with the Binding Corporate Rules: Privacy Training Program.
  • Promoting the Policies and privacy awareness across business units and functional areas through privacy communications and initiatives.
  • Evaluating privacy processes and procedures to ensure that they are sustainable and effective.
  • Reporting periodically on the status of the Policies to the CPO and Board of Directors and / or Audit Committee as appropriate.
  • Ensuring that the commitments made by Twilio in relation to updating, and communicating updates to the Policies are met in accordance with the Binding Corporate Rules: Updating Procedure.
  • Overseeing compliance with the Binding Corporate Rules: Data Protection Rights Procedure and the handling of any requests made under it.

4. Security Compliance and Assurance Team

4.1. Twilio’s Security Compliance and Assurance team, which is made up of members of the wider Trust and Security Team, reports to the Chief Digital Officer. This team has a number of specific responsibilities in relation to the implementation and oversight of the Policies and privacy matters more generally, including:

  • Audit of attendance of privacy training courses as set out in the Binding Corporate Rules: Privacy Training Program.
  • Overseeing independent audits of compliance with the Policies as set out in the Binding Corporate Rules: Audit Protocol and ensuring that such audits address all aspects of the Policies.
  • Ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of Twilio's Privacy Team and that any corrective actions are determined and implemented within a reasonable time.

5. Privacy & Security Committee

5.1.Twilio's Privacy & Security Committee comprises functional leads or key representatives from the main functional areas within Twilio, including security, sales, marketing, HR, procurement, product development, legal and compliance.

5.2. The key responsibilities of Members of the Privacy Committee include 

  • Promoting the Policies at all levels in their functional areas.
  • Assisting the Privacy Team with the day-to-day implementation and enforcement of Twilio's privacy policies (including the Policies) within their respective areas of responsibility.
  • Escalating questions and compliance issues or communicating any actual or potential violation of relating to the Policies to the Privacy Team.
  • Through its liaison with the Privacy Team, the Privacy Committee serves as a channel through which the Privacy Team can communicate data privacy compliance actions to all key functional areas of the business.

5.3. The Privacy Committee will meet on a formal and regular basis, at a minimum frequency of every six months, to ensure a coordinated approach to data protection compliance across all functions.

6. Data Proection Officer

6.1 Twilio has appointed a DPO who assists Group Members and provides oversight of Twilio's compliance with applicable data protection laws and the Policies. The DPO reports directly to executive management, including Twilio's independent Audit Committee and does not perform any tasks that could result in a conflict of interest, such as, for instance, DPIAs or Policy audits. Twilio’s DPO is also responsible for:

  • informing and advising staff who carry out processing of their obligations pursuant to applicable data protection laws and the Controller Policy;

  • monitoring compliance with data protection regulations, the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

  • providing advice where requested as regards the data protection impact assessment and monitoring its performance;

  • cooperating with the competent supervisory authority;

  • acting as the contact point for the competent supervisory authorities on issues relating to processing, including prior consultation, and consulting, where appropriate, with regard to any other matter

7. Twilio Staff

7.1. All staff members within Twilio are responsible for supporting the functional Privacy & Security Committee members on a day-to-day basis and adhering to Twilio privacy policies.

7.2. In addition, Twilio personnel are responsible for escalating and communicating any potential violation of the privacy policies to the appropriate Privacy & Security Committee member or, if they prefer, the Twilio Privacy Team. On receipt of a notification of a potential violation of the privacy policy the issue will be investigated to determine if an actual violation occurred. Results of such investigations will be documented.

8. Contact Details

8.1 Twilio’s DPO and Privacy Team and Privacy & Security Committee can be directly contacted at privacy@twilio.com or by writing to Twilio Privacy at 101 Spear St. Ste. 500, San Francisco, CA 94105

 

PRIVACY TRAINING PROGRAM

1. Background

1.1. The “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy") provide a framework for the transfer of personal data between Twilio's Group Members. The document sets out the requirements for Twilio to train its staff members on the requirements of the Policies.

