Twitter for Business FAQ
Who are these FAQs for?
These FAQs are for you, or your business, whether you are a Twitter advertiser, partner, supplier, developer or another stakeholder.
What is Twitter’s approach to GDPR and other applicable data protection laws?
Do we have a data processing agreement (DPA) with Twitter?
Twitter ensures data is protected through its commercial terms in a number of ways, including through the use of DPAs that supplement its service terms and agreements. The DPA that applies to your relationship with Twitter will depend on the Twitter products and services that you use or that you provide to Twitter. For example, if you are an advertiser, you can refer to your Ads MSA, located here: https://legal.twitter.com/ads-terms/us.html to find out more information about which set of data processing terms apply to you. If you are a Twitter vendor or supplier, the terms of your DPA with Twitter are attached as a schedule to your Master Services Agreement.
Will Twitter sign a third-party data processing agreement?
Unfortunately, Twitter cannot sign a third party’s data processing agreement (DPA). Twitter’s DPAs have been carefully prepared to reflect our global data practices and obligations, including our intra-company data transfers. Our DPAs are drafted with an understanding of how our products and services work and are designed to comply with applicable data protection laws and the commitments we have made to our users, employees and customers. Our DPAs set out the minimum standards and protections that we require third parties to follow when processing Twitter’s personal data and equally are designed to ensure the adequate protection of our partners’ data.
How does Twitter comply with the legal requirements for transferring data?
Twitter’s services are primarily designed to help people participate in a conversation about what’s happening around the world. As a global service, we have developed global data practices designed to ensure that our customers’ information is protected. Twitter International Unlimited Company, an Irish commercial entity, is the controller of our data in the European Union, EFTA States, or the United Kingdom, so if you are located in the European Union, EFTA States, or the United Kingdom and you share data with Twitter, you share it with Twitter International Unlimited Company. In order to provide our services and operate as a global business, we transfer personal data from Europe to the US and other countries where our group companies and suppliers are located. We currently rely on the standard contractual clauses adopted by the European Commission (SCCs) to transfer personal data outside Europe in compliance with the GDPR. For additional information, please review Twitter’s Global Operations and Data Transfer information.
How does Twitter conduct Transfer Impact Assessments (TIA)?
On 16 July 2020, the Court of Justice of the European Union issued a ruling that requires organizations transferring European personal data outside Europe to ensure that the data continues to be afforded an essentially equivalent level of protection to that guaranteed by the GDPR. To meet these requirements, we have implemented a process whereby we assess (and document) the data protection and privacy risks when transferring personal data outside Europe. This involves an assessment of: (1) the laws and practices of the destination country that may impinge on the protections provided by the GDPR and the chosen transfer mechanism, including surveillance laws and practices that allow public authorities to gain access to personal data; and (2) whether "supplementary measures" (in addition to the SCCs) are required to ensure the data remains protected according to European standards.
Any transfers that are categorized as "High risk" are escalated to our legal team for further review. If we find that the risks associated with the proposed transfer cannot be mitigated, the transfer may be avoided or suspended.
This process is continuously re-evaluated to take into account evolving guidance, knowledge and experience on this subject and to meet the needs and expectations of regulators and customers.
Can Twitter provide us with information we need to conduct our own Transfer Impact Assessments?
We take our responsibility to safeguard the personal data entrusted to us by our customers and partners seriously and to that end have adopted a number of technical, contractual and organizational safeguards to protect such data. Information about these measures is outlined below to support you in conducting your own Transfer Impact Assessments.
Twitter provides the following technical measures to secure customer data:
Encryption: Twitter has a data handling policy that requires non-public data to be encrypted in transit. Where appropriate, Twitter uses TLS or other similar encryption schemes to encrypt such data.
Security and certifications: Twitter maintains SOC II Type II certification for our Custom Audiences products. Additional information about Twitter's security practices and certifications is available in our Data Protection Addendum.
Our standard Data Protection Agreements (DPAs) now incorporate the standard contractual clauses adopted by the European Commission (SCCs) as well as Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018.
To the extent we are acting as the data importer, we are subject to the following requirements:
Technical measures: Twitter is contractually obligated to have in place appropriate technical and organizational measures to safeguard the personal data of the data exporter (both under our DPAs as well as the SCCs).
