Data Privacy FAQs
Why is Twilio a Controller of Communications Usage Data (formerly referred to Customer Usage Data)?
For electronic communications service providers like Twilio, the default position is that they are the controller for any personal data required for the provision of the communications services they provide. We refer to this type of personal data as Communications Usage Data, which includes individual data subjects’ telephone numbers, the date, time, duration, and type of a communication, and the location of the devices receiving that communication.
Twilio processes Communications Usage Data in order to deliver communications (e.g., text messages and voice calls) through different types of communication channels and for the following main purposes:
- Accurately billing customers for their use of the communications services;
- Routing messages;
- Maintaining the security and operation of Twilio’s systems;
- Making telecommunications provider interconnection payments and paying taxes;
- Investigating, detecting, and preventing spam, fraud, and abuse; and
- complying with applicable laws and regulations, such as country-specific phone number regulations.
In doing so, Twilio is a controller because we determine how and why Communications Usage Data needs to be processed for these purposes. Twilio also determines how long Communications Usage Data needs to be retained for these purposes and, once it is no longer needed, we either remove the data from our systems or anonymize, de-identify, or aggregate Communications Usage Data such that it no longer identifies our customers, our customers’ end users, or any other individual.
This controller position follows the guidance from the European Data Protection Board (EDPB):
“Providing an electronic communications service such as an electronic mail service involves processing of personal data. The provider of such services will normally be considered a controller in respect of the processing of personal data that is necessary for the operation of the service as such (e.g., traffic and billing data).”
Twilio can only process Communications Usage Data for purposes unrelated to the operation of our communications services with the authorization our customers provide in the Data Protection Addendum (DPA), which is part of the contractual agreement with Twilio, or any service-specific terms customers agree to or otherwise accept, and in accordance with applicable data protection laws and regulations.
Why are telecommunications providers not treated as sub-processors by Twilio and included in Twilio’s sub-processor list?
Twilio’s telecommunications providers are not considered to be Twilio's processors (or Twilio's customers' sub-processors) under the GDPR because telecommunications providers transmitting communications content (i.e., Customer Content as defined in the Data Protection Addendum (DPA)) are not considered to be processing the personal data contained in the communication.
There are a number of reasons behind this position:
Communications content merely transits a telecommunications provider’s network or service without significant processing being involved, as laws protecting the confidentiality of communications prohibit telecommunications providers from gaining access.
“Disclosure by transmission" is called out in the GDPR definition for “processing” rather than transmission without disclosure, so that no “processing” is involved where there is transmission alone; and
Any other position would be impossible to implement given the complexity of the telecommunications value chain, with many parties involved in the origination, transit, and termination of communications content.
As a result, telecommunications providers act as mere conduits for the transmission of the communications content, as they:
- do not initiate the transmission;
- do not select the receiver of the transmission;
- do not select or modify the information contained in the transmission; and
- do not store the data, except transient storage for the sole purpose of carrying out the transmission.
Please note that this position is industry standard and reflects guidance from supervisory authorities and case law.