1.2. Twilio must train staff members (including new hires, temporary staff and individual contractors whose roles bring them into contact with personal data) on the basic principles of data protection, confidentiality and information security awareness. This must include training on applicable data protection laws, including European data protection laws. Training shall also include guidance on data protection best practices and any security certifications applicable to Twilio such as ISO 27001. This training is repeated on a regular basis as specified in Section 3.2 below. 

1.3. Staff members who have permanent or regular access to personal data and who are involved in the processing of personal data or in the development of tools to process personal data must receive additional, tailored training on the Policies and specific data protection issues relevant to their role.

1.4. These trainings are further described below.

2. Responsibility for the Privacy Training Program

2.1. Twilio's Privacy Team has overall responsibility for privacy training at Twilio, with input from colleagues from other functional areas, including Legal, Information Security, Security Compliance and Assurance, HR and other departments, as appropriate. The Privacy Team will review training from time to time to ensure it addresses all relevant aspects of the Policies and that it is appropriate for individuals who have permanent or regular access to personal data, who are involved in the processing of personal data or in the development of tools to process personal data.

2.2. Twilio's senior management is committed to the delivery of data protection training courses, and will ensure that staff are required to participate, and given appropriate time to attend, such courses. Course attendance must be recorded and monitored via regular audits of the training process. These audits are performed by Twilio's Security Compliance and Assurance Team and/or independent third party auditors.

  1.  If these training audits reveal persistent non-attendance, this will be escalated to the Privacy Team for action. Such action may include escalation of non-attendance to appropriate managers within Twilio who will be responsible and held accountable for ensuring that the individual(s) concerned attend and actively participate in such training.

3. Delivery of the training courses

3.1. Twilio will deliver mandatory training courses, either in person or electronically, supplemented by face to face training for staff members. The courses are designed to be both informative and user-friendly, generating interest in the topics covered.

3.2. All Twilio staff members must complete data protection training (including training on the Policies):

a. as part of their induction program;

b. as part of a regular refresher training at least every year;

c. as and when necessary to stay aware of changes in the law; and

d. as and when necessary to address any compliance issues arising from time to time.

3.3. Certain staff members must receive supplemental specialist training, in particular staff members who handle customer or employee personal data in Product Development, HR and Customer Support or whose business activities include processing special categories of personal data and criminal convictions and offenses data. Specialist training shall be delivered as additional modules to the basic training package, and will be tailored as necessary to the course participants.

4. Training on data protection

4.1. Twilio's training on data protection and the Policies will cover the following main areas:

4.1.1. Background and rationale:

a. What is data protection law?

b. What are key data protection terminology and concepts?

c. What are the data protection principles?

d. How does data protection law affect Twilio internationally?

e. What are Twilio’s BCR Policies?

4.1.2. The Policies:

a. An explanation of the Policies

b. The scope of the Policies

c. The requirements of the Policies

d. Practical examples of how and when the Policies apply

e. The rights that the Policies give to individuals

f. The privacy implications arising from processing personal data for clients

4.1.3. Where relevant to a staff member's role, training will cover the following procedures under the Policies:

a. Data Subject Rights Procedure

b. Audit Protocol

c. Updating Procedure

d. Cooperation Procedure

e. Complaint Handling Procedure

f. Government Data Request Procedure, including how to handle requests for access to personal data by public authorities

AUDIT PROTOCOL

Binding Corporate Rules: Audit Protocol

1. Background

1.1. Twilio's “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy") safeguard personal data transferred between the Twilio group members Group Members.

1.2. Twilio must audit its compliance with the Policies on a regular basis, and this document describes how and when Twilio must perform such audits. Although this Audit Protocol describes the formal assessment process by which Twilio will audit its compliance with the Policies, this is only one way in which Twilio ensures that the provisions of the Policies are observed and corrective actions taken as required.

1.3. In particular, Twilio's Privacy Tteam provides ongoing guidance about the processing of personal data and continually assesses the processing of personal data by Group Members for potential privacy-related risks and compliance with these Policies.