Transparency: Twitter is obligated under the SCCs to notify the data exporter in the event it is made subject to a request for government access to the data exporter’s personal data from a government authority. In the event that Twitter is legally prohibited from making such a disclosure, Twitter is contractually obligated to challenge such prohibition and seek a waiver.
Actions to challenge access: Under the SCCs, Twitter is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.
To the extent we are acting as the data exporter, in addition to conducting our own Transfer Impact Assessments, we contractually require all our partners that process personal data on our behalf to abide by rigorous privacy and security standards.
Twitter, as a global organization, has implemented numerous organizational measures to secure our partners’ personal data. These include:
Policy for government access: Twitter publishes and follows its Guidelines for Law Enforcement when responding to any government requests for data. To obtain data from Twitter, law enforcement officials must follow the appropriate legal process for the type of information sought, such as a subpoena, court order, or warrant.
Onward transfers: Twitter requires all service providers to undergo a thorough cross-functional due-diligence process by subject matter experts in our Information Security, Privacy and Data Protection, and Risk & Compliance teams to ensure that the personal data of our partners receives adequate protection. This process includes a review of the data Twitter plans to share with the service provider and its associated level of risk, the service provider’s security policies, measures, and third party audits, and whether the service provider has a mature privacy program that respects the rights of data subjects.
Data Handling: Twitter’s internal data handling policy was written in accordance with security industry best practices. The policy categorizes data by sensitivity, ranging from public to highly sensitive. Handling requirements differ based on the category of sensitivity the data in question falls within. The policy requires that data be handled in accordance with these requirements.
Privacy by Design: Privacy by design is a priority with every product Twitter builds. To achieve this, Twitter continues to build out its processes to review all product launches and service developments. This process involves Twitter’s Information Security, Product, and Privacy and Data Protection teams. Twitter’s Privacy Center outlines Twitter’s approach to privacy.
Access Control: Twitter has both role-based and least-privilege access control policies and infrastructure. This means that users are given the minimum levels of access or permissions needed to perform their jobs. Twitter addresses access control through identification, authorization, and authentication practices. Per Twitter’s policies, access to further data and systems is evaluated and granted based on a valid business justification, which is reviewed at regular intervals.
Employee Training: Every new Twitter employee and contractor goes through data privacy, security, and management training.
Audit: Twitter has an internal audit team that drives information security and privacy audits, as well as other audits, throughout the organization. Twitter also works with independent external auditors to assess its Information Security and Privacy and Data Protection programs.
Incident Management: Twitter has an incident response team that sits within the security organization. This team works from an established incident response plan that aligns with industry standards. The team is staffed to respond 24x7 to any issue that may arise.
Is Twitter a data controller or a data processor?
In some instances, Twitter may be your data processor. For example, when you upload a custom audience to Twitter, we act as your data processor. You are the data controller of that audience, and as such, you are responsible for ensuring that you have an adequate basis to process the data, including to transfer it to Twitter for processing. We may also be your processor or service provider for certain aspects of our conversion tracking products, if you implement the functionality we offer to restrict Twitter’s use of certain data you make available to us in connection with those products.
How does Twitter respond to requests from individuals who wish to exercise their privacy rights? Can Twitter help my business respond to requests I get for data Twitter might have?
We have a number of mechanisms that allow people to exercise their rights. First, people can use our self-service tool, Your Twitter Data, to download a copy of their data. Alternatively, they can submit a request for their data by completing this Privacy Form. Account holders can always delete the content they post on Twitter or deactivate their account.
Developer specific FAQs
What do we need to do to ensure that data we access from you remains compliant (if anything)?
You should review Twitter’s Developer Terms and Policies and ensure that you are compliant with these policies.
What happens to historical data when a user opts out?
When a person protects their account or deactivates their account, pursuant to Twitter’s Developer Terms and Policies, you are required to respect these changes and remove any content from your archives.
Is Twitter providing recommendations on how a customer should handle their independent archives in regards to updated data?
Twitter cannot advise you with respect to your own compliance with applicable data protection laws. But in order to protect the people that use our services, violations of Twitter’s Developer Terms and Policies will be investigated and appropriate actions taken, including suspension or termination. We encourage all developers to review Twitter’s Developer Terms and Policies and ensure they are meeting their obligations.