2. Conduct of an audit

Overview of audit requirements

2.1. Compliance with the Policies is overseen on a day to day basis by the Security Compliance and Assurance Team. The Security Compliance and Assurance Team is responsible for overseeing independent audits of compliance with the Policies and will ensure that such audits address all aspects of the Policies, including methods and action plans ensuring that corrective actions have been implemented. 

2.2. The Security Compliance and Assurance Team receives guaranteed independence as to the performance of their duties related to these audits.

2.3. The Security Compliance and Assurance Team is responsible for ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of the Privacy Team and that any corrective actions are determined and implemented within a reasonable time. Serious non-compliance issues will be escalated to the Chief Legal Officer and Chief Compliance Officer and, ultimately, the Board of Directors in accordance with paragraph 2.10.

2.4. Where Twilio acts as a processor, the Customer (or auditors acting on its behalf) may audit Twilio for compliance with the commitments made in the Processor Policy and may extend such audits to any sub-processors acting on Twilio's behalf in respect of such processing. Such audits shall be conducted in accordance with the terms of Customer's contract with Twilio.

Frequency of audits 

2.5. Frequency of audits of compliance with the Policies will be determined on the basis of the risk(s) posed by the processing activities covered by the Policies to the rights and freedoms of data subjects and audits will be conducted:

a. at least annually in accordance with Twilio's audit procedures; and/or

b. at the request of the Chief Legal Officer and Chief Compliance Officer and / or the Board of Directors; and/or

c. as determined necessary by the Privacy Team or Audit Committee (for example, in response to a specific incident) and / or

d. (with respect to audits of the Processor Policy), as required by the terms of the Customer's contract with Twilio.

Scope of audit

2.6. The Privacy Team will determine the scope of an audit following a risk-based analysis that takes into account relevant criteria such as:

a. areas of current regulatory focus;

b. areas of specific or new risk for the business;

c. areas with changes to the systems or processes used to safeguard data;

d. use of innovative new tools, systems or technologies;

e. areas where there have been previous audit findings or complaints;

f. the period since the last review; and

g.the nature and location of the personal data processed.

2.7. In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, the scope of the audit shall be limited to the data processing facilities, data files and documentation relating to that Customer. Twilio will not provide a Customer with access to systems which process personal data of another Customer.

Auditors

2.8. Audit of the Policies (including any related procedures and controls) will be undertaken by internal or external independent and experienced professional auditors appointed by Twilio and acting under a duty of confidence and in possession of the required professional qualifications as necessary to perform audits of the Policies.

2.9. In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, such audit may be undertaken by that Customer, or by independent and suitably experienced auditors approved by that Customer, in accordance with the terms of the Customer's contract with Twilio.

2.10. The competent supervisory authorities may audit Group Members for the purpose of reviewing compliance with the Policies (including any related procedures and controls) in accordance with the Binding Corporate Rules: Cooperation Procedure.

Reporting

2.11. Data protection audit reports must be submitted to the Chief Legal Officer and Chief Compliance Officer, Lead Privacy Counsel and the Chief Digital Officer, and, provided that it cannot result in a conflict of interests, to the Data Protection Officer and the board of Twilio Ireland Limited and, where appropriate to Twilio. Inc.'s board. 

2.12. Twilio will provide copies of the results of data privacy audits of the Policies (including any related procedures and controls) to competent supervisory authorities; and

2.13. Twilio will to the extent that an audit of compliance with the Processor Policy relates to personal data Twilio processes on behalf of a Customer, to that Customer

2.14. The Lead Privacy Counsel and Data Protection Officer is responsible for liaising with the competent supervisory authorities for the purpose of providing the information outlined in paragraph 2.11.

COMPLAINT HANDLING PROCEDURE

1. Background

Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy") safeguard personal data transferred between the Twilio Group Members.

This Complaint Handling Procedure describes how complaints brought by an individual whose personal data is processed by Twilio under the Policies must be addressed and resolved.

This procedure will be made available to individuals whose personal data is processed by Twilio under the Controller Policy and to Customers on whose behalf Twilio processes personal data under the Processor Policy.

2. How individuals can bring complaints

Any individuals may raise a data protection question, concern or complaint (whether related to the Policies or not) by e-mailing Twilio’s Privacy Team at privacy@twilio.com or by writing to Twilio’s Privacy Team at 101 Spear Street, Suite 500, San Francisco, CA 94105.  We encourage using this point of contact, however, compliants received by other means will also be addressed. 

3. Complaints where Twilio is a controller

Who handles complaints?

3.1.1. The Privacy Team will handle all questions, concerns, or complaints in respect of personal data for which Twilio is a controller (such as personal data processed in the context of human resources administration or customer relationship management), including questions, concerns or complaints arising under the Controller Policy. The Privacy Team will liaise with colleagues from relevant business and support units as necessary to address and resolve such questions, concerns and complaints.

What is the response time?

3.1.2. Twilio will acknowledge receipt of a question, concern or complaint to the individual concerned without undue delay, investigating and providing information on actions taken to the complainant without undue delay and in any event within one (1) month. Our substantive response to a data subject complaint will include details of any remedial action taken. 

3.1.3. If, due to the complexity of the complaint, a substantive response cannot be given within this period, Twilio will advise the individual accordingly and provide a reasonable estimate (not exceeding two (2) further months, i.e. three (3) months in total) of the timescale within which a substantive response will be provided.

What happens if an individual disputes a finding?

3.1.4. If the individual notifies Twilio that it disputes any aspect of the response finding, the Privacy Team will refer the matter to the Chief Privacy Officer (CPO). The CPO will review the case and advise the individual of his or her decision either to accept the original finding or to substitute a new finding. The CPO will respond to the complainant within one (1) month from being notified of the escalation of the dispute.

3.1.5. As part of its review, the CPO may arrange to meet the parties to the dispute in an attempt to resolve it. If, due to the complexity of the dispute, a substantive response cannot be given within one (1) month of its escalation, the CPO will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed three (3) months from the date the dispute was escalated.

3.1.6. If the complaint is upheld, the CPO will arrange for any necessary steps to be taken as a consequence. If the complaint is rejected, the CPO will notify the individual within the timescales set out above. 

3.1.7 Individuals who are not satisfied by the response finding from Twilio, may go straight to the procedure in Section 5, below. 

4. Complaints where Twilio is a processor

Communicating complaints to the Customer

4.1.1. Where a complaint is brought in respect of the processing of personal data for which Twilio is a processor on behalf of a Customer, Twilio will communicate the details of the complaint to the relevant Customer without delay and without handling it (unless Twilio has agreed in the terms of its contract with the Customer to handle complaints).

4.1.2. Twilio will cooperate with the Customer to investigate the complaint, in accordance with the terms of its contract with the Customer and if so instructed by the Customer.

What happens if a Customer no longer exists?

4.1.3. In circumstances where a Customer has disappeared, no longer exists or has become insolvent, and no successor entity has taken its place, individuals whose personal data are processed under the Processor Policy have the right to complain to Twilio and Twilio will handle such complaints in accordance with paragraph 3 of this Complaint Handling Procedure.

4.1.4. In such cases, individuals also have the right to complain to a competent supervisory authority and to file a claim with a court of competent jurisdiction, including where they are not satisfied with the way in which their complaint has been resolved by Twilio. Such complaints and proceedings will be handled in accordance with paragraph 5 of this Complaint Handling Procedure.

5. Right to complain to a competent supervisory authority and to commence proceedings

Overview

5.1.1 Where individuals' personal data:

a. are processed in Europe by a Group Member acting as a controller and/or transferred to a Group Member located outside Europe under the Controller Policy; or

b. are processed in Europe by a Group Member acting as a processor and/or transferred to a Group Member located outside Europe under the Processor Policy;

then those individuals have certain additional rights to pursue effective remedies for their complaints, as described below.

5.1.2 The individuals described in above have the right to complain to a competent supervisory authority (in accordance with paragraph 5.2) and/or to commence proceedings in a court of competent jurisdiction (in accordance with paragraph 5.3). Such right is not dependent on the data subject having used the complaint handling process prior to registering a complaint, including whether or not they have first complained directly to the Customer in question or to Twilio.

5.1.3. Twilio accepts that complaints and claims made pursuant to paragraphs 5.2 and 5.3 may be lodged by a not-for-profit body, organization or association acting on behalf of the individuals concerned.

5.2. Complaint to a supervisory authority

5.2.1. If such an individual wishes to complain about Twilio's processing of his or her personal data to a supervisory authority on the basis that a European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, he or she may complain about that European Group Member to the data protection authority in the European territory:
a. of his or her habitual residence;
b. of his or her place of work; or
c. where the alleged infringement occurred.

5.2.2.
If an individual wishes to complain about Twilio's processing of his or her personal data to a supervisory authority on the basis that a non-European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, then Twilio Ireland Limited will submit to the jurisdiction of the competent supervisory authority (determined in accordance with paragraph 5.2.1 above) in place of that non-European Group Member, as if the alleged breach had been caused by Twilio Ireland Limited.

5.3. Proceedings before a national court

5.3.1. If an individual wishes to commence court proceedings against Twilio on the basis that a European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, then he or she may commence proceedings against that European Group Member in the European territory:
a. In which that European Group Member is established; or
b. of his or her habitual residence.

5.3.2.
If an individual wishes to commence court proceedings against Twilio on the basis that a non-European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, then Twilio Ireland Limited will submit to the jurisdiction of the competent court (determined in accordance with paragraph 5.3.1 above) in place of that non-European Group Member, as if the alleged breach had been caused by Twilio Ireland Limited.

CO-OPERATION PROCEDURE

1. Introduction

1.1. This Binding Corporate Rules: Cooperation Procedure sets out the way in which Twilio will cooperate with competent supervisory authorities in relation to the "Twilio Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy").

2. Cooperation Procedure

2.1. Where required, Twilio will make the necessary personnel available for dialogue with a competent supervisory authority in relation to the Policies.

2.2. Twilio will review, consider and (as appropriate) abide by:

i. any advice or decisions of relevant competent supervisory authorities on any data protection law issues that may affect the Policies; and

ii. any guidance published by the European Data Protection Board or any successor to i) in connection with Binding Corporate Rules for Processors and Binding Corporate Rules for Controllers.

2.3. Twilio will provide upon request (i) any information about the processing operations covered by the Policies and (ii) copies of the results of any audit it conducts of the Policies to a competent supervisory authority.

2.4. Twilio agrees that:

a. a competent supervisory authority may audit (including where necessary, on site) any Group Member for compliance with the Policies, and

b. a competent supervisory authority may audit any Group Member who processes personal data for a Customer established within the jurisdiction of that data protection authority for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction;

2.5. Twilio agrees to abide by a formal decision of any competent data protection authority on any issues relating to the interpretation and application of the Policies (unless and to the extent that Twilio is entitled to appeal any such decision and has chosen to exercise such right of appeal).

2.6 Any dispute related to a competent supervisory authority's exercise of supervision of compliance with the Processor Policy will be resolved by the courts of the Member State of that supervisory authority, in accordance with that Member State's procedural law. The Group Members agree to submit themselves to the jurisdiction of these courts.

UPDATING PROCEDURE

1. Introduction

1.1. This Binding Corporate Rules: Updating Procedure describes how Twilio must communicate changes to the "Binding Corporate Rules: Controller Policy" ("Controller Policy") and to the "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies") to competent supervisory authorities, individual data subjects, its Customers and to Twilio Group Members bound by the Policies.

1.2. Any reference to Twilio in this procedure is to the Privacy Team who is accountable for ensuring that the commitments made by Twilio in this Updating Procedure are met.

2. Records keeping

2.1. Twilio must maintain a change log which sets out details of each and every revision made to the Policies, including the nature of the revision, the reasons for making the revision, the date the revision was made, and who authorised the revision.

2.2. Twilio must also maintain an accurate and up-to-date list of Group Members that are bound by the Policies and of the sub-processors appointed by Twilio to process personal data on behalf of Customers. This information will be made available online and provided to data subjects and upon request to competent supervisory authorities and to Customers.

2.3. The Privacy Team shall be responsible for ensuring that the records described in this paragraph 2 are maintained and kept accurate and fully up-to-date.

3. Changes to the Policies

3.1. All proposed changes to the Policies must be reviewed and approved by the Lead Privacy Counsel in order to ensure that a high standard of protection is maintained for the data protection rights of individuals who benefit from the Policies. No changes to the Policies shall take effect unless reviewed and approved by the Lead Privacy Counsel.

3.2. Twilio will communicate all other changes to the Policies (including reasons that justify the changes) and changes to the list of Group Members bound by the Policies:

i. without undue delay to all Group Members bound by the Policies via written notice (which may include e-mail);

ii. systematically to Customers and the individuals who benefit from the Policies via www.twilio.com (and, if any changes materially affect Twilio's processing operations on behalf of a Customer, they must be communicated to Customers before they take effect, in accordance with paragraph 4.2 below); and

iii. to the supervisory authorities via the Lead Authority, once a year. 

3.3. Once annually, the Lead Supervisory Authority shall be notified of any changes made to the Policies, or the list of Group Members. The Lead Supervisory Authority shall also be notified once annually in instances where no changes have been made.

4. Communication of substantial changes

4.1. If Twilio makes any substantial changes to the Policies that would detrimentally affect the level of protection offered by the Policies, or otherwise significantly affect the Policies (for example, by making changes to the binding nature of the Policies, change of the liable Group Members, etc), Twilio will communicate any such changes in advance to the competent supervisory authorities via the Lead Supervisory Authority with a brief explanation of the reasons for the update.

4.2. If a proposed change to the Processor Policy will materially affect Twilio’s processing of personal data on behalf of a Customer, Twilio will also:

a. actively communicate the proposed change to the affected Customer before it takes effect, and with sufficient notice to enable the affected Customer to raise objections; and

b. the Customer may then suspend the transfer of personal data to Twilio and/or terminate the contract, in accordance with the terms of its contract with Twilio.

5. Transfers to new Group Members

5.1. If Twilio intends to transfer personal data to any new Group Members under the Policies, it must first ensure that all such new Group Members are bound by the Policies before transferring personal data to them.

Government Data Request Procedure

1. Introduction

1.1. This Binding Corporate Rules: Government Data Request Procedure sets out Twilio's procedure for responding to Data Disclosure Requests.

1.2. Where Twilio receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this Procedure. If applicable data protection law(s) require a higher standard of protection for personal data than is required by this Procedure, Twilio will comply with the relevant requirements of applicable data protection law(s).

2. General principle on Data Disclosure Requests

2.1. As a general principle, Twilio does not disclose personal data in response to a Data Disclosure Request unless either:
a. it is under a compelling legal obligation to make such disclosure; or
b. taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.

2.2. For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Twilio will cooperate with the competent supervisory authorities and, where it processes the requested personal data on behalf of a Customer, notify the Customer, in order to address the Data Disclosure Request. Even where disclosure is required, Twilio's policy is that the Customer should have the opportunity to protect the personal data requested because it has the greatest interest in opposing, or is in the better position to comply with, a Data Disclosure Request.

3. Handling of a Data Disclosure Request

3.1. All Data Disclosure Requests must be passed to Twilio's Legal Requests team immediately upon receipt, indicating the date on which it was received together with any other information that may assist Twilio's Legal Requests team to deal with the request. Twilio's Legal Requests Team will consult with the Privacy Team about the privacy implications of the Data Disclosure Request and any data protection measures that must be taken, and will notify and confer with the Privacy Team when necessary.

3.2. Data Disclosure Requests Regarding Personal DAta Protected Under European Data Protection Laws

3.2.1. If a Group Member acting as an importer:

(i)  receives a legally binding Data Disclosure Request under the laws of the country of destination or of another third country, for disclosure of personal data transferred pursuant to the Controller Policy, it must notify promptly the Group Member acting as the exporter and, where possible, the data subjects (if necessary with the help of the exporter). Such notification must include information about the Requesting Authority, the personal data that is requested, the legal basis on which the Data Disclosure Request is based and the response provided, 

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to the Controller Policy in accordance with the laws of the country of destination, it must notify promptly the Group Member acting as the exporter and, where possible, the data subjects (if necessary with the help of the exporter). 

3.2.2. If prohibited from notifying the exporter or the data subjects, the importer will carefully consider whether to request a waiver of such prohibition and will maintain a record of the decision to request a waiver to provide upon request of the exporter.

3.3. Reviewing a Data Disclosure Request

3.3.1 Twilio's Legal Requests team will carefully review the legality of each and every Data Disclosure Request on a case-by-case basis, in particular whether the Data Disclosure Request remains within the powers granted to the Requesting Authority. Twilio's Legal Requests team will liaise with the legal department and outside counsel as appropriate to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, as well as its validity under applicable laws, in order to identify whether action may be needed to challenge the Data Disclosure Request.

3.4 Challenging a Data Disclosure Request

3.4.1. Twilio will challenge the request if, after careful assessment, it appears that there are reasonable grounds to consider that the request is unlawful under the applicable laws of the country in which the recipient is located, or under applicable obligations under international law, and principles of international comity.  

3.4.2. When challenging a request, Twilio will seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It will not disclose the personal data requested until required to do so under the applicable procedural rules.

3.4.3. Where applicable, Twilio may appeal the decision of the Requesting Authority in accordance with the procedural laws of the country in which the recipient is located.

3.5 Responding to a Data Disclosure Request

3.5.1 Twilio shall provide the minimum amount of personal data permissible when responding to a Data Disclosure Request, based on a reasonable interpretation of the request.


4. Data Disclosure Request pertaining to Data of a European Customer - Notification, Transparency and Documentation

Where a Group member is acting as an importer and is processing personal data on behalf of an European Customer pursuant to the Processor Policy, it will;

4.1. (i) after assessing the nature, context, purposes, scope and urgency of the Data Protection Request, Twilio will notify and provide the European Customer with the details of the Data Disclosure Request prior to disclosing any personal data, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

(ii) put the request on hold in order to notify and consult with the competent supervisory authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification and,

(iii) notify and consult with competent supervisory authorities and suspend the request unless prohibited from doing so. In this case Twilio will use its best efforts (taking into account the nature, context, purposes, scope and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold so that Twilio can consult with the competent supervisory authorities, which may also, in appropriate circumstances, include seeking a court order to this effect. Twilio will maintain a written record of the efforts it takes.

4.2 If, despite having used its best efforts, Twilio is not in a position to notify the competent supervisory authorities of the request, Twilio commits to preparing an annual report (a “Transparency Report”) which reflects to the extent permitted by applicable laws, the number and type of Data Disclosure Requests it has received in the preceding year and, if possible, the Requesting Authorities who made those requests. Twilio shall provide this report to the lead data protection authority which authorized its BCR (and any other data protection authorities that the lead authority may direct) once a year.

4.3. Twilio shall document its legal assessment and any challenge to the Data Disclosure Request and, to the extent permissible under the national/local laws of the country where the importer is located, make the documentation available to the exporter and to the competent supervisory authorities, upon request.

4.4. The importer shall provide the exporter, at regular intervals upon request, with information on the Data Disclosure Requests received (including the number of requests, type of data requested, requesting authorities, whether such requests have been challenged and outcome). If the importer is or becomes partially or completely prohibited from providing this information to the exporter, it shall, without undue delay, inform the exporter accordingly.

4.5. The importer shall preserve the above mentioned information in paragraph 6.14.3 for as long as the personal data are subject to the safeguards under this Processor Policy, and shall make it available to the competent supervisory authorities upon request.


5. Bulk transfers

5.1. In no event will any Group Member provide access to personal data to a Requesting Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

EXCLUDED PRODUCTS

  • SendGrid branded services
  • Teravoz branded services